David Hláčik wrote:
> Hello, I am searching for a reasonable howto, documentation for
> Signing Custom RPM packages.

Can you give more detail on where you're getting stuck at? As Ed asked, have you read the rpm man page?

I don't know of a howto off the top of my head, but the process is pretty simple, so I'll try to detail it quickly.

If you don't already have a gpg key, you'll need to generate one using "gpg --gen-key" and filling in the prompts.

Next, tell rpm what key you want to use to sign in ~/.rpmmacros:

    %_gpg_name your_key@xxxxxxxxxxx

(You can use the email address of the key or the key id to identify the key.)

Then, just use

    rpm --addsign /path/to/some.rpm

and enter the passphrase when prompted.

In order to verify packages signed with your key you need to import the key into the rpm database.

To export the key from gpg:

    $ gpg -a --export your_key@xxxxxxxxxxx > RPM-GPG-KEY-example

To import the key to the rpm database:

    $ su -c 'rpm --import RPM-GPG-KEY-example'

To verify a package you have signed:

    $ rpm -K /path/to/some.rpm
    /path/to/some.rpm: (sha1) dsa sha1 md5 gpg OK

To sign a package when building it:

    $ rpmbuild -ba --sign some.spec

That should be all you need.

After a quick google, I also turned up this howto:

    http://fedoranews.org/tchung/gpg/

It lists the steps pretty much as I have listed them above, often with a little more detail. Perhaps you'll find it helpful.

[Two things you can ignore about it are the '%_signature gpg' part in ~/.rpmmacros and the use of --resign, as that option is the same as --addsign these days.]

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Common sense is genius dressed in its working clothes.
    -- Ralph Waldo Emerson
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
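
Added example, not part of the message above: `rpm -K` also ends its line with "OK" for a package that carries no signature at all (only the digests matched), so a script that gates on the verify step should look for the signature token, not just "OK". The function names are hypothetical and the sample lines are constructed, apart from the first, which is the output quoted in the message; the newer "digests signatures OK" wording is handled as well.

```shell
#!/bin/sh
# Classify one line of `rpm -K` output.
# Prints one of: verified | unsigned | missing-key | bad | unknown
classify_rpm_k() {
    res=${1#*: }                    # drop the "/path/to/some.rpm: " prefix
    case "$res" in
        *"MISSING KEYS"*) echo missing-key; return ;;  # signer's key not imported
        *"NOT OK"*)       echo bad;         return ;;  # digest or signature failed
        *" OK")           ;;                           # passed; signed or not is decided below
        *)                echo unknown;     return ;;
    esac
    # Lowercase gpg/pgp (older rpm) or "signatures" (newer rpm) means a
    # signature was present and checked against an imported key.
    case " $res " in
        *" gpg "*|*" pgp "*|*" signatures "*) echo verified ;;
        *)                                    echo unsigned ;;  # digests only
    esac
}

# Read `rpm -K` lines on stdin, report each on stderr, and print the
# number of packages that are NOT signed-and-verified on stdout.
count_unverified() {
    n=0
    while IFS= read -r line; do
        st=$(classify_rpm_k "$line")
        printf '%-12s %s\n' "$st" "$line" >&2
        [ "$st" = verified ] || n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample output (first line is the one from the message).
sample_lines() {
    cat <<'EOF'
/path/to/some.rpm: (sha1) dsa sha1 md5 gpg OK
/tmp/unsigned.rpm: sha1 md5 OK
/tmp/other-key.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
/tmp/tampered.rpm: (sha1) dsa sha1 MD5 GPG NOT OK
EOF
}

sample_lines | count_unverified   # prints 3
```

In real use, pipe `rpm -K *.rpm` into count_unverified and refuse to publish or install when the count is not 0.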