LinuxCommandLibrary
GitHub F-Droid Google Play Store

rpmsign

Sign RPM packages with GPG keys

TLDR

Sign RPM package
$ rpmsign --addsign [package.rpm]
copy
Sign with specific key
$ rpmsign --addsign --key-id [KEYID] [package.rpm]
copy
Re-sign package
$ rpmsign --resign [package.rpm]
copy
Delete signature
$ rpmsign --delsign [package.rpm]
copy
Sign multiple packages
$ rpmsign --addsign [*.rpm]
copy

SYNOPSIS

rpmsign --addsign|--resign [options] PACKAGEFILE_...rpmsign --delsign PACKAGEFILE_...rpmsign --delfilesign PACKAGEFILE_...

DESCRIPTION

rpmsign adds or manages OpenPGP signatures on RPM packages. Signing packages allows verification of authenticity and integrity. It supports both traditional package signing and file-level IMA/fsverity signing.Part of the RPM package manager. The signing key is configured via the %_openpgp_sign_id macro (or legacy %_gpg_name).

PARAMETERS

--addsign

Add signature to package.
--resign
Replace existing signature.
--delsign
Delete all OpenPGP signatures.
--delfilesign
Delete all IMA and fsverity file signatures.
--key-id KEYID
GPG key ID, overriding %openpgpsign_id configuration.
--signfiles
Sign package files using the configured digest algorithm and RSA key.
--fskpath KEY
File signing key path, used with --signfiles.
--signverity
Sign package files with fsverity signatures.
--certpath CERT
Certificate for use with --signverity.
--rpmv3
Add RPM V3 header+payload signature on V4 packages for compatibility with rpm < 4.14.
--rpmv4
Add RPM V4 header signature on V6 packages for rpm 4.x compatibility.
-D "MACRO EXPR"
Define RPM macro.

EXAMPLES

$ # Sign package
rpmsign --addsign mypackage-1.0-1.x86_64.rpm

# Sign with specific key
rpmsign --addsign --key-id ABCD1234 package.rpm

# Re-sign (replace signature)
rpmsign --resign package.rpm

# Sign all RPMs
rpmsign --addsign *.rpm

# Define signing identity via macro
rpmsign -D "_gpg_name Your Name" --addsign package.rpm

# Delete file signatures
rpmsign --delfilesign package.rpm

# Verify signature
rpm -K package.rpm
copy

CONFIGURATION

~/.rpmmacros

User-level RPM macro file where %_openpgp_sign_id (or legacy %_gpg_name) sets the default signing identity and %_gpg_path specifies the GnuPG keyring directory.
/etc/rpm/macros
System-wide RPM macro overrides for signing defaults shared across all users.

CAVEATS

Requires GPG key. Passphrase needed (or gpg-agent). Signature added to header.

HISTORY

rpmsign is part of RPM package manager, originally developed at Red Hat for package authentication.

SEE ALSO

rpm(8), rpmbuild(8), rpmkeys(8), gpg(1)

Copied to clipboard
Kai

AltStyle によって変換されたページ (->オリジナル) /