Chapitre 4. Advanced topics
This section covers topics that are beyond the scope of the introductory tutorial but are useful in real-world RPM packaging.
4.1. Signing RPM packages
You can sign RPM packages to ensure that no third party can alter their content. To add an additional layer of security, use the HTTPS protocol when downloading the package.
You can sign a package by using the --addsign option provided by the rpm-sign package.
Conditions préalables
- You have created a GNU Privacy Guard (GPG) key as described in Creating a GPG key.
4.1.1. Creating a GPG key
Use the following procedure to create a GNU Privacy Guard (GPG) key required for signing packages.
Procédure
Generate a GPG key pair:
# gpg --gen-keyCheck the generated key pair:
# gpg --list-keysExporter la clé publique :
# gpg --export -a '<Key_name>' > RPM-GPG-KEY-pmanagerReplace <Key_name> with the real key name that you have selected.
Import the exported public key into an RPM database:
# rpm --import RPM-GPG-KEY-pmanager
4.1.2. Configuring RPM to sign a package
To be able to sign an RPM package, you need to specify the %_gpg_name RPM macro.
The following procedure describes how to configure RPM for signing a package.
Procédure
Define the
%_gpg_namemacro in your$HOME/.rpmmacrosfile as follows:%_gpg_name Key IDReplace Key ID with the GNU Privacy Guard (GPG) key ID that you will use to sign a package. A valid GPG key ID value is either a full name or email address of the user who created the key.
4.1.3. Adding a signature to an RPM package
This section describes the most usual case when a package is built without a signature. The signature is added just before the release of the package.
To add a signature to an RPM package, use the --addsign option provided by the rpm-sign package.
Procédure
Add a signature to a package:
$ rpm --addsign package-name.rpmReplace package-name with the name of an RPM package you want to sign.
NoteYou must enter the password to unlock the secret key for the signature.