Chapitre 4. Advanced topics

This section covers topics that are beyond the scope of the introductory tutorial but are useful in real-world RPM packaging.

4.1. Signing RPM packages

You can sign RPM packages to ensure that no third party can alter their content. To add an additional layer of security, use the HTTPS protocol when downloading the package.

You can sign a package by using the --addsign option provided by the rpm-sign package.

Conditions préalables

4.1.1. Creating a GPG key

Use the following procedure to create a GNU Privacy Guard (GPG) key required for signing packages.


  1. Generate a GPG key pair:

    # gpg --gen-key
  2. Check the generated key pair:

    # gpg --list-keys
  3. Exporter la clé publique :

    # gpg --export -a '<Key_name>' > RPM-GPG-KEY-pmanager

    Replace <Key_name> with the real key name that you have selected.

  4. Import the exported public key into an RPM database:

    # rpm --import RPM-GPG-KEY-pmanager

4.1.2. Configuring RPM to sign a package

To be able to sign an RPM package, you need to specify the %_gpg_name RPM macro.

The following procedure describes how to configure RPM for signing a package.


  • Define the %_gpg_name macro in your $HOME/.rpmmacros file as follows:

    %_gpg_name Key ID

    Replace Key ID with the GNU Privacy Guard (GPG) key ID that you will use to sign a package. A valid GPG key ID value is either a full name or email address of the user who created the key.

4.1.3. Adding a signature to an RPM package

This section describes the most usual case when a package is built without a signature. The signature is added just before the release of the package.

To add a signature to an RPM package, use the --addsign option provided by the rpm-sign package.


  • Add a signature to a package:

    $ rpm --addsign package-name.rpm

    Replace package-name with the name of an RPM package you want to sign.


    You must enter the password to unlock the secret key for the signature.