HOWTO Sign your own RPMs

##############################################################################
#
# The purpose of this HOWTO is to walk you through the necessary steps for
# signing your own personal RPMs. You will need root access and the GNUPG
# and RPM packages. Obviously you will need to be working with a Linux
# distro that uses RPM as a package manager :)
#
# Created by: David Kramer, SF LUG - 02/28/2006
#
##############################################################################

**Verify necessary Packages are installed

First make sure you have the RPM package installed. As root, run cmd:

    rpm --version

You should see similar output on the first line returned:

    RPM version 4.4.2

If you don't, please find and install the RPM binaries.

Verify the GNUPG package is installed, run command:

    rpm -qa | grep gnupg

#Here I am running the RPM Query ALL command, piping it to grep where I'm searching for
#a particular package name. On my FC6 machine it's:

    gnupg-1.4.6-2

**Generate Your GPG Key

After you have confirmed the gnupg package, you need to generate your own GPG Key for
signing your custom packages (RPMs). As Root (su -), run cmds:

    mkdir ~/.gnupg
    #verify /root/.gnupg has been initialized (ls /root/.gnupg)
    gpg --gen-key

##############################################################################
#
#Follow the questions as listed below from the gpg command:
#
##############################################################################

Select the following options:

    Select type 1 DSA and Elgamal key (default)
    1024 bits long
    Does not expire

Enter the following or similar values:

    Real Name:      Enoch Root
    Email Address:  foo@rpmdemo.com
    Comment:        Add something interesting if you like

Type o, hit return, you should see some screen jargon and then finally your public and
secret key, i.e., something like:

    pub   1024D/4288445C 2007-02-27 Enoch Root (My Satellite Demo)
          Key fingerprint = 5C55 ABD6 1B6B 728A 7601 DCC0 D821 F11A 4288 445C
    sub   1024g/1EF0ADA0 2007-02-27
##############################################################################
#
#**Please note your KeyID and fingerprint, these will be needed later
#   Key-ID:      4288445C
#   fingerprint: 5C55 ABD6 1B6B 728A 7601 DCC0 D821 F11A 4288 445C
#
##############################################################################

Next, export the gpg key we just created to an ASCII file:

    gpg --export --armor KEYID > /tmp/MY-GPG-KEY

Ex:

    gpg --export --armor 4288445C > /tmp/MY-GPG-KEY-4288445C.txt

For this example, name the Key file with the Key ID value included: MY-GPG-KEY-4288445C.txt

##############################################################################
#
# Setup root and Sign RPMS
#
##############################################################################

**Configure your root user to sign RPMs

On the server where you are signing RPMs -> set up your rpmmacros file:

    echo "%_signature gpg" > /root/.rpmmacros
    echo "%_gpg_name Enoch Root <foo@rpmdemo.com>" >> /root/.rpmmacros

(The %_gpg_name value is handed to gpg to select the signing key, so it must match the
user ID of the key you generated; the Key ID, e.g. 4288445C, also works.)

Now you are ready to sign RPMs!!!

**Sign your custom rpms:

    rpm --resign hello-1.0-1.i686.rpm
    rpm --resign hello-1.0-1.src.rpm

##############################################################################
#
# Client setup, Importing your Key into the RPM DB
#
##############################################################################

For the RPM to install you will need to import YOUR GPG Key prior to installing any RPM
packages you have signed. Download/Copy your RPM GPG Key (MY-GPG-KEY-4288445C.txt) to the
server where your signed RPMs will be installed.
Import the Key into the RPM DB:

    rpm --import MY-GPG-KEY-4288445C.txt

Next install the RPM:

    rpm -ivh package.rpm

##############################################################################
#
# Extra Commands to Note
#
##############################################################################

Some other RPM and GPG switch commands to note:

gpg
    --verify        verify a signature
    --list-keys     list keys
    --list-sigs     list keys and signatures
    --check-sigs    list and check key signatures
    --fingerprint   list keys and fingerprints

rpm
    -ivh            install rpm with verbose output
                    **APPEND --aid to help resolve dependencies.
    -e              erase (remove) a package from the operating system
    -Uvh            update package with verbose output
    -qa             query rpm DB and return all packages
    -ql             lists the contents of an rpm package
    -qf             returns the rpm package that a file is packaged in
    -qi             lists the rpm's preamble and build information

** -qlp <- add the " p " switch to the ql, qf, and qi commands to interact with RPMs that
are not installed. (-qlp, -qfp, -qip)
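The client-side steps above (import the key, then install) are where the signing effort
pays off or is wasted: if the key file that gets imported is not the one whose fingerprint
you recorded, or if an unsigned package is installed anyway, the signature proves nothing.
The script below is an added example, not part of the original HOWTO, written as a
defensive helper for the client side. It checks the fingerprint of a key file against the
one noted earlier before importing it (the short Key ID, e.g. 4288445C, is simply the last
eight hex digits of the fingerprint, which the script uses as a sanity check), and classifies
`rpm -K` (`--checksig`) output so that only packages with a verified signature are installed.
The sample `rpm -K` lines and fingerprints are constructed for illustration; the functions
`norm_fpr`, `keyid_from_fpr`, `fpr_matches`, `sig_line_status`, `import_key_if_fpr` and
`install_if_signed` are this example's own names. It assumes `gpg --with-colons
--with-fingerprint FILE` prints an `fpr:` record with the fingerprint in field 10 (true for
GnuPG 1.4 and 2.x).

```shell
#!/bin/sh
# Added example (not from the original HOWTO): client-side checks for RPM signing.
# All sample fingerprints and rpm -K lines below are constructed for illustration.

# Normalise a fingerprint for comparison: drop whitespace, upper-case the hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# The short Key ID that gpg/rpm print (e.g. 4288445C) is the last 32 bits,
# i.e. the last 8 hex digits, of the full 160-bit fingerprint.
keyid_from_fpr() {
    norm_fpr "$1" | sed 's/.*\(........\)$/\1/'
}

# Return 0 only if both fingerprints are well-formed (40 hex digits) and equal.
fpr_matches() {
    a=$(norm_fpr "$1"); b=$(norm_fpr "$2")
    case "$a" in *[!0-9A-F]*|"") return 1 ;; esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Classify one line of `rpm -K` / `rpm --checksig` output.
#   0 = signature present and verified (e.g. "... md5 gpg OK", "digests signatures OK")
#   1 = no signature at all, digests only (e.g. "sha1 md5 OK", "digests OK")
#   2 = signature present but NOT OK (bad signature, or key not imported)
sig_line_status() {
    line=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$line" in
        *"not ok"*) return 2 ;;
    esac
    case "$line" in
        *" gpg ok"*|*" pgp ok"*|*"signatures ok"*) return 0 ;;
        *" ok") return 1 ;;
    esac
    return 2
}

# Import a key file into the RPM DB only if its fingerprint is the one we recorded.
# Usage: import_key_if_fpr MY-GPG-KEY-4288445C.txt "5C55 ABD6 ... 4288 445C"
import_key_if_fpr() {
    keyfile=$1; expected=$2
    actual=$(gpg --with-colons --with-fingerprint "$keyfile" 2>/dev/null \
             | awk -F: '$1 == "fpr" { print $10; exit }')
    if fpr_matches "$expected" "$actual"; then
        echo "fingerprint OK (Key ID $(keyid_from_fpr "$actual")), importing $keyfile"
        rpm --import "$keyfile"
    else
        echo "REFUSING to import $keyfile: fingerprint '$actual' != expected" >&2
        return 1
    fi
}

# Install a package only when rpm reports a verified signature from an imported key.
install_if_signed() {
    pkg=$1
    out=$(rpm -K "$pkg" 2>&1)      # rpm exits non-zero on NOT OK; we keep the text
    if sig_line_status "$out"; then
        rpm -ivh "$pkg"
    else
        echo "REFUSING to install $pkg: $out" >&2
        return 1
    fi
}

# Demonstration on constructed rpm -K lines (no rpm or gpg needed for this part).
for sample in \
    'hello-1.0-1.i686.rpm: (sha1) dsa sha1 md5 gpg OK' \
    'hello-1.0-1.i686.rpm: sha1 md5 OK' \
    'hello-1.0-1.i686.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#4288445c)' \
    'hello-1.0-1.x86_64.rpm: digests signatures OK'
do
    sig_line_status "$sample"; rc=$?
    echo "status $rc  <-  $sample"
done
echo "Key ID for recorded fingerprint: $(keyid_from_fpr '5C55 ABD6 1B6B 728A 7601 DCC0 D821 F11A 4288 445C')"

# Real use on a client, once rpm and gpg are present:
#   import_key_if_fpr MY-GPG-KEY-4288445C.txt '5C55 ABD6 1B6B 728A 7601 DCC0 D821 F11A 4288 445C'
#   install_if_signed hello-1.0-1.i686.rpm
```

Status 1 (digests only) is deliberately treated as a refusal by `install_if_signed`: an
unsigned package passes `rpm -K` with "OK" because its checksums match, but nothing ties it
to your key, so it should not be installed on a host that expects signed packages.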