rpmsign
Sign RPM packages with a GPG signature.
Tags: rpmsign, gpg, package, security
Additional Notes
rpmsign adds and manages cryptographic signatures on RPM packages. Signing packages allows recipients to verify the authenticity and integrity of the package before installing it. Packages can be signed with a GPG key at build time (using rpmbuild --sign) or after building using rpmsign.
Signature verification is done by the RPM client using imported public keys. RPM signatures help ensure that the package was created by a trusted source and has not been tampered with since it was signed.
Syntax
rpmsign --addsign package.rpm
rpmsign --resign package.rpm
rpmsign --delsign package.rpm
Parameters
package.rpm: The RPM package file to sign or verify.
Common Options
--addsign: Add a signature to the package (preserves any existing signatures).
--resign: Remove all existing signatures and sign with the current key.
--delsign: Remove all signatures from the package.
--delsignature N: Remove a specific signature by number.
--checksig: Verify the signature on a package.
--key-id KEY_ID: Specify which GPG key to use for signing.
--pgppath PATH: Path to the GPG binary or agent.
-v, --verbose: Show detailed output during signing.
Examples
rpmsign --addsign mypackage.rpm
Add a GPG signature to an existing unsigned package.
rpmsign --resign mypackage.rpm
Replace the signature with the current default GPG key.
rpmsign --checksig mypackage.rpm
Verify the signature on a package.
rpm --checksig --nosignature package.rpm
Check the package digest without checking the GPG signature.
Practical Notes
- GPG signing requires a configured GPG key pair and RPM macros defining which key to use.
- The signing key is typically configured in ~/.rpmmacros or /etc/rpm/macros.
- Signed packages display "gpg OK" when verified with rpm -K.
- Distribution repositories require packages to be signed for automatic acceptance.
- rpmsign is separate from rpm --sign on some older distributions.
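The following POSIX shell script is an added example of the workflow the Examples and Practical Notes describe (configure the key in ~/.rpmmacros, sign with rpmsign --addsign, verify with rpm -K); it is not code from the rpm project. It assumes a GPG secret key with the hypothetical user ID "Example Packager <pkg@example.invalid>" exists in the signer's keyring, and it selects that key through the %_gpg_name macro, which is the macro rpmsign reads for the signing identity. The exact wording of rpm -K output varies between rpm versions, so the verification check accepts only the two phrasings named on this page ("signatures OK" and "gpg OK") and treats anything else, including a digest-only "digests OK" line from an unsigned package, as not verified.

```shell
#!/bin/sh
# Added example (not part of rpm): sign a package and confirm that the
# signature, not just the digest, verified before trusting it.

# Write the %_gpg_name macro that rpmsign uses to pick the signing key.
# Argument 1: macros file (normally ~/.rpmmacros); argument 2: key user ID.
write_rpm_macros() {
    macros_file="$1"
    key_name="$2"
    printf '%%_gpg_name %s\n' "$key_name" > "$macros_file"
}

# Return 0 only when one line of `rpm -K` output says the signature verified.
# "NOT OK" (bad signature or missing public key) is always a failure, and a
# line that mentions only digests means the package carries no signature.
# The accepted phrasings are the ones quoted on this page; other rpm versions
# word the summary differently (assumption: adjust the patterns if needed).
rpm_checksig_passed() {
    line="$1"
    case "$line" in
        *"NOT OK"*)        return 1 ;;  # verification failed
        *"signatures OK"*) return 0 ;;  # rpm >= 4.14 summary line
        *"gpg OK"*)        return 0 ;;  # older rpm wording
        *)                 return 1 ;;  # e.g. "digests OK": digest only
    esac
}

# Add a signature with the configured key, then verify it with rpm -K.
# Fails if signing fails or if rpm does not report a verified signature.
sign_and_verify() {
    pkg="$1"
    rpmsign --addsign "$pkg" || return 1
    out=$(rpm -K "$pkg") || return 1
    rpm_checksig_passed "$out"
}

# Usage: ./sign_and_verify.sh mypackage.rpm (runs only when a package is given)
if [ $# -gt 0 ]; then
    write_rpm_macros "$HOME/.rpmmacros" "Example Packager <pkg@example.invalid>"
    sign_and_verify "$1" && echo "signature verified: $1"
fi
```

Before installing third-party packages, the public half of the signing key must have been imported with rpm --import; otherwise rpm -K reports NOT OK with missing keys and the check above correctly rejects the package rather than accepting a digest-only match.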