Wednesday, April 3, 2013

RPM Signing using PGP (Pretty Good Privacy)


Reason

  • Provide authenticity and integrity.
  • With a signed package, users and the community can verify who produced the RPM and ensure that it has not been tampered with since it was signed.
Steps for creating a GPG key (2048 bit)
  • gpg --gen-key
  • Select the "RSA (sign only)" entry (option 5 in this GnuPG version; the numbering differs between GnuPG releases)
  • Keysize: 2048
  • How long is the key valid?: 3y (3 years)
  • Enter Name/Comment/Email: enter these one at a time, each followed by Enter
  • Enter Passphrase: <passphrase>
  • Repeat Passphrase
  • gpg prints the new key with its details. Note down the key ID; the export and signing steps below refer to it.

Exporting keys

  • Exporting the build/signing server's private (secret) key:
  • gpg --export-secret-keys -a <gpg key ID> > <PrivateKeyNameOfYourChoice>
  • Note: Do not let the secret key get into the wrong hands. It belongs only on the secured build/signing host(s), where it is loaded into that host's GnuPG keyring with "gpg --import <PrivateKeyName>". It is never loaded with "rpm --import", which only installs public keys into the RPM database for verification.
  • Exporting the public key for the installation servers:
  • gpg --export -a <gpg key ID> > <PublicKeyNameOfYourChoice>
  • Note: This key is handed to the users and hosts that need to install RPMs signed with it. They load it with "rpm --import <PublicKeyName>" (as root, into the RPM database) so that "rpm --checksig" (rpm -K) can verify the signature on the package.

Importing a key into a GnuPG keyring (the secret key on the signing host, or a public key received from someone else)

  • gpg --import <public/privateKeyName>
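
The whole procedure above (generate the key, export both halves, sign an RPM, verify it as an installer would) run unattended, as an added example that is not part of the original post. It uses a throwaway GnuPG keyring and a private RPM database so nothing touches the system keyring or needs root; the name, e-mail address and file names are placeholders, and the RPM to sign is passed as the first argument. It assumes GnuPG 2.1+ (for %no-protection) and rpm 4.14+ (rpmsign), with a fallback to the older "rpm --addsign".

```shell
#!/bin/sh
# Added example (not from the original post): the key-generation, export,
# signing and verification steps, batched. Names, e-mail address and file
# names are placeholders; the RPM to sign is passed as $1.
set -eu

# Batch-mode equivalent of the interactive answers above: RSA sign-only,
# 2048 bit, valid for 3 years. The demo key is created WITHOUT a passphrase
# (%no-protection) so that rpmsign needs no pinentry; a production signing
# key keeps its passphrase as in the interactive steps.
gen_params() {
    cat <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: $1
Name-Email: $2
Expire-Date: 3y
%commit
EOF
}

# Long key ID of the first secret key in machine-readable gpg output:
# field 5 of the "sec" record printed by `gpg --with-colons --list-secret-keys`.
keyid_from_colons() {
    awk -F: '$1 == "sec" { print $5; exit }'
}

# Constructed sample of that colon-separated output (not real key material),
# used to exercise keyid_from_colons without a keyring.
SAMPLE_COLONS='sec:u:2048:1:0123456789ABCDEF:1365000000:1459641600::u:::scSC:::+::::
fpr:::::::::FEDCBA98765432100123456789ABCDEF01234567:
uid:u::::1365000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Build Server <build@example.com>::::::::::0:'

sign_and_verify() {
    rpm_file=$1
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    rpmdb=$GNUPGHOME/rpmdb
    # Stop the agent gpg 2.x starts for this keyring, then delete the keyring
    # so no secret key is left behind in /tmp.
    trap 'command -v gpgconf >/dev/null 2>&1 && gpgconf --kill gpg-agent; rm -rf "$GNUPGHOME"' EXIT

    # 1. Generate the key (the interactive "gpg --gen-key" answers, batched).
    gen_params "Build Server" "build@example.com" | gpg --batch --gen-key
    keyid=$(gpg --batch --with-colons --list-secret-keys | keyid_from_colons)
    echo "signing key: $keyid"

    # 2. Export. The secret key stays on the signing host only; the public
    #    key is what the installation servers receive.
    gpg --batch --export-secret-keys -a "$keyid" > "$GNUPGHOME/signing-key.sec.asc"
    gpg --batch --export -a "$keyid" > "$GNUPGHOME/signing-key.pub.asc"

    # 3. Sign. rpm finds the key in the GnuPG keyring via the %_gpg_name macro.
    #    rpm 4.14+ moved signing into the rpmsign binary; older rpm has
    #    "rpm --addsign" (which prompts for the passphrase on the terminal).
    if command -v rpmsign >/dev/null 2>&1; then
        rpmsign --define "_gpg_name $keyid" --addsign "$rpm_file"
    else
        rpm --define "_gpg_name $keyid" --addsign "$rpm_file"
    fi

    # 4. Verify as an installer would, in a private rpm database so no root
    #    is needed. Before the public key is imported the signature is reported
    #    NOT OK (MISSING KEYS) and rpm exits non-zero; after "rpm --import" it verifies.
    mkdir -p "$rpmdb"
    rpm --dbpath "$rpmdb" --initdb
    if rpm --dbpath "$rpmdb" --checksig "$rpm_file"; then
        echo "unexpected: signature accepted without the public key" >&2
        return 1
    fi
    rpm --dbpath "$rpmdb" --import "$GNUPGHOME/signing-key.pub.asc"
    rpm --dbpath "$rpmdb" --checksig "$rpm_file"
}

# Run end to end only when an RPM path is given and the tools are installed.
if [ "$#" -ge 1 ] && command -v gpg >/dev/null 2>&1 && command -v rpm >/dev/null 2>&1; then
    sign_and_verify "$1"
fi
```

Usage: `sh sign-demo.sh package.rpm`. The "NOT OK (MISSING KEYS)" step is the check an installation host performs implicitly: without the exported public key in its RPM database it cannot tell a genuine package from a tampered one, which is why distributing that public key (and only that key) is part of the procedure.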

Configuration to be added in pom.xml for RPM signing (inside the <configuration> element of the rpm-maven-plugin, which defines these two parameters)

<keyname>keyName</keyname>
<keyPassphrase>
   <passphrase>SecretKey</passphrase>
</keyPassphrase>


  • keyname
    Set to a key name to sign the package using GPG: the name, e-mail address or key ID of the key generated above (the value gpg accepts for -u). If keyPassphrase is not also provided, the passphrase has to be typed at the terminal during the build.
  • keyPassphrase
    The passphrase for the keyname to sign the RPM. This utilizes expect and requires that expect be on the PATH, because rpm --addsign prompts for the passphrase interactively.
After adding the configuration the generated RPM is automatically signed. The machine that runs the build must have the secret key named in keyname in its GnuPG keyring (imported with gpg --import as above). A passphrase written literally into pom.xml ends up in version control and in every checkout; keep it out of the committed file, for example by referencing a Maven property that is supplied from the build host's settings.xml or on the command line with -D.
