Reason

Provide authentication.
With signed package, its possible for users/community to verify the owner of RPM and ensure that RPM is not being tampered with.

Steps for creating PGP Key(2048 bit)

gpg –gen-key
Select option (5): RSA (sign only)
Keysize: 2048
How long is the key valid?: 3y (3 years)
Enter Name/Comment/Email : Enter these one at a time followed by enter
Enter Passphrase: <passphrase>
Repeat Passphrase
Returns gpg key with other details. Note down the key

Exporting keys

Exporting build/signing server private/secret key
gpg –export-secret-keys -a <gpg key> > <PrivatekeyNameOfYourChoice>
Note : Do not let the key get into the wrong hands... this should only be stored and installed(via “rpm –import <PrivateKeyName>”) onto secure sites.
Exporting the installation server public key
gpg –export -a <gpg key> > <PublickeyNameOfYourChoice>
Note : This key should be provided to users who need to install RPM's signed using the key assosiated with the passphrase.

Importing a key

gpg –import <public/privateKeyName>

Congifuration to be added in POM.xml for RPM signing

<keyname>keyName</keyname>

<passphrase>SecretKey</passphrase>

</keyPassphrase>

keyname
Set to a key name to sign the package using GPG. If keyPassphrase is not also provided, this will require the input of the passphrase at the terminal
keyPassphrase
The passphrase for the keyname to sign the rpm. This utilizes expect and requires that expectbe on the PATH.

After adding the configuration the generated RPM is automatically signed. The machine from where we fire the build should contain the key which we have specified in keyname.

In order to create RPM in maven projects we need to add a pluggin called RPM Maven Plugin. It allows artifacts from one or more projects to be packaged in an RPM for distribution. In addition to project artifacts, the RPM can contain other resources to be installed with the artifacts and scripts to be run while the package is being installed and removed. This plugin does not support the full range of features available to RPMs.

Features

Files can be collected from anywhere on the system and packaged
Packaged files can be assigned any ownership and permissions
Scripts for pre- and post-installation and pre- and post-removal are supported, as well as a verification script

Usage Scenarios

RPM on Demand
RPM as side Effect
RPM as secondary Artifact

In our project we have used RPM as side effect as we wanted to package the primary artifact i.e. war file in RPM.

Configuration in pom.xml

Following is the configuration added in POM.xml for creating RPM as side effect.

<goals>

</goals>

</execution>

</executions>

Following is the configuration added in POM.xml for RPM creation

<copyright>${copyright}</copyright>

<group>${group}</group>

<release>${release}</release>

<prefix>${prefix}</prefix>

<vendor>${vendor}</vendor>

<summary>${summary}</summary>

<packager>${packager}</packager>

<defaultFilemode>${defaultFilemode}</defaultFilemode>

<defaultDirmode>${defaultDirmode}</defaultDirmode>

<directory>${tomcat.deploy.directory}/webapps</directory>

<!-- The following adtifact/classifiers/classifier voodoo is required

to get the projects main artifact into the rpm (and only the main artifact,

without the test artifact. See http://mojo.codehaus.org/rpm-maven-plugin/map-params.html#artifact -->

</classifiers>

</artifact>

</mapping>

</mappings>

</configuration>

copyright : The one-line copyright information.
group : The package group for the package.
release : The release portion of the RPM file name.
name : The name portion of the output file name.
prefix : The relocation prefix for this package.
vendor : The vendor supplying the package.
summary : The one-line description of the package.
packager : The name of the person or group creating the package.
defaultFilemode : The default file mode (octal string) to assign to files when installed.
defaultDirmode : The default directory mode (octal string) to assign to directories when installed.

C Deepak's tech blog

Wednesday, April 3, 2013

RPM Signing using PGP (Pretty Good Privacy)