rpm  5.4.10
signatures
Go to the documentation of this file.
1 /*! \page signatures Signature header
2 
3 The 2.1 release of RPM had a few improvements in the area of
4 digital package signatures. The usage of PGP has been cleaned
5 up and extended, the signature section in the RPM file format
6 has been made easily extensible with new signature types, and
7 packages can have multiple signatures.
8 
9 \subsection signatures_pgp PGP
10 
11 Legacy usage of PGP in rpm-2.0 was cumbersome, and only supported
12 1024 bit keys. Both of these problems have been corrected in rpm-2.1.
13 
14 Whereas previously you needed many rpmrc entries to clue in
15 RPM about keyring locations and such, RPM now behaves as PGP
16 users would expect. The PGPPATH environment variable can be
17 used to specify keyring locations. You can also use a
18 "%_pgpbin" line in your macros file to specify a different value
19 for RPM to use for PGPPATH. If neither of these are used PGP
20 uses its default ($HOME/.pgp).
21 
22 If you just want to verify packages, you need to supply values
23 for the macros
24 \verbatim
25  %_pgpbin the path to the pgp executable
26  %_signature the type of signature to use
27 \endverbatim
28 
29 In order to be able to sign packages, you may also have to
30 supply values for
31 \verbatim
32  %_pgp_name the pgp signature to use for signing
33  %_pgp_path the path to the key ring
34 \endverbatim
35 
36 \subsection signatures_signing Signing Packages
37 
38 Signature creation is the same as previous releases: just add
39 a --sign to your build command line. You can sign a package
40 after the package is built with:
41 
42 \verbatim
43  rpm --resign <package>
44 \endverbatim
45 
46 Using --resign removes any previous signature in the package.
47 To *add* a signature to a package, leaving all existing
48 signatures use:
49 
50 \verbatim
51  rpm --addsign <package>
52 \endverbatim
53 
54 RPM always creates MD5 and SIZE signatures when it build
55 packages, which means that packages built without --sign can
56 be "verified" to some extent. The MD5 signature should catch
57 problems like corrupt packages, faulty downloads, etc.
58 
59 \subsection signatures_verifying Verifying Package Signatures
60 
61 Package signature verification is the same as previous releases:
62 
63 \verbatim
64  rpm -K <package>
65 \endverbatim
66 
67 RPM will verify every signature in the package, which may include
68 more than one PGP signature. The output indicates what types of
69 signatures are being checked. If any checks fail you'll see a
70 "NOT OK" message, and you should be worried.
71 
72 If you have a package with PGP signatures, but don't have PGP
73 installed, but still want to verify it as much as possible, you
74 can do:
75 
76 \verbatim
77  rpm -K --nopgp <package>
78 \endverbatim
79 
80 That will cause RPM to skip any PGP signatures, but still check
81 any others (currently only MD5 and SIZE).
82 
83 */