#rpm-digital-signature.sh

 # How to sign your custom RPM package with GPG key

 # Step:

 # Generate gpg key pair (public key and private key)

 #

 # You will be prompted with a series of questions about encryption.

 # Simply select the default values presented. You will also be asked

 # to create a Real Name, Email Address and Comment (comment optional).

 #

 # If you get the following response:

 # -----------------------------------------------------------------------

 # We need to generate a lot of random bytes. It is a good idea to perform

 # some other action (type on the keyboard, move the mouse, utilize the

 # disks) during the prime generation; this gives the random number

 # generator a better chance to gain enough entropy.

 # -----------------------------------------------------------------------

 # Open up a separate terminal, ssh into your server and run this command:

 # ls -R /

 gpg --gen-key

 # Step:

 # Verify your gpg keys were created

 gpg --list-keys

 # Step:

 # Export your public key from your key ring to a text file.

 #

 # You will use the information for Real Name and Email you used to

 # create your key. I used Fernando Aleman and [email protected]

 gpg --export -a 'Fernando Aleman' > RPM-GPG-KEY-faleman

 # Step:

 # Import your public key to your RPM DB

 #

 # If you plan to share your custom built RPM packages with others, make sure

 # to have your public key file available online so others can verify RPMs

 sudo rpm --import RPM-GPG-KEY-faleman

 # Step:

 # Verify the list of gpg public keys in RPM DB

 rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'

 # Step:

 # Configure your ~/.rpmmacros file

 #

 # You can use the following command to edit if you are on the server:

 # vi ~/.rpmmacros

 #

 # %_signature => This will always be gpg

 # %_gpg_path  => Enter full path to .gnupg in your home directory

 # %_gpg_name  => Use the Real Name you used to create your key

 # %_gpbin     => run `which gpg` (without ` marks) to get full path

 %_signature gpg

 %_gpg_path /root/.gnupg

 %_gpg_name Fernando Aleman

 %_gpgbin /usr/bin/gpg

 # Step:

 # Sign your custom RPM package

 #

 # You can sign each RPM file individually:

 rpm --addsign git-1.7.7.3-.el6.x86_64.rpm

 # Or you can `cd` into your RPMS folder and sign them all:

 rpm --addsign *.rpm

 # Step:

 # Check the signature to make sure it was signed

 #

 # Watch for 'gpg OK' as in this example:

 # git-1.7.7.3-.el6.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK

 rpm --checksig git-1.7.7.3-.el6.x86_64.rpm

 # Tip!

 # Sign package during build

 #

 # To sign a package while it's being built, simply add '--sign'

 rpmbuild -ba --sign git.spec