RPM packages are signed using GPG keys. To be able to sign RPM packages, a suitable key first needs to be created. This can be done with the standard gpg tool:
$ gpg --gen-key
The tool will ask for all the necessary information. When unsure, select the default value.
If your gpg key is protected with a passphrase, you need to provide it to the sfdk tool via a passphrase file. This is just a text file containing the passphrase. The permissions of the file should be 600, so that it is not readable by anyone else. In the example below, we use a file called passphrase.txt, located in the user's home directory. You can use a file/path of your own choosing instead. Note that typing the passphrase on the echo command line below also records it in your shell history; if that matters, create the file with a text editor instead.
$ echo "This is my passphrase" > $HOME/passphrase.txt
$ chmod 0600 $HOME/passphrase.txt
The sfdk tool supports signing packages as part of the build process. First we need to configure the tool to use our key and passphrase file:
$ sfdk config package.signing-user="Full Name" # replace Full Name with the name given when creating the signing key
$ sfdk config package.signing-passphrase-file=$HOME/passphrase.txt
Then we can build the package with the --sign option:
$ sfdk build --sign
This results in a signed package created under the RPMS directory.
The package signature can be verified with the rpm -K command:
$ rpm -K RPMS/mypackage-0-1.noarch.rpm
A successful verification looks like this:
RPMS/mypackage-0-1.noarch.rpm: digests signatures OK
However, you will likely get digests SIGNATURES NOT OK when you first try it. This is because the key used for signing is not known to rpm. You must import the key into the rpm keyring first:
$ gpg --output keyfile.gpg --armor --export "Full Name"
$ rpm --import keyfile.gpg
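As an added example (not part of the original documentation), here is a small POSIX sh check that turns the rpm -K outcomes quoted above into a pass/fail gate for a build or release script; it assumes the short summary format printed by rpm 4.14 and later, and the function and verdict names are my own. The point it makes: rpm -K exits 0 for an intact but unsigned package, so a script must inspect the summary text rather than only the exit code.

```shell
# Classify one line of `rpm -K` output (rpm >= 4.14 short form, as quoted on this page).
# Prints one of: signed | unverified | unsigned | corrupt | unknown
classify_rpm_k_line() {
    status=${1#*: }                              # drop the "path: " prefix
    case "$status" in
        *DIGESTS*"NOT OK"*)      echo corrupt ;;    # header/payload digest mismatch
        *SIGNATURES*"NOT OK"*)   echo unverified ;; # signed, but key not imported or signature bad
        "digests signatures OK") echo signed ;;     # signature verified against an imported key
        "digests OK")            echo unsigned ;;   # intact, but carries no signature at all
        *)                       echo unknown ;;
    esac
}

# Gate for a release script: succeed only if every package verifies as signed.
# Plain `rpm -K` exits 0 for an unsigned package, so the exit code alone is not a gate.
require_signed_rpms() {
    rc=0
    for pkg in "$@"; do
        line=$(rpm -K "$pkg" 2>&1)
        verdict=$(classify_rpm_k_line "$line")
        if [ "$verdict" != signed ]; then
            echo "REJECT ($verdict): $line" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (not run automatically): require_signed_rpms RPMS/*.rpm || exit 1
```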