
Why can't I sign an RPM package with my GPG key?


KevinDrums
15th April 2012, 07:30 PM
I build my package: 'rpmbuild -ba SPECS/rmmr.spec' and this results in a source and noarch package.
I can check the
'rpm --checksig RPMS/noarch/rmmr-1.8-1_3kc.noarch.rpm SRPMS/rmmr-1.8-1_3kc.src.rpm'
RPMS/noarch/rmmr-1.8-1_3kc.noarch.rpm: sha1 md5 OK
SRPMS/rmmr-1.8-1_3kc.src.rpm: sha1 md5 OK

I want to add my GPG signature to the packages and try this:
rpm -v --addsign SRPMS/rmmr-1.8-1_3kc.src.rpm
rpm: SRPMS/rmmr-1.8-1_3kc.src.rpm: No such file or directory

But, 'ls -l SRPMS/rmmr-1.8-1_3kc.src.rpm' reports
-rw-r-----. 1 kevinc kevinc 7547 Apr 15 11:24 SRPMS/rmmr-1.8-1_3kc.src.rpm

I've been signing packages just fine since the mid 1990s with RPM 4.0. Now on Fedora 16 I can't sign packages? I added '-v' to rpm to report what's going on. But, that didn't help. I'm guessing that there's some temporary directory somewhere that doesn't exist. But, I can't figure out what's going on.

Any ideas people?

Thanks....

Yellowman
15th April 2012, 08:41 PM
Try installing rpm-sign then try again


su
yum install rpm-sign

KevinDrums
15th April 2012, 09:23 PM

That worked! I signed my packages. Then I tried to verify the signatures. Earlier I did:
gpg --export -a cb31ebcc > kevinc-cb31ebcc.key
sudo rpm --import kevinc-cb31ebcc.key

That used to be enough years ago. But, I would now get
rpm --checksig ../homebrew/fedora/16/noarch/*
../homebrew/fedora/16/noarch/rmmr-1.8-3kc_fc16.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#cb31ebcc)
../homebrew/fedora/16/noarch/sharmail-1.6-3kc_0tek_fc16.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#cb31ebcc)
It appears that I now also need to copy the key
sudo cp kevinc-cb31ebcc.key /var/lib/rpm/pubkeys/
Now I get
rpm --checksig ../homebrew/fedora/16/noarch/*
../homebrew/fedora/16/noarch/rmmr-1.8-3kc_fc16.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
../homebrew/fedora/16/noarch/sharmail-1.6-3kc_0tek_fc16.noarch.rpm: (sha1) dsa sha1 md5 gpg OK

Thanks!

---------- Post added at 01:23 PM ---------- Previous post was at 01:06 PM ----------

It turns out that putting my keys into /var/lib/rpm/pubkeys to get 'rpm --checksig' working ends up breaking 'yum update'.

http://forums.fedoraforum.org/showpost.php?p=1570149&postcount=3

So, I tried 'sudo gpg --import kevinc-cb31ebcc.key' which works to get 'rpm --checksig' working. I'll have to wait for the next set of updates to see if these keys broke that.

A long time ago having root import my GPG keys didn't work very well. See here http://www.mombu.com/gnu_linux/red-hat/t-rpm-checksig-missing-key-not-11049416.html

Thanks....
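
Added example (not written by any poster in this thread): the first `rpm --checksig` run above reports "OK" for packages that carry only digests and no signature, so "OK" alone does not show a package is signed. This sketch classifies result lines in the format quoted in the thread; the function names and status labels are made up for illustration, and other rpm versions may word their output differently.

```shell
# Constructed sample: three result lines copied from the posts above.
sample_checksig_output() {
    cat <<'EOF'
RPMS/noarch/rmmr-1.8-1_3kc.noarch.rpm: sha1 md5 OK
../homebrew/fedora/16/noarch/rmmr-1.8-3kc_fc16.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#cb31ebcc)
../homebrew/fedora/16/noarch/sharmail-1.6-3kc_0tek_fc16.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
EOF
}

# Read `rpm --checksig` lines on stdin, print "<path><TAB><status>" per package.
classify_checksig() {
    local line path result keyid
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%%: *}     # everything before the first ": "
        result=${line#*: }    # everything after it
        case "$result" in
            *"MISSING KEYS:"*)
                # Signature present, but its public key is not in rpm's keyring.
                keyid=${result##*MISSING KEYS: }
                keyid=${keyid%%)*}
                printf '%s\tMISSING_KEY %s\n' "$path" "$keyid" ;;
            *"NOT OK"*)
                printf '%s\tBAD\n' "$path" ;;
            *" OK")
                # "OK" alone only means the digests matched. Count the package
                # as signed only if a signature type (gpg/pgp/dsa/rsa) is listed.
                if printf '%s\n' "$result" |
                    grep -Eqi '(^|[ (])(gpg|pgp|dsa|rsa)([ )]|$)'; then
                    printf '%s\tSIGNED_OK\n' "$path"
                else
                    printf '%s\tDIGEST_ONLY\n' "$path"
                fi ;;
            *)
                printf '%s\tUNKNOWN\n' "$path" ;;
        esac
    done
}

# Succeeds only when every package on stdin is signed and verified.
all_signed() {
    ! classify_checksig | grep -qv "$(printf '\tSIGNED_OK')\$"
}

sample_checksig_output | classify_checksig
```

In real use, pipe the output of `rpm --checksig` over a package directory into `all_signed` and refuse to publish the directory when it fails.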