Why sign RPMs

Intermediates such as proxies and caches, which are sometimes used to separate production servers from the Internet, cannot tamper with a signed package without the signature check failing on the installing host.

This is a good guide, but it's worth mentioning that the key-creation step creates excess key material, particularly an encryption subkey.

An encryption subkey would never be needed for a package signing key and might open the user up to forming a bad habit of using it because it exists, even though they could trivially add an encryption or authentication subkey at any time.

A more correct approach would be to use the --full-gen-key option and choose option 3 or 4 to create a "sign only" key. This key is valid for signature and certification (signing other keys), as evidenced by the [SC] below. One would think that you should trim down further and create a key incapable of signing other keys; however, GnuPG just won't let you do that because it has to sign itself.

Using --passphrase-fd 3 to tell gpg to read the passphrase from "stdin" apparently worked in older versions of "gpg" where "stdin" was file descriptor 3, it seems, but does not work in newer versions of "gpg". We used rpmsign on Ubuntu, and upgrading from Ubuntu

This was also an issue for me on RHEL 8.

Thanks for the comment as this fixed it for me on EL8 as well!

First generate a gpg key pair on the machine.

    Real name: Package Manager
    Email address: pmanager example

CJ Oster

The gpg prompts and output look like this (excerpt):

    This is free software: you are free to change and redistribute it.
    What keysize do you want?
    It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.

Step 1. Generate a gpg key pair (public key and private key). You will be prompted with a series of questions about encryption. Simply select the default values presented. You will also be asked

If you get the following response:

    We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.

open up a separate terminal, ssh into your server and run this command:

Step 2. Verify your gpg keys were created.

Step 3. Export your public key from your key ring to a text file. You will use the information for Real Name and Email you used to
I used Fernando Aleman and faleman email.

Step 4. If you plan to share your custom built RPM packages with others, make sure

Step 5.

Step 6. You can use the following command to edit if you are on the server:

Step 7. Sign your custom RPM package. You can sign each RPM file individually:

Step 8. Check the signature to make sure it was signed. Watch for 'gpg OK' as in this example:

Sign package during build.
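The eight steps above, and the "sign only" key the earlier comment asks for, as one script. This is an added example, not the gist author's or the commenters' own code. It assumes GnuPG 2.1+ and rpm-sign are installed, that the signing identity is "Package Manager <pmanager@example.com>" (a hypothetical identity, like the public key file name RPM-GPG-KEY-pmanager), and that the RPMs to sign are passed on the command line. The `sig_ok` function at the end is the check for Step 8: it accepts the "digests signatures OK" line of rpm 4.14+ as well as the older "pgp ... OK" / "gpg OK" forms, and rejects a bare "digests OK", which means the package was only checksummed and never signed.

```sh
#!/bin/sh
# Added example, not the gist's or the commenters' own code: generate a
# sign-only key, export and import it, configure rpmsign, sign, and verify.
# Hypothetical assumptions: GnuPG 2.1+ and rpm-sign installed; identity and
# file name below are made up for the example.
set -eu

KEY_NAME="Package Manager"            # hypothetical identity
KEY_EMAIL="pmanager@example.com"      # hypothetical identity
PUBKEY_FILE="RPM-GPG-KEY-pmanager"    # hypothetical file name

# Step 1: unattended key generation. "Key-Usage: sign" with no Subkey-Type
# line yields an [SC] primary key and no encryption subkey, which is the
# point raised in the comments. %no-protection keeps the example
# non-interactive; a real signing key should carry a passphrase.
gen_signing_key() {
    gpg --batch --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: ${KEY_NAME}
Name-Email: ${KEY_EMAIL}
Expire-Date: 2y
%commit
EOF
}

# Steps 2 and 3: confirm the key exists, then export the public half as
# ASCII armor so it can be shipped to consumers.
export_pubkey() {
    gpg --list-keys "${KEY_EMAIL}" >/dev/null
    gpg --armor --export "${KEY_EMAIL}" > "${PUBKEY_FILE}"
}

# Step 4: every host that installs the packages (including this one, so that
# `rpm -K` can check the signature) imports the public key. Needs root.
import_pubkey() {
    rpm --import "${PUBKEY_FILE}"
}

# Steps 5 and 6: tell rpmsign which key to use. %_gpg_name is handed to gpg
# as the -u selector, so the e-mail address is enough to pick the key.
write_rpmmacros() {
    printf '%%_gpg_name %s\n' "${KEY_EMAIL}" > "${HOME}/.rpmmacros"
}

# Step 7: sign each package in place (rpmsign comes from the rpm-sign
# package; older systems use `rpm --addsign`).
sign_rpms() {
    for f in "$@"; do
        rpmsign --addsign "$f"
    done
}

# Step 8 helper: decide from one line of `rpm -K` output whether a signature
# verified. rpm 4.14+ prints e.g.
#     foo.rpm: digests signatures OK
# and older rpm printed e.g.
#     foo.rpm: rsa sha1 (md5) pgp md5 OK
# A bare "digests OK" means the file was only checksummed, never signed; a
# "NOT OK" or "MISSING KEYS" line means the signature did not verify. Both
# are rejected, so an unsigned package cannot pass as a good one.
sig_ok() {
    line="$1"
    case "$line" in
        *"NOT OK"*|*"MISSING KEYS"*) return 1 ;;
    esac
    case "$line" in
        *signatures*OK*|*pgp*OK*|*gpg*OK*) return 0 ;;
    esac
    return 1
}

verify_rpm() {
    sig_ok "$(rpm -K "$1")"
}

# Run the procedure only when explicitly asked, e.g.
#     sh sign-rpms.sh run RPMS/x86_64/*.rpm
case "${1:-}" in
run)
    shift
    gen_signing_key
    export_pubkey
    import_pubkey
    write_rpmmacros
    sign_rpms "$@"
    for f in "$@"; do
        verify_rpm "$f" || { echo "signature check failed: $f" >&2; exit 1; }
    done
    ;;
esac
```

Run it as `sh sign-rpms.sh run RPMS/x86_64/*.rpm`; the `rpm --import` step needs root. The key is generated with `%no-protection` only so the example runs unattended, which also sidesteps the `--passphrase-fd` problem discussed in the comments; on a real build host, protect the key with a passphrase and keep it on a dedicated signing machine.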
