Signing and Creating a Repository for RPM Packages
Signing RPM packages
An RPM signature, like the digital signature used by many other software-signing systems, is a checksum of the package signed with the packager's private key; anyone holding the matching public key can verify that the package has not been altered since it was signed. RPM uses the GPG libraries for signing.
- Create a GPG key:
gpg --gen-key
- Add the e-mail address associated with your gpg key to the %_gpg_name macro in ~/.rpmmacros; the line will look like this:
%_gpg_name "e-mail-address"
- Find (or make) some packages to put in your repository. Make sure that the epoch-version-release is higher than that of any package with the same name in the Fedora repositories.
- Sign those packages with:
rpm --addsign packagefile
Creating a YUM repository
A yum repository is just a directory of packages and some metadata.
To create a yum repository:
- Create a directory that can be served. The protocol used to serve that directory could be http, ftp, nfs, or something else (the files can be served by putting them on a DVD too!). For http, create the directory within /var/www/html
- Put your signed packages in that directory.
- Create the repository metadata for that directory:
createrepo /name/of/directory
(typically: createrepo .)
Notice that the repository metadata will be placed in a subdirectory named repodata.
Creating the Repo and Key Files
- Create a new repository file in /etc/yum.repos.d by copying and modifying an existing file in that directory. Keep gpgcheck=1 but comment out the gpgkey line.
- Confirm that you cannot install from that repository using yum, since the gpgkey is unavailable to yum/rpm.
- Uncomment the gpgkey line, and point it to a new file within /etc/pki/rpm-gpg/
- Create the ASCII-armoured gpg public key file by running (as your regular user):
gpg --export --armour e-mail-address
and saving the output to the new filename (note: you'll need to be your regular user to perform the export, but the root user to install the file).
- Confirm that you can now install from your repository. You should be asked whether you wish to import the key for your repo the first time you use a package from that repo.
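The following is an added example, not part of the original page: a small POSIX shell lint that checks a .repo file for the two settings the steps above depend on (gpgcheck=1, and an uncommented gpgkey pointing to a file under /etc/pki/rpm-gpg/). The repository name, baseurl and key file name in the two constructed sample files are assumptions made for this example.

```sh
# Write two constructed sample .repo files to a temporary directory and print
# its path: the "nokey" file is the intermediate state (gpgkey commented out),
# the other is the finished state.
make_sample_repos() {
    dir=$(mktemp -d)
    cat > "$dir/myrepo-nokey.repo" <<'EOF'
[myrepo]
name=My signed repository (constructed example)
baseurl=http://repo.example.com/myrepo/
enabled=1
gpgcheck=1
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-myrepo
EOF
    cat > "$dir/myrepo.repo" <<'EOF'
[myrepo]
name=My signed repository (constructed example)
baseurl=http://repo.example.com/myrepo/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-myrepo
EOF
    echo "$dir"
}

# check_repo_file FILE: return 0 only if gpgcheck=1 and gpgkey is an
# uncommented file:// URL under /etc/pki/rpm-gpg/. A commented "#gpgkey=" line
# is ignored because sed only matches the key at the start of the line.
check_repo_file() {
    f="$1"
    gpgcheck=$(sed -n 's/^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
    gpgkey=$(sed -n 's/^[[:space:]]*gpgkey[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
    if [ "$gpgcheck" != "1" ]; then
        echo "$f: gpgcheck must be 1 (found '${gpgcheck:-unset}')" >&2
        return 1
    fi
    case "$gpgkey" in
        file:///etc/pki/rpm-gpg/?*) return 0 ;;
        "") echo "$f: gpgkey is missing or commented out; yum cannot verify signatures" >&2 ;;
        *) echo "$f: gpgkey should point to a file under /etc/pki/rpm-gpg/ (found '$gpgkey')" >&2 ;;
    esac
    return 1
}

# Usage: lint both constructed files; the "nokey" one is reported as FAIL.
samples=$(make_sample_repos)
for f in "$samples"/*.repo; do
    if check_repo_file "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```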
Creating a Repository-release RPM
To make it easier for users to access your repository, create an RPM containing:
- Your repo file
- Your GPG key
You can link to this repository-release RPM from a web page, and users can install access to your repository by simply clicking on that link. You can also include this package in a Spin or Remix. If you ever need to move your repository's location or make other adjustments, you can provide an updated repository-release package which will be installed when your users perform a yum update.
Take a look at the RPMFusion release RPM for an example.