Signing and Creating a Repository for RPM Packages

2,949 bytes added, 14:17, 19 September 2012
Created page with 'SBR600DPI908RPM === Signing RPM packages === An RPM signature, like the digital signature used on many other software-signing systems, is a private key encryption of…'
[[SBR600]][[DPI908]][[RPM]]
=== Signing RPM packages ===

An RPM signature, like the digital signature used on many other software-signing systems, is a private key encryption of a checksum. RPM uses the GPG libraries for signing.

# Create a GPG key: <code>gpg --gen-key</code>
# Add the e-mail address associated with your GPG key to the <code>%_gpg_name</code> macro in <code>~/.rpmmacros</code> -- the line will look like this: <code>%_gpg_name "<i>e-mail-address</i>"</code>
# Find (or make) some packages to put in your repository. Make sure that the epoch-version-release is higher than that of any package with the same name in the Fedora repositories.
# Sign those packages with: <code>rpm --addsign <i>packagefile</i></code>

=== Creating a YUM repository ===

A yum repository is just a directory of packages and some metadata.

To create a yum repository:
# Create a directory that can be served. The protocol used to serve that directory could be HTTP, FTP, NFS, or something else (the files can be served by putting them on a DVD too!). For HTTP, create the directory within <code>/var/www/html</code>.
# Put your signed packages in that directory.
# Create the repository metadata for that directory: <code>createrepo <i>/name/of/directory</i></code> (typically: <code>createrepo . </code>)

Notice that the repository metadata will be placed in a subdirectory named <code>repodata</code>.

=== Testing ===

# Create a new repository file in <code>/etc/yum.repos.d</code> by copying and modifying an existing file in that directory. Keep <code>gpgcheck=1</code> but comment out the <code>gpgkey</code> line.
# Confirm that you cannot install from that repository using yum, since the gpgkey is unavailable to yum/rpm.
# Uncomment the <code>gpgkey</code> line, and point it to a new file within <code>/etc/pki/rpm-gpg/</code>
# Create that file by running (as your regular user): <code>gpg --export --armour <i>e-mail-address</i></code> and saving the output to the new filename (note: you'll need to be your regular user to perform the export, but the root user to install the file).
# Confirm that you can now install from your repository. You should be asked whether you wish to import the key for your repo the first time you use a package from that repo.
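
The check below is an added example, not part of the original page: it reads a repo file of the kind used in the Testing steps and reports, for each section, whether <code>gpgcheck</code> is enabled and a <code>gpgkey</code> line is actually active (a commented-out line does not count). The repository ids, the <code>baseurl</code> and the key file name <code>RPM-GPG-KEY-myrepo</code> are constructed sample values, and a section with no <code>gpgcheck</code> line is reported as not enabled because the check looks only at this file.

```shell
#!/bin/sh
# Added example (not from the original page): report, for every [section] of a
# yum .repo file, whether signature checking is on and a key is configured.
audit_repo_file() {
    awk '
        function report() {
            if (id == "") return
            c = tolower(check)
            if (c != "1" && c != "yes" && c != "true") s = "gpgcheck-not-enabled"
            else if (key == "") s = "gpgkey-missing"
            else s = "ok"
            print id ": " s
        }
        function value(line) {
            sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t\r]+$/, "", line)
            return line
        }
        /^[ \t]*[#;]/            { next }   # a commented-out gpgkey does not count
        /^[ \t]*\[/              { report(); id = $0
                                   gsub(/^[ \t]*\[|\].*$/, "", id)
                                   check = ""; key = ""; next }
        /^[ \t]*gpgcheck[ \t]*=/ { check = value($0); next }
        /^[ \t]*gpgkey[ \t]*=/   { key = value($0); next }
        END                      { report() }
    ' "$1"
}

# Constructed sample: states a repo file passes through in the Testing steps,
# plus one section with signature checking switched off. All names are hypothetical.
write_sample_repo() {
    cat > "$1" <<'EOF'
[myrepo-step1]
baseurl=http://localhost/myrepo/
gpgcheck=1
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-myrepo

[myrepo-step3]
baseurl=http://localhost/myrepo/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-myrepo

[myrepo-unsigned]
baseurl=http://localhost/myrepo/
gpgcheck=0
EOF
}

sample=$(mktemp); write_sample_repo "$sample"; audit_repo_file "$sample"; rm -f "$sample"
```

To check a real system, call <code>audit_repo_file</code> on each file in <code>/etc/yum.repos.d</code>.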

=== Creating a Repository-release RPM ===

To make it easier for users to access your repository, create an RPM containing:
# Your repo file
# Your GPG key

You can link to this repository-release RPM from a web page, and users can install access to your repository by simply clicking on that link. You can also include this package in a [[:fedora:Spin|Spin]] or [[:fedora:Remix|Remix]]. If you ever need to move your repository's location or make other adjustments, you can provide an updated repository-release package which will be installed when your users perform a <code>yum update</code>.

Take a look at the [http://rpmfusion.org/ RPMFusion] release RPM for an example.
