Part 4 of the Building RPMs series. Tags: rpm

Introduction

So far, we have set up an RPM build environment, set up our RPM signing key, and built RPMs. The last thing left to do is to use the signing key to sign our newly built RPMs.

In this last part of the guide, we will sign the collectd RPMs that we built in Part 3.


Configure %_gpg_name in Macro File

Before we can sign RPMs, we need to tell the rpm command which GPG key to use. In Part 1, we saw the .rpmmacros file, which included some default rpm macros.

We now need to add one more macro, %_gpg_name, set to our GPG key ID. To find the GPG key ID, run the following command:

[makerpm@localhost ~]$ gpg --list-public-keys
/home/makerpm/.gnupg/pubring.gpg
---------------------------------
pub   2048R/512A2AA0 2015-11-30
uid                  Example Org Signing Key <support@example.com>
sub   2048R/D97540C0 2015-11-30

The GPG key ID is 512A2AA0.

Now, echo the macro and the GPG key ID to your ~/.rpmmacros file as follows:

echo "%_gpg_name 512A2AA0" >> ~/.rpmmacros
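The echo above appends a new line every time it is run, so a second run leaves two %_gpg_name definitions in the file. The following is an added example, not part of the original post: it parses the key ID out of the gpg listing and writes the macro idempotently. The listing text is a constructed copy of the output shown above, and the macro file is a temporary file rather than ~/.rpmmacros; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): derive the GPG key ID from
# `gpg --list-public-keys` output and record it as %_gpg_name in an rpm
# macro file without appending a duplicate definition on every run.

# Parse the key ID out of gpg's "pub   2048R/512A2AA0 2015-11-30" line.
# Reads the listing on stdin; prints the ID of the first public key.
gpg_key_id_from_listing() {
    awk '$1 == "pub" { split($2, f, "/"); print f[2]; exit }'
}

# Write or update "%_gpg_name <id>" in the macro file given as $1.
# An existing definition is replaced in place rather than duplicated.
set_gpg_name_macro() {
    macro_file=$1
    key_id=$2
    if [ -f "$macro_file" ] && grep -q '^%_gpg_name' "$macro_file"; then
        tmp=$(mktemp)
        sed "s|^%_gpg_name .*|%_gpg_name $key_id|" "$macro_file" > "$tmp"
        mv "$tmp" "$macro_file"
    else
        printf '%%_gpg_name %s\n' "$key_id" >> "$macro_file"
    fi
}

# Read back the configured key ID from the macro file (empty if unset).
get_gpg_name_macro() {
    [ -f "$1" ] || return 0
    awk '$1 == "%_gpg_name" { print $2 }' "$1"
}

# Constructed sample listing, in the shape gpg printed above in this post.
SAMPLE_LISTING='/home/makerpm/.gnupg/pubring.gpg
---------------------------------
pub   2048R/512A2AA0 2015-11-30
uid                  Example Org Signing Key <support@example.com>
sub   2048R/D97540C0 2015-11-30'

# Demo against a temporary macro file. On a real host you would pipe
# `gpg --list-public-keys` into gpg_key_id_from_listing and pass
# "$HOME/.rpmmacros" as the macro file.
demo() {
    f=$(mktemp)
    printf '%s\n' '%_topdir %(echo $HOME)/rpmbuild' > "$f"   # pre-existing macro
    id=$(printf '%s\n' "$SAMPLE_LISTING" | gpg_key_id_from_listing)
    set_gpg_name_macro "$f" "$id"
    set_gpg_name_macro "$f" "$id"   # second call must not add a second line
    cat "$f"
    rm -f "$f"
}

demo
```

rpm passes the value of %_gpg_name to gpg as the local user (-u) selector, so the 8-character short ID used in this post works, but a full fingerprint is also accepted and avoids picking the wrong key if two keys in the keyring ever share a short ID.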


Signing RPMs

Change to the directory where the RPMs were created. Depending on the chosen method, the directory could be either of the following:

  • $HOME/rpmbuild/RPMS/x86_64/
  • /var/lib/mock/centos-6-x86_64/result/

Then, run the following rpm command to add a signature to a single RPM (you will be prompted for the GPG key passphrase):

[makerpm@localhost ~]$ rpm --addsign -v collectd-5.5.0-1.el6.x86_64.rpm 
Enter pass phrase: 
Pass phrase is good.
collectd-5.5.0-1.el6.x86_64.rpm:

You can sign all the RPMs at once using file globbing:

[makerpm@localhost x86_64]$ rpm --addsign -v *\.rpm
Enter pass phrase: 
Pass phrase is good.
collectd-5.5.0-1.el6.x86_64.rpm:
collectd-amqp-5.5.0-1.el6.x86_64.rpm:
collectd-apache-5.5.0-1.el6.x86_64.rpm:
collectd-ascent-5.5.0-1.el6.x86_64.rpm:
collectd-bind-5.5.0-1.el6.x86_64.rpm:
collectd-ceph-5.5.0-1.el6.x86_64.rpm:
collectd-collection3-5.5.0-1.el6.x86_64.rpm:
collectd-contrib-5.5.0-1.el6.x86_64.rpm:
collectd-curl-5.5.0-1.el6.x86_64.rpm:
collectd-curl_json-5.5.0-1.el6.x86_64.rpm:
collectd-curl_xml-5.5.0-1.el6.x86_64.rpm:
collectd-dbi-5.5.0-1.el6.x86_64.rpm:
collectd-debuginfo-5.5.0-1.el6.x86_64.rpm:
collectd-disk-5.5.0-1.el6.x86_64.rpm:
collectd-dns-5.5.0-1.el6.x86_64.rpm:
collectd-email-5.5.0-1.el6.x86_64.rpm:
collectd-gmond-5.5.0-1.el6.x86_64.rpm:
collectd-hddtemp-5.5.0-1.el6.x86_64.rpm:
collectd-ipmi-5.5.0-1.el6.x86_64.rpm:
collectd-iptables-5.5.0-1.el6.x86_64.rpm:
collectd-java-5.5.0-1.el6.x86_64.rpm:
collectd-log_logstash-5.5.0-1.el6.x86_64.rpm:
collectd-lvm-5.5.0-1.el6.x86_64.rpm:
collectd-memcachec-5.5.0-1.el6.x86_64.rpm:
collectd-modbus-5.5.0-1.el6.x86_64.rpm:
collectd-mysql-5.5.0-1.el6.x86_64.rpm:
collectd-netlink-5.5.0-1.el6.x86_64.rpm:
collectd-nginx-5.5.0-1.el6.x86_64.rpm:
collectd-notify_desktop-5.5.0-1.el6.x86_64.rpm:
collectd-notify_email-5.5.0-1.el6.x86_64.rpm:
collectd-nut-5.5.0-1.el6.x86_64.rpm:
collectd-openldap-5.5.0-1.el6.x86_64.rpm:
collectd-perl-5.5.0-1.el6.x86_64.rpm:
collectd-php-collection-5.5.0-1.el6.x86_64.rpm:
collectd-pinba-5.5.0-1.el6.x86_64.rpm:
collectd-ping-5.5.0-1.el6.x86_64.rpm:
collectd-postgresql-5.5.0-1.el6.x86_64.rpm:
collectd-python-5.5.0-1.el6.x86_64.rpm:
collectd-redis-5.5.0-1.el6.x86_64.rpm:
collectd-rrdtool-5.5.0-1.el6.x86_64.rpm:
collectd-sensors-5.5.0-1.el6.x86_64.rpm:
collectd-smart-5.5.0-1.el6.x86_64.rpm:
collectd-snmp-5.5.0-1.el6.x86_64.rpm:
collectd-utils-5.5.0-1.el6.x86_64.rpm:
collectd-varnish-5.5.0-1.el6.x86_64.rpm:
collectd-virt-5.5.0-1.el6.x86_64.rpm:
collectd-write_http-5.5.0-1.el6.x86_64.rpm:
collectd-write_redis-5.5.0-1.el6.x86_64.rpm:
collectd-write_riemann-5.5.0-1.el6.x86_64.rpm:
libcollectdclient-5.5.0-1.el6.x86_64.rpm:
libcollectdclient-devel-5.5.0-1.el6.x86_64.rpm:


Verifying RPMs

To verify the signature, use the --checksig rpm flag:

[makerpm@localhost x86_64]$ rpm --checksig collectd-5.5.0-1.el6.x86_64.rpm 
collectd-5.5.0-1.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

For a more verbose output, add the -v flag:

[makerpm@localhost x86_64]$ rpm --checksig -v collectd-5.5.0-1.el6.x86_64.rpm 
collectd-5.5.0-1.el6.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID 512a2aa0: OK
    Header SHA1 digest: OK (f62c64dc9938b6d86c91d4f430b293dbb4f4cad3)
    V4 RSA/SHA1 Signature, key ID 512a2aa0: OK
    MD5 digest: OK (53a3f30fffd28e5bfba65a7f2608e8a2)

Remember that in Part 1 we exported the GPG key from the keyring and imported it into the RPM database. If you forgot to import the key into the RPM database, you would see MISSING KEYS and NOKEY in the output instead:

[makerpm@localhost x86_64]$ rpm --checksig collectd-5.5.0-1.el6.x86_64.rpm 
collectd-5.5.0-1.el6.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#512a2aa0)
[makerpm@localhost x86_64]$ rpm --checksig -v collectd-5.5.0-1.el6.x86_64.rpm 
collectd-5.5.0-1.el6.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID 512a2aa0: NOKEY
    Header SHA1 digest: OK (f62c64dc9938b6d86c91d4f430b293dbb4f4cad3)
    V4 RSA/SHA1 Signature, key ID 512a2aa0: NOKEY
    MD5 digest: OK (53a3f30fffd28e5bfba65a7f2608e8a2)
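Note that --checksig also reports OK for a package that carries no GPG signature at all, because the header and payload digests still verify; such a line reads like "sha1 md5 OK" with no pgp token. Before distributing packages it is therefore worth checking the output for both a present signature and a verified one. The following is an added example, not part of the original post: it classifies each --checksig line as signed, unsigned, untrusted (key not imported) or bad, and refuses a release unless every package is signed. The sample lines are constructed from the outputs shown above plus two made-up cases for the unsigned and bad-digest conditions; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): classify `rpm --checksig`
# output so that only packages with a verified GPG signature are released.

# Reads checksig lines on stdin and prints "<status> <file>" per line,
# where status is one of: signed, unsigned, untrusted, bad.
classify_checksig() {
    awk -F': ' '
    {
        file = $1
        rest = substr($0, length(file) + 3)   # text after "file: "
        if (rest ~ /NOT OK/) {
            # NOKEY / MISSING KEYS: signed, but the key is not in the rpm db.
            # Anything else NOT OK is a failed digest or signature.
            status = (rest ~ /MISSING KEYS|NOKEY/) ? "untrusted" : "bad"
        } else if (rest ~ /(^| )pgp( |$)/ || rest ~ /(^| )gpg( |$)/) {
            # lowercase pgp/gpg token: a signature was present and verified
            status = "signed"
        } else {
            # digests verified but the package carries no signature
            status = "unsigned"
        }
        print status " " file
    }'
}

# Exit 0 only if every package on stdin is "signed"; report offenders.
gate_release() {
    classify_checksig | awk '
        $1 != "signed" { print "refusing " $2 ": " $1 > "/dev/stderr"; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Run the gate over every RPM in a directory (uses the real rpm command).
gate_directory() {
    rpm --checksig "$1"/*.rpm | gate_release
}

# Constructed sample: first two lines match outputs shown in this post,
# the last two are made up to show an unsigned and a corrupted package.
SAMPLE_CHECKSIG='collectd-5.5.0-1.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
collectd-amqp-5.5.0-1.el6.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#512a2aa0)
collectd-apache-5.5.0-1.el6.x86_64.rpm: sha1 md5 OK
collectd-bind-5.5.0-1.el6.x86_64.rpm: RSA sha1 MD5 NOT OK'

printf '%s\n' "$SAMPLE_CHECKSIG" | classify_checksig
```

In a release script you would call gate_directory on the RPMS/x86_64 or mock result directory and stop on a non-zero exit, which catches both a forgotten --addsign and a key that was never imported into the RPM database on the build host.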


RPM Distribution

Now that we have signed RPMs, we are ready to distribute them to other servers within the infrastructure. There are various ways to do this, so use a method that fits your workflow.

For example, you could use a configuration management tool, such as Puppet, Ansible or Salt, to distribute the RPM GPG key to all machines and then install the RPM. Alternatively, if you use Spacewalk to manage custom YUM repositories, you could add the RPM GPG key to Spacewalk and add the signed RPMs to a custom repository.
