Signing Packages

--sign — Sign a Package At Build-Time

The --sign the build will proceed. If not, the build stops immediately.

Here's an example of --sign in action:

# rpm -ba --sign blather-7.9.spec Enter pass phrase: <passphrase> (Not echoed) Pass phrase is good. * Package: blather … Binary Packaging: blather-7.9-1 Finding dependencies... … Generating signature: 1002 Wrote: /usr/src/redhat/RPMS/i386/blather-7.9-1.i386.rpm … Source Packaging: blather-7.9-1 … Generating signature: 1002 Wrote: /usr/src/redhat/SRPMS/blather-7.9-1.src.rpm #

Once the pass phrase is entered, there's very little that is different from a normal build. The only obvious difference is the Generating signature message in both the binary and source packaging sections. The number following the message indicates that the signature added was created using PGP. [1]

Notice, that since RPM only signs the source and binary package files, only the -bb, and -ba options make any sense when used with --sign. This is due to the fact that only the -bb and -ba options create package files.

If we issue a quick signature check using RPM's --checksig option, we can see that there is, in fact, a PGP signature present:

# rpm --checksig blather-7.9-1.i386.rpm blather-7.9-1.i386.rpm: size pgp md5 OK #

It's clear to see that, in addition to the usual size and MD5 signatures, the package has a PGP signature.

--resign — Replace a Package's Signature(s)

As we mentioned at the end of the previous section, from time to time it may be necessary to change your public key. Certainly this would be necessary if your key's security was compromised, but other, more mundane situations might require this.

Fortunately, RPM has an option that permits you to replace the signature on an already-built package, with a new one. The option is called --resign, and here's an example of its use:

# rpm --resign blather-7.9-1.i386.rpm Enter pass phrase: <passphrase> (Not echoed) Pass phrase is good. blather-7.9-1.i386.rpm: #

While the output is not as exciting as a package build, the --resign option can be a life-saver if you need to change a package's signature, and you don't want to rebuild.

As you might have guessed, the --resign option works properly on multiple package files:

# rpm --resign b*.rpm Enter pass phrase: <passphrase> (Not echoed) Pass phrase is good. blather-7.9-1.i386.rpm: bother-3.5-1.i386.rpm: #

--addsign — Add a Signature To a Package

The --addsign package builders. But what reason would there be for adding a signature to a package?

As an example, the division of a company creates a package and signs it with the division's key. The company's headquarters then checks the package's signature and adds the corporate signature to the package, in essence stating that the signed package received by them is authentic.

Continuing the example, the doubly-signed package makes its way to a retailer. The retailer checks the package's signatures and, when they check out, adds their signature to the package.

The package now makes its way to a company that wishes to deploy the package. After checking every signature on the package, they know that it is an authentic copy, unchanged since it was first created. Depending on the deploying company's internal controls, they may choose to add their own signature, thereby reassuring their employees that the package has received their corporate "blessing".

After this lengthy example, the actual output from the --addsign option is a bit anti-climactic:

# rpm --addsign blather-7.9-1.i386.rpm Enter pass phrase: <passphrase> (Not echoed) Pass phrase is good. blather-7.9-1.i386.rpm: #

If we check the signatures of this package, we'll be able to see the multiple signatures:

# rpm --checksig blather-7.9-1.i386.rpm blather-7.9-1.i386.rpm: size pgp pgp md5 OK #

The two pgp's in --checksig's output clearly shows that the package has been signed twice.