Signing and Creating a Repository for RPM Packages

Signing RPM packages

An RPM signature, like the digital signature used by many other software-signing systems, is a checksum of the package signed with a private key. RPM uses the GPG libraries for signing.

  1. Create a GPG key: gpg --gen-key
  2. Add the e-mail address associated with your GPG key to the %_gpg_name macro in ~/.rpmmacros; the line will look like this: %_gpg_name "e-mail-address"
  3. Find (or make) some packages to put in your repository. Make sure that the epoch-version-release is higher than that of any package with the same name in the Fedora repositories.
  4. Sign those packages with: rpm --addsign packagefile

Creating a YUM repository

A yum repository is just a directory of packages and some metadata.

To create a yum repository:

  1. Create a directory that can be served. The protocol used to serve that directory could be http, ftp, nfs, or something else (the files can be served by putting them on a DVD too!). For http, create the directory within /var/www/html
  2. Put your signed packages in that directory.
  3. Create the repository metadata for that directory: createrepo /name/of/directory (typically: createrepo . )

Notice that the repository metadata will be placed in a subdirectory named repodata.

Creating the Repo and Key Files

  1. Create a new repository file in /etc/yum.repos.d by copying and modifying an existing file in that directory. Keep gpgcheck=1 but comment out the gpgkey line.
  2. Confirm that you cannot install from that repository using yum, since the gpgkey is unavailable to yum/rpm.
  3. Uncomment the gpgkey line, and point it to a new file within /etc/pki/rpm-gpg/
  4. Create the ASCII gpg public key file by running (as your regular user): gpg --export --armour e-mail-address and saving the output to the new filename (note: you'll need to be your regular user to perform the export, but the root user to install the file).
  5. Confirm that you can now install from your repository. You should be asked whether you wish to import the key for your repo the first time you use a package from that repo.
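As an added example (not part of the original page), the following POSIX sh script ties the signing, repository-creation and repo-file steps above together: it refuses to run createrepo until every package carries a PGP signature, exports the public key next to the packages, and writes a .repo file that keeps gpgcheck=1 and points gpgkey at that key. The key-file name RPM-GPG-KEY-<repo-id>, the repo id and the base URL are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed names: the key file is
# called RPM-GPG-KEY-<repo-id>; the repo id and base URL are whatever you
# choose. Requires rpm, createrepo and gpg on the publishing host.

# Write a yum .repo definition that keeps gpgcheck=1 and points gpgkey at the
# installed public key, so every package from this repo is verified.
# Args: repo id, base URL, key path on the client, output file.
write_repo_file() {
    repo_id=$1; base_url=$2; key_path=$3; out=$4
    cat > "$out" <<EOF
[$repo_id]
name=$repo_id packages
baseurl=$base_url
enabled=1
gpgcheck=1
gpgkey=file://$key_path
EOF
}

# Return 0 only if every .rpm in the directory carries a PGP signature.
# "rpm -Kv" prints a "Signature" line for signed packages and none for
# unsigned ones; a signature by a key not yet imported shows as NOKEY but is
# still listed, so this checks presence of a signature, not trust in the key.
all_packages_signed() {
    dir=$1; rc=0
    for pkg in "$dir"/*.rpm; do
        [ -e "$pkg" ] || { echo "no packages in $dir" >&2; return 1; }
        if ! rpm -Kv "$pkg" 2>/dev/null | grep -qi 'signature'; then
            echo "unsigned: $pkg (run: rpm --addsign $pkg)" >&2; rc=1
        fi
    done
    return $rc
}

# Refuse to build metadata over unsigned packages, then export the public key
# next to the packages (served to users and reusable in a release RPM) and
# write the matching .repo file there too.
publish_repo() {
    pkg_dir=$1; key_email=$2; repo_id=$3; base_url=$4
    key_file=RPM-GPG-KEY-$repo_id                      # assumed naming
    all_packages_signed "$pkg_dir" || return 1
    createrepo "$pkg_dir" || return 1                  # creates repodata/
    gpg --export --armor "$key_email" > "$pkg_dir/$key_file" || return 1
    write_repo_file "$repo_id" "$base_url" \
        "/etc/pki/rpm-gpg/$key_file" "$pkg_dir/$repo_id.repo"
}

# Usage: sh publish.sh <package-dir> <key-email> <repo-id> <base-url>
if [ "$#" -eq 4 ]; then
    publish_repo "$@"
fi
```

Re-run the script (or at least createrepo) whenever packages are added or replaced, since the repodata describes only what was present when it was generated.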

Creating a Repository-release RPM

To make it easier for users to access your repository, create an RPM containing:

  1. Your repo file
  2. Your GPG key

You can link to this repository-release RPM from a web page, and users can install access to your repository by simply clicking on that link. You can also include this package in a Spin or Remix. If you ever need to move your repository's location or make other adjustments, you can provide an updated repository-release package which will be installed when your users perform a yum update.

Take a look at the RPMFusion release RPM for an example.