[Yum] rpmbuild --sign

Robert G. Brown rgb at phy.duke.edu
Tue Nov 30 20:15:11 UTC 2004

I'm trying to build rpm's that work with yum's checksig.

I've tried e.g.

rpmbuild -ba --sign wulfstat.spec

(after setting up .rpmmacros to contain directions to my gpg keyring and
user name and telling it to use gpg).  The rpm builds correctly and
prompts me correctly for my gpg pass phrase to generate the required
signature.  I've also tried adding a signature to existing rpm's via
e.g. --

rgb at ganesh|B:1208>rpm --addsign wulfstat-1.0.1-1.i386.rpm 
Enter pass phrase: 
Pass phrase is good.
warning: wulfstat-1.0.1-1.i386.rpm: was already signed by key ID e5637298, skipping

Note that the rpmbuild signature was already there, and rpm was smart
enough not to add it twice.

However, when I CHECK the signature, rpm doesn't like it.  Note that
I've already used (as per rpm man page)

  rpm --export -a > gpg.pubkey


  rpm --import gpg.pubkey

so that

[root at ganesh wulfware]# rpm -qa gpg-pubkey\*

shows that rpm on this system knows about e5637298's public key.  It
SHOULD then be able to check the signature in the rpm and verify it, but
neither rpm nor yum-arch -c can (apparently) do so:

rgb at ganesh|B:1209>rpm --checksig wulfstat-1.0.1-1.i386.rpm 
wulfstat-1.0.1-1.i386.rpm: (SHA1) DSA sha1 md5 GPG NOT OK

I'm trying to set up a way of using yum as a distribution mechanism for
a related set of personally maintained packages, and this is the only
remaining stumbling block.  Obviously I could use gpgcheck = 0, but it
seems equally obviously better/smarter to learn to build rpm's that
gpgcheck correctly.

So, what am I doing wrong, or leaving out?  


Robert G. Brown	                       http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb at phy.duke.edu
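
An added example, not part of the original post: a pre-publication check that reads `rpm --checksig` summary lines like the one quoted above and lists packages to hold back from a yum repository. It assumes rpm's summary convention that a lowercase token was verified and an uppercase token was not; the function names and the `example-*` lines are constructed for illustration.

```python
import re

# Constructed sample input, except the first line, which is the output
# quoted in the post.
SAMPLE = """\
wulfstat-1.0.1-1.i386.rpm: (SHA1) DSA sha1 md5 GPG NOT OK
example-a-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
example-b-1.0-1.i386.rpm: sha1 md5 OK
"""

VERDICT = re.compile(r"\b(NOT OK|OK)\b")
# Tokens that stand for a signature rather than a plain digest.
SIGNATURE_TOKENS = {"dsa", "rsa", "gpg", "pgp"}


def parse_checksig(line):
    """Split one `rpm --checksig` summary line into per-check results."""
    pkg, sep, rest = line.strip().partition(": ")
    m = VERDICT.search(rest)
    if not sep or not m:
        raise ValueError(f"not a checksig summary line: {line!r}")
    passed, not_verified = [], []
    for tok in rest[:m.start()].split():
        # Assumed convention: lowercase = verified, uppercase = not verified.
        (passed if tok.strip("()").islower() else not_verified).append(tok)
    signed = any(t.strip("()").lower() in SIGNATURE_TOKENS
                 for t in passed + not_verified)
    return {"package": pkg, "verdict": m.group(1), "passed": passed,
            "not_verified": not_verified, "signed": signed}


def hold_back(text):
    """Return {package: reason} for packages that should not be published."""
    held = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        r = parse_checksig(line)
        if r["verdict"] != "OK" or r["not_verified"]:
            held[r["package"]] = "not verified: " + " ".join(r["not_verified"])
        elif not r["signed"]:
            # Digest-only packages report OK but carry no signature at all.
            held[r["package"]] = "unsigned: digests only"
    return held


if __name__ == "__main__":
    for pkg, reason in hold_back(SAMPLE).items():
        print(f"{pkg}: {reason}")
```

The unsigned case is listed separately because a package with no signature still reports OK on its digests alone.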
