RPM is RedHat's Package Manager utility for its Linux Distribution. It allows one to install software without compiling source or worrying if you have the latest version of some other software or library--it checks for "depencencies" automatically. RPM is also used in other Linux distributions.
With RedHat 6.x a new version of RPM, 3.0, was introduced. It made major changes that were not upward compatible and it impossible for most people to build new packages. These changes are NOT documented. However, by reverse-engineering the software, with source code, I was able to figure out how to use the software.
By the way, here's a list of RedHat Linux RPM packages I produced.
This HOWTO focuses on how to "sign" packages. That is, with PGP (Pretty-good Privacy) or with its successor GPG (GNU Privacy Guard). PGP or GPG add a digital "signature" that verifies the signer (and not someone else) built the package.
Update: The features to support GPG were added to RPM 4.0. Usage is similar--see details below.
A good book on PGP is Garfinkel's PGP: Pretty Good Privacy
Documentation is outdated. (Somewhat dated) RPM documentation can be found at http://www.rpm.org/ A (outdated) book, Bailey's Maximum RPM, is available there for downloading (I understand it's being revised). More (outdated) notes are in directory /usr/doc/rpm-* or /usr/share/doc/rpm-* if you have Linux installed.
This informal HOWTO started as a message posted to newsgroup redhat.rpm.general. My posting was picked up by Linux Weekly News and published in their 24 June 1999 edition:
Distributions: Red Hat
A Signing RPMS HOWTO, or at least a draft version of one, was posted to the redhat.rpm.general by Dan Anderson, who has filed a bug report about the inaccuracies he sees in Red Hat's 6.x Documentation for RPM 2.0. While we're waiting for a bug fix from Red Hat, he thought he'd pass on his hard-earned knowledge.
However, the message contained a few typos, so I'm posting a
slightly-corrected version below.
From: Dan Anderson Subject: Signing RPMS HOWTO (Undocumented RPM Secrets) Date: Wed, 23 Jun 1999 06:25:44 +0000
RedHat's 6.x Documentation for RPM 2.0 is not only incomplete--it's inaccurate.
I filed this as bug #
But I thought while we're waiting a few years for it to be corrected,
I'll summarize below.
Basically, almost everything that used to be in /etc/rpmrc (except include, macrofiles, optflags, & provides) now goes in file /etc/rpm/macros. This is documented NOWHERE but in the source code!!!
Also, if you use rpm --sign, it is now BROKEN. To fix it (also UNDOCUMENTED), add this undocumented statement to file /etc/rpm/macros:
%_pgpbin /usr/local/bin/pgp(or whereever your pgp is located).
If you are using PGP 2.6.x, you must have another file in the same
directory named "pgp26"
or "pgp50" depending on whether you are using PGP 2.6.x or PGP 5.x
(another undocumented secret).
That is either:
ln -s /usr/local/bin/pgp /usr/local/bin/pgp26
ln -s /usr/local/bin/pgp /usr/local/bin/pgp50
If you're confused about PGP versions, I recommend using PGP 2.6.x over PGP 5 since the former is more popular and many pgp programs don't understand the newer format.
Next, you need your .pgp directory set up and have the directory and files owned by root or whatever user ID you set up the RPMs with. Here's my /etc/rpmrc:
#/etc/rpmrc optflags: i386 -O2 -m486 -fno-strength-reduce optflags: alpha -O2 optflags: sparc -O2Here's my /etc/rpm/macros:
%_signature pgp %_pgp_path ~/.pgp %_pgpbin /usr/local/bin/pgp %_pgp_name "Dan Anderson <email@example.com>" %vendor: Dan E. Anderson http://dan.drydog.com/ %packager: Dan E. Anderson <firstname.lastname@example.org> %distribution: Dan E. Anderson http://dan.drydog.com/Here's my ~/.pgp directory (sorry, no content--some files are intentionally secret!):
[.pgp]# ls -la total 22 drwx------ 2 root root 1024 Jun 22 20:06 ./ drwxr-x--- 27 root root 2048 Jun 22 23:16 ../ -rw------- 1 root root 4002 Jun 22 09:22 config.txt -rw------- 1 root root 582 Jun 22 12:57 dan.asc -r-------- 1 root root 5802 Sep 2 1994 keys.asc -rw-r--r-- 1 root root 77 Dec 22 1998 pgp.cfg -rw------- 1 root root 4833 Jun 22 12:52 pubring.pgp -rw------- 1 root root 408 Jun 22 22:26 randseed.bin -r-------- 1 root root 668 Jun 22 12:52 secring.pgp
As a reminder, the US Government considers PGP and other strong-encryption software a "munition" and prohibits the export of PGP software to countries other than the US and Canada without an export license. Certain other governments (e.g., France?) even prohibit possession of encryption software.
If you have RedHat 6 or RPM 3 installed, a macro to convert RPM 2 file /etc/rpmrc to RPM 3 files /etc/rpmrc and /etc/rpm/macros is at /usr/lib/rpm/convertrpmrc.sh Default macros are defined in files /usr/lib/rpm/rpmrc and macros.
RPM 3.0 is full of bugs. I strongly advise upgrading to 3.0.2. The RedHat 6 Intel version is at ftp://updates.redhat.com/6.0/en/os/i386/rpm-3.0.2-6.0.i386.rpm Other versions for other architectures and earlier RedHat versions are also available.
RPM 4 (and recent versions of RPM 3.x) has the ability to use GPG instead of PGP. GPG appears to be replacing PGP (at least in the Open Source world). Here's my /etc/rpm/macros for GPG:
%_signature gpg %_gpg_path ~/.gnupg %_gpg_name Dan Anderson <email@example.com> %vendor: Dan E. Anderson http://dan.drydog.com/ %packager Dan E. Anderson http://dan.drydog.com/ %distribution Dan E. Anderson http://dan.drydog.com/
Note that it's not required to use %_gpgbin if gpg is located in /usr/bin/gpg Here's my ~/.gnupg directory (sorry, no content--some files are intentionally secret!):
[dan@dan .gnupg]$ ls -la total 28 drwx------ 2 dan dan 4096 Apr 5 19:04 ./ drwxr-xr-x 36 dan dan 4096 Apr 5 19:45 ../ -rw-r--r-- 1 dan dan 2823 Nov 8 1999 options -rw-r--r-- 1 dan dan 1367 Apr 5 18:56 public.key.txt -rw-r--r-- 1 dan dan 892 Apr 5 18:53 pubring.gpg -rw------- 1 dan dan 600 Apr 5 19:55 random_seed -rw------- 1 dan dan 1114 Apr 5 18:53 secring.gpg
The public.key.txt, containing my public key in ASCII form was created
from the binary pubring.pgp file with:
gpg --export --armor
For other gpg options, type gpg --help or man gpg
Here's a copy of the original bug report (bugzilla bug 3638):
|Product:||Red Hat Linux||Reporter:||firstname.lastname@example.org|
|Assigned To:||email@example.com||No email for Bug #3638|
|Summary:||rpm --sign setup misdocumented/not documented|
Cc: firstname.lastname@example.org Summary: rpm --sign setup misdocumented/not documented I was trying to create rpms for the rhcn Contrib|Net. However, lots of things are misdocumented/not documented. I had to add debug to the rpm source to find how to use it. Please correct!!!!!!!! 1. /usr/man/man8/rpm.8 (section PGP_SIGNATURES) 1a. The "pgp" must be on the same line as %_signature 1b. Same with %_pgp_name 1c. Same with %pgp_name 1d. %_pgp_name's value is missing the initial double quote (") 2. Add a line line in the man page %_pgpbin /usr/local/bin/pgp (if pgp is not in /usr/bin/pgp) Also another file must exist with the version appended in the same directory. E.g., /usr/local/bin/pgp26 or /usr/local/bin/pgp50 (Ref: pgp source file lib/signature.c) 2. File /usr/doc/rpm-3.0.1/signatures 2a. Change references to rpmrc to "/etc/rpm/macros or ~/.rpmmacros" 2b. Change "signature" to "%_signature" 2c. Change "pgp_name" to "%_pgp_name" 2d. Add "%_pgpbin" ------- Additional Comments From 06/23/99 ------- The RPM HOWTO (v2.0) has the same problems. Also the RPM HOWTO should mention file "/etc/rpm/macros or ~/.rpmmacros" ------- Additional Comments From 06/26/99 ------- In the RPM HOWTO, also remove mention of the /etc/rpmrc vendor, packager, and distribution keywords. They are now in the /etc/rpm/macros or ~/.rpmmacros file and are renamed %vendor, %packager, and %distribution