RedHat RPM 3.0/4.0 Signing HOW-TO

[Last revised 5 April 2001 ]

[ladybug] Introduction

RPM is RedHat's Package Manager utility for its Linux Distribution. It allows one to install software without compiling source or worrying if you have the latest version of some other software or library--it checks for "depencencies" automatically. RPM is also used in other Linux distributions.

With RedHat 6.x a new version of RPM, 3.0, was introduced. It made major changes that were not upward compatible and it impossible for most people to build new packages. These changes are NOT documented. However, by reverse-engineering the software, with source code, I was able to figure out how to use the software.

By the way, here's a list of RedHat Linux RPM packages I produced.

[ladybug] Digital Signatures and PGP/GPG

This HOWTO focuses on how to "sign" packages. That is, with PGP (Pretty-good Privacy) or with its successor GPG (GNU Privacy Guard). PGP or GPG add a digital "signature" that verifies the signer (and not someone else) built the package.

Update: The features to support GPG were added to RPM 4.0. Usage is similar--see details below.

A good book on PGP is Garfinkel's PGP: Pretty Good Privacy

[ladybug] RPM Documentation

Documentation is outdated. (Somewhat dated) RPM documentation can be found at A (outdated) book, Bailey's Maximum RPM, is available there for downloading (I understand it's being revised). More (outdated) notes are in directory /usr/doc/rpm-* or /usr/share/doc/rpm-* if you have Linux installed.

[ladybug] Background

This informal HOWTO started as a message posted to newsgroup redhat.rpm.general. My posting was picked up by Linux Weekly News and published in their 24 June 1999 edition:

Distributions: Red Hat
A Signing RPMS HOWTO, or at least a draft version of one, was posted to the redhat.rpm.general by Dan Anderson, who has filed a bug report about the inaccuracies he sees in Red Hat's 6.x Documentation for RPM 2.0. While we're waiting for a bug fix from Red Hat, he thought he'd pass on his hard-earned knowledge.

However, the message contained a few typos, so I'm posting a slightly-corrected version below.
- Dan

[ladybug]From: Dan Anderson
Subject: Signing RPMS HOWTO (Undocumented RPM Secrets)
Date: Wed, 23 Jun 1999 06:25:44 +0000

RedHat's 6.x Documentation for RPM 2.0 is not only incomplete--it's inaccurate.

I filed this as bug # 3638 with RedHat's Bugzilla But I thought while we're waiting a few years for it to be corrected, I'll summarize below.
- Dan

Basically, almost everything that used to be in /etc/rpmrc (except include, macrofiles, optflags, & provides) now goes in file /etc/rpm/macros. This is documented NOWHERE but in the source code!!!

Also, if you use rpm --sign, it is now BROKEN. To fix it (also UNDOCUMENTED), add this undocumented statement to file /etc/rpm/macros:

%_pgpbin /usr/local/bin/pgp
(or whereever your pgp is located).

If you are using PGP 2.6.x, you must have another file in the same directory named "pgp26" or "pgp50" depending on whether you are using PGP 2.6.x or PGP 5.x (another undocumented secret). That is either:
ln -s /usr/local/bin/pgp /usr/local/bin/pgp26
ln -s /usr/local/bin/pgp /usr/local/bin/pgp50

If you're confused about PGP versions, I recommend using PGP 2.6.x over PGP 5 since the former is more popular and many pgp programs don't understand the newer format.

Next, you need your .pgp directory set up and have the directory and files owned by root or whatever user ID you set up the RPMs with. Here's my /etc/rpmrc:

optflags: i386 -O2 -m486 -fno-strength-reduce
optflags: alpha -O2
optflags: sparc -O2
Here's my /etc/rpm/macros:
%_signature pgp
%_pgp_path ~/.pgp
%_pgpbin /usr/local/bin/pgp
%_pgp_name "Dan Anderson <>"
%vendor: Dan E. Anderson
%packager: Dan E. Anderson <>
%distribution: Dan E. Anderson
Here's my ~/.pgp directory (sorry, no content--some files are intentionally secret!):
[.pgp]# ls -la
total 22
drwx------   2 root     root         1024 Jun 22 20:06 ./
drwxr-x---  27 root     root         2048 Jun 22 23:16 ../
-rw-------   1 root     root         4002 Jun 22 09:22 config.txt
-rw-------   1 root     root          582 Jun 22 12:57 dan.asc
-r--------   1 root     root         5802 Sep  2  1994 keys.asc
-rw-r--r--   1 root     root           77 Dec 22  1998 pgp.cfg
-rw-------   1 root     root         4833 Jun 22 12:52 pubring.pgp
-rw-------   1 root     root          408 Jun 22 22:26 randseed.bin
-r--------   1 root     root          668 Jun 22 12:52 secring.pgp

As a reminder, the US Government considers PGP and other strong-encryption software a "munition" and prohibits the export of PGP software to countries other than the US and Canada without an export license. Certain other governments (e.g., France?) even prohibit possession of encryption software.

If you have RedHat 6 or RPM 3 installed, a macro to convert RPM 2 file /etc/rpmrc to RPM 3 files /etc/rpmrc and /etc/rpm/macros is at /usr/lib/rpm/ Default macros are defined in files /usr/lib/rpm/rpmrc and macros.

[ladybug] RPM 3.0 Bugs

RPM 3.0 is full of bugs. I strongly advise upgrading to 3.0.2. The RedHat 6 Intel version is at Other versions for other architectures and earlier RedHat versions are also available.

[ladybug] Update: Using GPG with RPM

RPM 4 (and recent versions of RPM 3.x) has the ability to use GPG instead of PGP. GPG appears to be replacing PGP (at least in the Open Source world). Here's my /etc/rpm/macros for GPG:

%_signature gpg
%_gpg_path ~/.gnupg
%_gpg_name Dan Anderson <>
%vendor: Dan E. Anderson
%packager Dan E. Anderson
%distribution Dan E. Anderson

Note that it's not required to use %_gpgbin if gpg is located in /usr/bin/gpg Here's my ~/.gnupg directory (sorry, no content--some files are intentionally secret!):

[dan@dan .gnupg]$ ls -la
total 28
drwx------    2 dan      dan          4096 Apr  5 19:04 ./
drwxr-xr-x   36 dan      dan          4096 Apr  5 19:45 ../
-rw-r--r--    1 dan      dan          2823 Nov  8  1999 options
-rw-r--r--    1 dan      dan          1367 Apr  5 18:56 public.key.txt
-rw-r--r--    1 dan      dan           892 Apr  5 18:53 pubring.gpg
-rw-------    1 dan      dan           600 Apr  5 19:55 random_seed
-rw-------    1 dan      dan          1114 Apr  5 18:53 secring.gpg

The public.key.txt, containing my public key in ASCII form was created from the binary pubring.pgp file with:
gpg --export --armor
For other gpg options, type gpg --help or man gpg

[ladybug] Bug 3638 -- rpm --sign setup misdocumented/not documented

Here's a copy of the original bug report (bugzilla bug 3638):

Bug#: 3638 Architecture: All Version: 6.0
Product: Red Hat Linux Reporter:
Status: ASSIGNED Priority: normal
Resolution: Severity: normal Component: rpm
Assigned To: No email for Bug #3638
Summary: rpm --sign setup misdocumented/not documented
 Summary: rpm --sign setup misdocumented/not documented
 I was trying to create rpms for the rhcn Contrib|Net.
 However, lots of things are misdocumented/not documented.
 I had to add debug to the rpm source to find how to use it.
 Please correct!!!!!!!!
 1. /usr/man/man8/rpm.8 (section PGP_SIGNATURES)
 1a. The "pgp" must be on the same line as %_signature
 1b. Same with %_pgp_name
 1c. Same with %pgp_name
 1d. %_pgp_name's value is missing the initial double quote
 2. Add a line line in the man page
 %_pgpbin /usr/local/bin/pgp
 (if pgp is not in /usr/bin/pgp)
 Also another file must exist with the version appended in
 the same directory.
 E.g., /usr/local/bin/pgp26 or /usr/local/bin/pgp50
 (Ref: pgp source file lib/signature.c)
 2. File /usr/doc/rpm-3.0.1/signatures
 2a. Change references to rpmrc to
  "/etc/rpm/macros or ~/.rpmmacros"
 2b. Change "signature" to "%_signature"
 2c. Change "pgp_name" to "%_pgp_name"
 2d. Add "%_pgpbin"

------- Additional Comments From   06/23/99 -------
The RPM HOWTO (v2.0) has the same problems.
Also the RPM HOWTO should mention file
"/etc/rpm/macros or ~/.rpmmacros"

------- Additional Comments From   06/26/99 -------
In the RPM HOWTO, also remove mention of the /etc/rpmrc
vendor, packager, and distribution
 keywords.  They are now in the
/etc/rpm/macros or ~/.rpmmacros file and are renamed
%vendor, %packager, and %distribution