.\" Generated by scdoc 1.11.4
.\" Complete documentation for this program is not available as a GNU info page
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.nh
.ad l
.\" Begin generated content:
.TH "RPMSIGN" "1" "2026-01-08" "RPM 6.0.1"
.PP
.SH NAME
rpmsign - RPM Package Signing
.PP
.SH SYNOPSIS
\fBrpmsign\fR {\fB--addsign\fR|\fB--resign\fR} [options] [sign-options] \fIPACKAGE_FILE\fR .\&.\&.\&
.PP
\fBrpmsign\fR \fB--delsign\fR [options] \fIPACKAGE_FILE\fR .\&.\&.\&
.PP
\fBrpmsign\fR \fB--delfilesign\fR [options] \fIPACKAGE_FILE\fR .\&.\&.\&
.PP
.SH DESCRIPTION
\fBrpmsign\fR is used to manipulate digital OpenPGP signatures on \fBrpm\fR package files.\&
.PP
To create a signature, rpmsign needs to verify the package'\&s checksum.\&
As a result, V4 packages with MD5/SHA1 checksums cannot be signed in FIPS mode.\&
.PP
.SH OPERATIONS
\fB--addsign\fR
.RS 4
Generate and insert a new OpenPGP signature for each \fIPACKAGE_FILE\fR given unless a signature with identical parameters already exists, in which case no action is taken.\&
An arbitrary number of V6 signatures can be added.\&
.PP
.RE
\fB--resign\fR
.RS 4
Generate and insert a new OpenPGP signature for each \fIPACKAGE_FILE\fR, replacing any and all previous signatures.\&
.PP
.RE
\fB--delsign\fR
.RS 4
Delete all OpenPGP signatures from each package \fIPACKAGE_FILE\fR given.\&
.PP
.RE
\fB--delfilesign\fR
.RS 4
Delete all IMA and fsverity file signatures from each package \fIPACKAGE_FILE\fR given.\&
.PP
.RE
.SH ARGUMENTS
\fIPACKAGE_FILE\fR
.RS 4
An \fBrpm\fR package file.\&
.PP
.RE
.SH OPTIONS
See \fBrpm-common\fR(8) for the options common to all \fBrpm\fR executables.\&
.PP
.SH SIGN OPTIONS
\fB--certpath\fR \fICERT\fR
.RS 4
Used with \fB--signverity\fR, use file signing certificate \fICERT\fR.\&
.PP
.RE
\fB--fskpath\fR \fIKEY\fR
.RS 4
Used with \fB--signfiles\fR, use file signing key \fIKEY\fR.\&
.PP
.RE
\fB--key-id\fR \fIKEYID\fR
.RS 4
Use key \fIKEYID\fR for signing.\&
Overrides \fB%_openpgp_sign_id\fR configuration.\&
.PP
.RE
\fB--rpmv3\fR
.RS 4
Request RPM V3 header+payload signature addition on V4 packages.\&
These signatures are expensive and redundant baggage on packages where a separate payload digest exists (packages built with rpm >= 4.\&14).\&
Rpmsign will automatically detect the need for V3 signatures, but this option can be used to request their creation if the packages must be fully signature verifiable with rpm < 4.\&14 or for other interoperability reasons.\&
.PP
Has no effect when signing V6 packages.\&
.PP
.RE
\fB--rpmv4\fR
.RS 4
Request RPM V4 header signature addition on V6 packages.\&
Useful for making V6 packages signature verifiable with rpm 4.\&x versions.\&
.PP
V4 compatibility signatures are only ever added if the signing algorithm is one of those known to V4: RSA, EcDSA, EdDSA (and original DSA).\&
Only one V4 signature can be present in a package, so this is added only on the first \fB--addsign\fR with a V4 compatible algorithm, and ignored otherwise.\&
.PP
Has no effect when signing V4 packages.\&
.PP
.RE
\fB--rpmv6\fR
.RS 4
Request RPM V6 header signature addition on V4 packages.\&
.PP
This generally always succeeds as there can be an arbitrary number of V6 signatures on a package.\&
V3/V4 compatibility signatures are added using the same logic as \fB--rpmv4\fR on a V6 package.\&
.PP
Has no effect when signing V6 packages.\&
.PP
.RE
\fB--signfiles\fR
.RS 4
Sign package files.\&
The file signing key (RSA private key) must be set before signing the package; it can be configured on the command line with \fB--fskpath\fR or the macro %_file_signing_key.\&
.PP
.RE
\fB--signverity\fR
.RS 4
Sign package files with fsverity signatures.\&
The file signing key (RSA private key) and the signing certificate must be set before signing the package.\&
The key can be configured on the command line with \fB--fskpath\fR or the macro %_file_signing_key, and the cert can be configured on the command line with \fB--certpath\fR or the macro %_file_signing_cert.\&
.PP
.RE
\fB--verityalgo\fR \fIALG\fR
.RS 4
Used with \fB--signverity\fR, to specify the signing algorithm.\&
sha256 and sha512 are supported, with sha256 being the default if this argument is not specified.\&
This can also be specified with the macro \fB%_verity_algorithm\fR.\&
.PP
.RE
.SH CONFIGURATION
In order to sign packages, you need to create your own OpenPGP key pair (aka certificate) and configure \fBrpm\fR(8) to use it.\&
The following macros are available:
.PP
\fB%_openpgp_sign_id\fR
.RS 4
The fingerprint or keyid of the signing key to use.\&
Typically this is the only configuration needed.\&
If omitted, \fB--key-id\fR must be explicitly specified when signing.\&
.PP
.RE
\fB%_openpgp_sign\fR
.RS 4
The OpenPGP implementation to use for signing.\&
Supported values are "gpg" for GnuPG (default and traditional) and "sq" for Sequoia PGP.\&
.PP
.RE
Implementation specific macros:
.PP
\fB%_gpg_path\fR
.RS 4
The location of your GnuPG keyring if not the default \fB$GNUPGHOME\fR.\&
.PP
.RE
\fB%_gpg_name\fR
.RS 4
Legacy macro for configuring user id with GnuPG.\&
Use the implementation independent and non-ambiguous \fB%_openpgp_sign_id\fR instead.\&
.PP
.RE
\fB%_sq_path\fR
.RS 4
The location of your Sequoia configuration if not the default.\&
.PP
.RE
.SH EXAMPLES
.SS Example 1. Basic setup
Configure RPM to sign packages with Sequoia PGP and a specific key by adding the following contents to the user'\&s \fBrpm-config\fR(5) file (typically \fI\(ti/.\&config/rpm/macros\fR):
.PP
.nf
.RS 4
%_openpgp_sign sq
%_openpgp_sign_id 7B36C3EE0CCE86EDBC3EFF2685B274E29F798E08
.fi
.RE
.PP
.SS Example 2. Basic operations
\fBrpmsign --addsign hello-2.\&0-1.\&x64_rpm\fR
.RS 4
Add a signature to \fIhello-2.\&0-1.\&x64_rpm\fR package.\&
.PP
.RE
\fBrpmsign --resign --key-id 771b18d3d7baa28734333c424344591e1964c5fc hello-2.\&0-1.\&x64_rpm\fR
.RS 4
Replace all signatures in \fIhello-2.\&0-1.\&x64_rpm\fR package by a signature using key \fB771b18d3d7baa28734333c424344591e1964c5fc\fR.\&
.PP
.RE
\fBrpmsign --delsign --delfilesign hello-2.\&0-1.\&x64_rpm\fR
.RS 4
Delete all signatures from \fIhello-2.\&0-1.\&x64_rpm\fR package.\&
.PP
.RE
.SH EXIT STATUS
On success, 0 is returned, a nonzero failure code otherwise.\&
.PP
.SH SEE ALSO
\fBpopt\fR(3), \fBrpm\fR(8), \fBrpm-common\fR(8), \fBrpmkeys\fR(8), \fBrpmbuild\fR(1)
.PP
\fBrpmsign --help\fR - as rpm supports customizing the options via popt aliases it'\&s impossible to guarantee that what'\&s described in the manual matches what'\&s available.\&
.PP
\fBhttp://www.\&rpm.\&org/\fR
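.PP
A pre-signing lint for the macros described under CONFIGURATION and SIGN OPTIONS, as an added example that is not part of rpm or of this manual: it checks a macros file for values rpmsign does not support before a signing run. The function names, the one-line "%name value" parsing and the accepted key id shapes (16, 40 or 64 hex digits) are assumptions of this example.

```sh
#!/bin/sh
# Added example: lint rpmsign-related macros before signing.
# Assumes one-line "%name value" definitions; function names are hypothetical.

# Print the last value defined for macro $2 in macros file $1.
macro_value() {
    awk -v m="%$2" '$1 == m { v = $2 } END { if (v != "") print v }' "$1"
}

lint_rpm_sign_macros() {
    file=$1; rc=0
    impl=$(macro_value "$file" _openpgp_sign)
    id=$(macro_value "$file" _openpgp_sign_id)
    algo=$(macro_value "$file" _verity_algorithm)

    # Supported OpenPGP implementations: gpg (the default) and sq.
    case ${impl:-gpg} in
        gpg|sq) ;;
        *) echo "ERROR: %_openpgp_sign '$impl' is not gpg or sq"; rc=1 ;;
    esac
    # Without %_openpgp_sign_id, --key-id is needed on every signing run.
    # Accepted shapes (assumption of this lint): 16, 40 or 64 hex digits.
    if [ -z "$id" ]; then
        echo "WARN: %_openpgp_sign_id unset, pass --key-id when signing"
    elif ! echo "$id" | grep -Eqi '^([0-9a-f]{16}|[0-9a-f]{40}|[0-9a-f]{64})$'; then
        echo "ERROR: %_openpgp_sign_id '$id' is not a hex keyid or fingerprint"; rc=1
    fi
    # %_gpg_name is the legacy, ambiguous way to select the key.
    if [ -n "$(macro_value "$file" _gpg_name)" ]; then
        echo "WARN: %_gpg_name is legacy, use %_openpgp_sign_id"
    fi
    # fsverity signing supports sha256 (default) and sha512 only.
    case ${algo:-sha256} in
        sha256|sha512) ;;
        *) echo "ERROR: %_verity_algorithm '$algo' is not sha256 or sha512"; rc=1 ;;
    esac
    # --signverity needs both key and certificate; flag a cert with no key macro.
    if [ -n "$(macro_value "$file" _file_signing_cert)" ] &&
       [ -z "$(macro_value "$file" _file_signing_key)" ]; then
        echo "WARN: %_file_signing_cert set without %_file_signing_key, pass --fskpath"
    fi
    return $rc
}

# Constructed sample macros file with an unsupported implementation and digest.
sample=$(mktemp)
{ echo '%_openpgp_sign pgp'; echo '%_gpg_name Alice'; echo '%_verity_algorithm sha1'; } > "$sample"
lint_rpm_sign_macros "$sample" || echo "lint failed: fix the ERROR lines"
rm -f "$sample"
```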