.\" Automatically generated by Pandoc 3.1.11.1
.\"
.TH "RPMSIGN" "8" "Red Hat, Inc" "" ""
.SH NAME
rpmsign \- RPM Package Signing
.SH SYNOPSIS
.SS SIGNING PACKAGES:
\f[B]rpmsign\f[R] \f[B]\-\-addsign|\-\-resign\f[R]
[\f[B]rpmsign\-options\f[R]] \f[I]PACKAGE_FILE ...\f[R]
.PP
\f[B]rpmsign\f[R] \f[B]\-\-delsign\f[R] \f[I]PACKAGE_FILE ...\f[R]
.PP
\f[B]rpmsign\f[R] \f[B]\-\-delfilesign\f[R] \f[I]PACKAGE_FILE ...\f[R]
.SS rpmsign\-options
[\f[B]\-\-rpmv3\f[R]] [\f[B]\-\-fskpath\f[R] \f[I]KEY\f[R]]
[\f[B]\-\-signfiles\f[R]]
.SH DESCRIPTION
Both of the \f[B]\-\-addsign\f[R] and \f[B]\-\-resign\f[R] options
generate and insert new signatures for each package
\f[I]PACKAGE_FILE\f[R] given, replacing any existing signatures.
There are two options for historical reasons, there is no difference in
behavior currently.
.PP
To create a signature rpmsign needs to verify the package\[aq]s
checksum.
As a result packages with a MD5/SHA1 checksums cannot be signed in FIPS
mode.
.PP
\f[B]rpmsign\f[R] \f[B]\-\-delsign\f[R] \f[I]PACKAGE_FILE ...\f[R]
.PP
Delete all signatures from each package \f[I]PACKAGE_FILE\f[R] given.
.PP
\f[B]rpmsign\f[R] \f[B]\-\-delfilesign\f[R] \f[I]PACKAGE_FILE ...\f[R]
.PP
Delete all IMA and fsverity file signatures from each package
\f[I]PACKAGE_FILE\f[R] given.
.SS SIGN OPTIONS
.TP
\f[B]\-\-rpmv3\f[R]
Force RPM V3 header+payload signature addition.
These are expensive and redundant baggage on packages where a separate
payload digest exists (packages built with rpm >= 4.14).
Rpmsign will automatically detect the need for V3 signatures, but this
option can be used to force their creation if the packages must be fully
signature verifiable with rpm < 4.14 or other interoperability reasons.
.TP
\f[B]\-\-fskpath\f[R] \f[I]KEY\f[R]
Used with \f[B]\-\-signfiles\f[R], use file signing key \f[I]KEY\f[R].
.TP
\f[B]\-\-certpath\f[R] \f[I]CERT\f[R]
Used with \f[B]\-\-signverity\f[R], use file signing certificate
\f[I]CERT\f[R].
.TP
\f[B]\-\-verityalgo\f[R] \f[I]ALG\f[R]
Used with \f[B]\-\-signverity\f[R], to specify the signing algorithm.
sha256 and sha512 are supported, with sha256 being the default if this
argument is not specified.
This can also be specified with the macro \f[I]%_verity_algorithm\f[R].
.TP
\f[B]\-\-signfiles\f[R]
Sign package files.
The macro \f[B]%_binary_filedigest_algorithm\f[R] must be set to a
supported algorithm before building the package.
The supported algorithms are SHA1, SHA256, SHA384, and SHA512, which are
represented as 2, 8, 9, and 10 respectively.
The file signing key (RSA private key) must be set before signing the
package, it can be configured on the command line with
\f[B]\-\-fskpath\f[R] or the macro %_file_signing_key.
.TP
\f[B]\-\-signverity\f[R]
Sign package files with fsverity signatures.
The file signing key (RSA private key) and the signing certificate must
be set before signing the package.
The key can be configured on the command line with \f[B]\-\-fskpath\f[R]
or the macro %_file_signing_key, and the cert can be configured on the
command line with \f[B]\-\-certpath\f[R] or the macro
%_file_signing_cert.
.SS CONFIGURING SIGNING KEYS
In order to sign packages, you need to create your own public and secret
key pair (see the GnuPG manual).
In addition, \f[B]rpm\f[R](8) must be configured to find GnuPG and the
appropriate keys with the following macros:
.TP
\f[B]%_gpg_name\f[R]
The name of the \[dq]user\[dq] whose key you wish to use to sign your
packages.
Typically this is the only configuration needed.
.TP
\f[B]%_gpg_path\f[R]
The location of your GnuPG keyring if not the default
\f[B]$GNUPGHOME\f[R].
.TP
\f[B]%__gpg\f[R]
The path of the GnuPG executable.
Normally pre\-configured.
.PP
For example, to be able to use GnuPG to sign packages as the user
\f[I]\[dq]John Doe <jdoe\[at]foo.com>\[dq]\f[R] from the key rings
located in \f[I]/etc/rpm/.gpg\f[R] using the executable
\f[I]/opt/bin/gpg\f[R] you would include
.IP
.EX
%_gpg_path /etc/rpm/.gpg
%_gpg_name John Doe <jdoe\[at]foo.com>
%__gpg /opt/bin/gpg
.EE
.PP
in a macro configuration file, typically \[ti]/.config/rpm/macros.
See \f[B]Macro Configuration\f[R] in \f[B]rpm\f[R](8) for more details.
.SH SEE ALSO
\f[B]popt\f[R](3), \f[B]rpm\f[R](8), \f[B]rpmdb\f[R](8),
\f[B]rpmkeys\f[R](8), \f[B]rpm2cpio\f[R](8), \f[B]rpmbuild\f[R](8),
\f[B]rpmspec\f[R](8)
.PP
\f[B]rpmsign \-\-help\f[R] \- as rpm supports customizing the options
via popt aliases it\[aq]s impossible to guarantee that what\[aq]s
described in the manual matches what\[aq]s available.
.PP
\f[B]http://www.rpm.org/ <URL:http://www.rpm.org/>\f[R]
.SH AUTHORS
.IP
.EX
Marc Ewing <marc\[at]redhat.com>
Jeff Johnson <jbj\[at]redhat.com>
Erik Troan <ewt\[at]redhat.com>
Panu Matilainen <pmatilai\[at]redhat.com>
Fionnuala Gunter <fin\[at]linux.vnet.ibm.com>
Jes Sorensen <jsorensen\[at]fb.com>
.EE