3.2. Digital Signatures for RHN Packages

All RPM packages distributed through RHN should have a digital signature. A digital signature is created with a unique private key and can be verified with the corresponding public key. After creating a package, the SRPM (Source RPM) and the RPM can be digitally signed with a GnuPG key. Before the package is installed, the public key can be used to verify the package was signed by a trusted party and the package has not changed since it was signed.

3.2.1. Generating a GnuPG Keypair

A GnuPG keypair consists of the private and public keys. To generate a keypair, as root at a shell prompt, type the following command:

gpg --gen-key

If you execute this command as a non-root user, you will see the following message:

gpg: Warning: using insecure memory!

This message appears because non-root users cannot lock memory pages. If such users could lock memory pages, they could perform out-of-memory denial of service attacks. Since you do not want anyone else to have your private GnuPG key or your passphrase, you should generate the keypair as root. The root user can lock memory pages, which means the key and passphrase are never written to disk.

After executing the command to generate a keypair, you will see an introductory screen containing key options similar to the following:

gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) ElGamal (sign and encrypt)
   (5) RSA (sign only)
Your selection?

Accept the default option: (1) DSA and ElGamal. This option creates two keys, a DSA key for creating digital signatures and an ElGamal key for encrypting and decrypting. Type 1 and then press [Enter].

Next, choose the key size, that is, how long the key should be. The longer the key, the more resistant against attacks your messages will be. Creating a key of at least 1024 bits is therefore recommended.

The next option asks you to specify how long you want your key to be valid. If you do choose an expiration date, remember that anyone with whom you exchanged your public key will also have to be informed of its expiration and supplied with a new public key. It is recommended that you select no expiration date. If you do not choose an expiration date, you will be asked to confirm your decision:

Key does not expire at all
Is this correct (y/n)?

Press [y] to confirm your decision.

Your next task is to provide a User ID containing your name, your email address, and an optional comment. Each will be requested individually. When you are finished, you will be presented with a summary of the information you entered.

Once you accept your choices, you will have to enter a passphrase.


As with your account passwords, a good passphrase is essential for optimal security in GnuPG. Mix uppercase and lowercase letters in your passphrase, use numbers, and/or include punctuation marks.

Once you enter and verify your passphrase, your keys will be generated. You will see a message similar to the following:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

When the activity on the screen ceases, your new keys have been created and placed in the directory .gnupg in root's home directory (since you are running the command as root). To list your keys, still as root, use the command:

gpg --list-keys

You will see something similar to the following:

pub  1024D/B7085C8A 2002-02-18 Your Name <[email protected]>
sub  1024g/E12AF9C4 2002-02-18

To retrieve your public key, use the following command:

gpg --export -a 'Your Name' > public_key.txt 

Your public key will be written to the file public_key.txt.

This public key is quite important. It's the key that must be deployed to all client systems that will receive custom software through up2date. Techniques for deploying this key across an organization are covered in the Red Hat Network Client Configuration Guide.

3.2.2. Signing Packages

Before you can sign packages, you need to configure your ~/.rpmmacros file to include the following:

%_signature gpg
%_gpg_name AB6E2B72

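The _gpg_name value is the key ID, which tells RPM which key in your GPG keyring to sign with. The value shown above is a sample; substitute the ID of your own signing key. The key ID is the eight hexadecimal characters after the slash on the pub line (B7085C8A in the listing shown in the previous section) in the output of the command: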

gpg --list-keys 

To sign the package package-name-1.0-1.noarch.rpm, use the following command:

rpm --resign package-name-1.0-1.noarch.rpm 

Enter your passphrase when prompted. To make sure the package is signed, use the following command:

rpm --checksig -v package-name-1.0-1.noarch.rpm 

You should see the phrase Good signature from "Your Name" in the output.
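
The key ID requirement described above can be checked before signing. The following shell script is an added example, not part of the original guide or of Red Hat's tooling: it confirms that %_signature is gpg and that %_gpg_name matches a pub key in the keyring listing. It assumes the GnuPG 1.0.x listing layout shown on this page; the function names and the sample email address are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.
# Assumes the GnuPG 1.0.x "gpg --list-keys" layout shown on this page
# (pub  1024D/B7085C8A ...); newer GnuPG releases print a different layout.

# Print the key ID of every primary ("pub") key in a listing read from stdin.
pub_key_ids() {
    awk '$1 == "pub" { if (split($2, f, "/") == 2) print toupper(f[2]) }'
}

# Print the value of one macro (e.g. _gpg_name) from rpmmacros text on stdin.
macro_value() {
    awk -v m="%$1" '$1 == m { print $2; exit }'
}

# check_signing_config MACROS_TEXT LISTING_TEXT
# Returns 0 if %_signature is gpg and %_gpg_name is a pub key ID in the listing,
# 1 if %_signature is wrong, 2 if %_gpg_name is unset, 3 if the key is missing.
check_signing_config() {
    sig=$(printf '%s\n' "$1" | macro_value _signature)
    name=$(printf '%s\n' "$1" | macro_value _gpg_name | tr 'a-f' 'A-F')
    [ "$sig" = "gpg" ] || { echo "%_signature is not gpg" >&2; return 1; }
    [ -n "$name" ] || { echo "%_gpg_name is not set" >&2; return 2; }
    if printf '%s\n' "$2" | pub_key_ids | grep -qxF "$name"; then
        return 0
    fi
    echo "%_gpg_name $name is not a pub key in the keyring" >&2
    return 3
}

# Constructed sample input built from the values printed on this page
# (the email address is a placeholder).
SAMPLE_LISTING='pub  1024D/B7085C8A 2002-02-18 Your Name <you@example.com>
sub  1024g/E12AF9C4 2002-02-18'
SAMPLE_MACROS='%_signature gpg
%_gpg_name AB6E2B72'

# The sample macro names AB6E2B72 but the sample keyring holds B7085C8A,
# so the check reports the mismatch before any package is signed.
check_signing_config "$SAMPLE_MACROS" "$SAMPLE_LISTING" ||
    echo "fix ~/.rpmmacros before running rpm --resign"
```

On a live system, pass "$(cat ~/.rpmmacros)" and "$(gpg --list-keys)" as the two arguments to check_signing_config.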