Chapter 4. Importing Custom GPG Keys

For customers who plan to build and distribute their own RPMs securely, it's strongly recommended that all custom RPMs are signed using GNU Privacy Guard (GPG). Generating GPG keys and building GPG-signed packages are covered in the Red Hat Network Channel Management Guide.

Once the packages are signed, the public key must be deployed on every system that will install these RPMs. The task therefore has two steps: first, creating a central location from which clients can retrieve the public key, and second, adding the key to the local GPG keyring on each system.

The first step is common to all clients and may be handled using the website approach recommended for deploying RHN client applications. (Refer to Section 2.1 Deploying the Latest Red Hat Network Client RPMs.) To do this, create a public directory on the Web server and place the GPG public key in it:

cp /some/path/YOUR-RPM-GPG-KEY /var/www/html/pub/

The key can then be downloaded by client systems using Wget:

wget -O- -q http://your_proxy_or_sat.your_domain.com/pub/YOUR-RPM-GPG-KEY

The -O- option sends the downloaded key to standard output, while the -q option sets Wget to run in quiet mode; redirect that output to a file on the client, since the next step imports the key from the local filesystem. Remember to replace the YOUR-RPM-GPG-KEY placeholder with the filename of your key.

Once the key is available on the client filesystem, the next step is to import it into the local GPG keyring. The command to use depends on the version of Red Hat Enterprise Linux on the client.

For Red Hat Enterprise Linux 3 or newer, use the following command:

rpm --import /path/to/YOUR-RPM-GPG-KEY

For Red Hat Enterprise Linux 2.1, use the following command:

gpg $(up2date --gpg-flags) --import /path/to/YOUR-RPM-GPG-KEY

Once the GPG key has been successfully added to the client, the system is able to validate custom RPMs signed with the corresponding private key.
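The client-side half of this procedure, as an added example that is not part of the RHN guide: it downloads the key to a file, refuses anything that is not an ASCII-armored public key block (an error page or empty download would otherwise reach rpm --import), prints the key's fingerprint so it can be compared with the value published out of band, imports it with rpm --import (the Red Hat Enterprise Linux 3 or newer method), and finally checks a package signature. KEY_URL, KEY_FILE, EXPECTED_FPR and RUN_KEY_IMPORT are placeholder names assumed for this example, not values from the guide.

```shell
#!/bin/sh
# Added example (not from the RHN guide): fetch, sanity-check, fingerprint,
# import and verify a custom RPM GPG public key on a client.
# KEY_URL, KEY_FILE and EXPECTED_FPR are placeholders (assumptions).

KEY_URL="${KEY_URL:-http://your_proxy_or_sat.your_domain.com/pub/YOUR-RPM-GPG-KEY}"
KEY_FILE="${KEY_FILE:-/tmp/YOUR-RPM-GPG-KEY}"
EXPECTED_FPR="${EXPECTED_FPR:-}"   # 40-hex-digit fingerprint obtained out of band

# Succeeds only if the file is a non-empty ASCII-armored OpenPGP public key
# block; a 404 page, a proxy error page or an empty download fails here.
is_armored_pubkey() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$f" || return 1
    grep -q '^-----END PGP PUBLIC KEY BLOCK-----' "$f" || return 1
}

# Same download as in the guide, but saved to a file instead of stdout.
fetch_key() {
    wget -q -O "$KEY_FILE" "$KEY_URL" || return 1
    is_armored_pubkey "$KEY_FILE"
}

# Primary-key fingerprint of the downloaded key: in gpg --with-colons output
# the "fpr" record carries the fingerprint in field 10.
key_fingerprint() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# When an expected fingerprint is configured, refuse any other key.
fingerprint_matches() {
    [ -z "$EXPECTED_FPR" ] && return 0
    [ "$(key_fingerprint "$1")" = "$EXPECTED_FPR" ]
}

# Import into the RPM keyring (RHEL 3 or newer) and list the keys now present.
import_key() {
    rpm --import "$1" || return 1
    rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} %{summary}\n'
}

# Verify one package's signature; rpm -K exits non-zero on a bad or missing one.
check_package() {
    rpm -K "$1"
}

main() {
    fetch_key || { echo "download failed or file is not a public key" >&2; exit 1; }
    fingerprint_matches "$KEY_FILE" || { echo "fingerprint mismatch, not importing" >&2; exit 1; }
    import_key "$KEY_FILE"
    if [ -n "${1:-}" ]; then
        check_package "$1"
    fi
}

# Run only when invoked explicitly, e.g. RUN_KEY_IMPORT=1 ./import-key.sh pkg.rpm
if [ "${RUN_KEY_IMPORT:-}" = "1" ]; then
    main "$@"
fi
```

The fingerprint comparison is the part the guide's plain-HTTP download does not give you: the web server authenticates nothing, so the value in EXPECTED_FPR should come from the person who generated the signing key, not from the same server that serves the key file.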