[Rpm-ecosystem] [PATCH v6 11/11] Documentation for file signing

Mimi Zohar zohar at linux.vnet.ibm.com
Mon Jul 6 18:52:25 UTC 2015


From: "fin at linux.vnet.ibm.com" <fin at linux.vnet.ibm.com>

This patch adds documentation for signing files.

Changelog:
- Update RPM macro example for file signatures - Mimi
---
 doc/rpmsign.8 | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/doc/rpmsign.8 b/doc/rpmsign.8
index 53f2d70..27145ce 100644
--- a/doc/rpmsign.8
+++ b/doc/rpmsign.8
@@ -2,11 +2,17 @@
 .SH NAME
 rpmsign \- RPM Package Signing
 .SH SYNOPSIS
+.SS "SIGNING PACKAGES:"
+.PP
 
-\fBrpm\fR \fB--addsign|--resign\fR \fB\fIPACKAGE_FILE\fB\fR\fI ...\fR
+\fBrpm\fR \fB--addsign|--resign\fR [\fBrpmsign-options\fR] \fB\fIPACKAGE_FILE\fB\fR\fI ...\fR
 
 \fBrpm\fR \fB--delsign\fR \fB\fIPACKAGE_FILE\fB\fR\fI ...\fR
 
+.SS "rpmsign-options"
+.PP
+ \fB--fskpath \fIKEY\fB\fR] [\fB--signfiles\fR]
+
 .SH DESCRIPTION
 .PP
 Both of the \fB--addsign\fR and \fB--resign\fR
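Review bot: the new "rpmsign-options" synopsis line has an unbalanced bracket. It reads " \fB--fskpath \fIKEY\fB\fR] [\fB--signfiles\fR]", which renders as "--fskpath KEY] [--signfiles]"; it needs a leading "[" before \fB--fskpath. The new "SIGNING PACKAGES:" subsection heading also ends up covering the unchanged --delsign synopsis line, which does not sign anything and is not shown taking rpmsign-options, so consider a more neutral heading or a separate one for --delsign. The "rpmsign-options" heading is lowercase while the other .SS headings in this patch are uppercase.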
@@ -20,6 +26,19 @@ there is no difference in behavior currently.
 .PP
 Delete all signatures from each package \fIPACKAGE_FILE\fR given.
 
+.SS "SIGN OPTIONS"
+.PP
+.TP
+\fB--fskpath \fIKEY\fB\fR
+Used with \fB--signfiles\fR, use file signing key \fIKEY\fR.
+.TP
+\fB--signfiles\fR
+Sign package files. The macro \fB%_binary_filedigest_algorithm\fR must be set
+before building the package, and the macro must be set to a supported algorithm:
+2, 8, 9, or 10, which represent SHA1, SHA256, SHA384, and SHA512, respectively.
+The file signing key (RSA private key) can be configured on the command line
+with \fB--fskpath\fR or the macro \fB%_file_signing_key\fR.
+
 .SS "USING GPG TO SIGN PACKAGES"
 .PP
 In order to sign packages using GPG, \fBrpm\fR
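Review bot: the --signfiles entry leaves the failure and precedence cases undocumented. It says %_binary_filedigest_algorithm "must be set before building the package" to 2, 8, 9, or 10, but not what rpmsign does when the package was built with an unset or unsupported value (error out, or skip file signatures without saying so), and it does not say which wins when both --fskpath and %_file_signing_key are given. The key is described here only as "RSA private key"; the PEM requirement appears only in the macro example later in the patch and should be stated in this entry too. The --fskpath entry says "Used with --signfiles" without saying whether it is ignored or rejected when given alone. Minor: the .PP directly before the first .TP is redundant.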
@@ -52,7 +71,15 @@ using the executable \fI/usr/bin/gpg\fR you would include
 in a macro configuration file. Use \fI/etc/rpm/macros\fR
 for per-system configuration and \fI~/.rpmmacros\fR
 for per-user configuration. Typically it's sufficient to set just %_gpg_name.
-
+.PP
+In addition, for signing the file digests and installing the file signatures
+as "security.ima" extended attributes, define the following macros.
+.PP
+.nf
+%__plugindir /usr/local/lib/rpm-plugins
+%_binary_filedigest_algorithm 8
+%_file_signing_key  < private key pathname (PEM format) >
+.fi
 .SH "SEE ALSO"
 .nf
 \fBpopt\fR(3),
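Review bot: the macro example sets "%__plugindir /usr/local/lib/rpm-plugins" without explaining why it is needed or which plugin installs the "security.ima" extended attributes. A /usr/local path reads like one build's install prefix, so either drop the line or add a sentence naming the plugin and saying the path depends on where rpm was installed. Since %_file_signing_key points at a private key and the preceding context recommends /etc/rpm/macros for per-system configuration, it is worth a sentence that the key file itself should be readable only by the signing user. The hunk also removes the blank line before .SH "SEE ALSO", leaving .fi directly followed by .SH; harmless in roff, but it is inconsistent with the other section breaks in the file.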
@@ -78,4 +105,5 @@ Marc Ewing <marc at redhat.com>
 Jeff Johnson <jbj at redhat.com>
 Erik Troan <ewt at redhat.com>
 Panu Matilainen <pmatilai at redhat.com>
+Fionnuala Gunter <fin at linux.vnet.ibm.com>
 .fi
-- 
2.1.0


