Signing RPM packages

Stuart D. Gathman stuart at bmsi.com
Sat Mar 19 01:08:35 UTC 2011


On Fri, 18 Mar 2011, Keith Roberts wrote:

>> 	http://www.gnupg.org/documentation/guides.en.html
>> 
>> The more people you can get to sign your public key (building the web of
>> trust), the better.  Read up on key-signing parties.
>
> Thanks Tim.
>
> I've created a file with my public key in, and have re-signed the packages I 
> have already built. So I just need to check all this works by installing one 
> of my built packages.

I highly recommend also making a "release" package (e.g. kroberts-release)
that installs kroberts.repo in /etc/yum.repos.d and your key file
in /etc/pki/rpm-gpg.  This can then be updated to add a signing key
or another repo (e.g. kroberts-testing).

--
 	      Stuart D. Gathman <stuart at bmsi.com>
     Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
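
Added example, not part of the original message: a minimal spec file for the kind of "release" package suggested above, with the matching .repo contents shown in comments. The key file name RPM-GPG-KEY-kroberts, the baseurl, and the Version, License and Group values are assumptions.

```spec
# Added example. Expected contents of kroberts.repo (baseurl is a placeholder):
#   [kroberts]
#   name=kroberts packages
#   baseurl=http://repo.example.com/kroberts/
#   enabled=1
#   gpgcheck=1
#   gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kroberts
# gpgcheck=1 makes yum refuse packages not signed by a key it has imported;
# gpgkey points at the key file this package installs.

Name:           kroberts-release
Version:        1
Release:        1
Summary:        Repository definition and signing key for the kroberts repo
Group:          System Environment/Base
License:        GPLv2
BuildArch:      noarch
# Source0 is the repo definition, Source1 the ASCII-armored public key
Source0:        kroberts.repo
Source1:        RPM-GPG-KEY-kroberts

%description
Installs the yum repository definition and the public key used to
verify signed packages from the kroberts repository.

%prep
# Nothing to unpack: both sources are plain files.

%build
# Nothing to build.

%install
rm -rf %{buildroot}
install -D -m 0644 %{SOURCE0} %{buildroot}%{_sysconfdir}/yum.repos.d/kroberts.repo
install -D -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-kroberts

%files
%defattr(-,root,root,-)
# noreplace keeps a local edit such as enabled=0 when this package is upgraded
%config(noreplace) %{_sysconfdir}/yum.repos.d/kroberts.repo
%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-kroberts

%changelog
* Sat Mar 19 2011 Packager Name <packager@example.com> - 1-1
- Initial release package (constructed example entry)
```

With the package installed, yum offers to import the key the first time it installs something from the repo, or the key can be imported by hand with rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-kroberts.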

