rpm, signed

Creating a Signed RPM repo

When using Puppet for Infrastructure automation, it can be usefull to have your own RPM repository. In this repository you can put your own created RPMS. Or you can used it as a RPM repository that you get from companies. In these blog I will tell you about creating a signed RPM repository.

First create an encryption key.

# gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation,    Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
     0 = key does not expire
  <n>  = key expires in n days
  <n>w = key expires in n weeks
  <n>m = key expires in n months
  <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: blablabla
Email address: blabla@bla.com
Comment: Public key for blablabla
You selected this USER-ID:
    "blablabla (Public key for blablabla) 
<blabla@bla.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

Check the gpg key list.

# gpg --list-keys
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/B794F9D0 2017-01-09
uid                  blablabla (Public key for blablabla)     <blabla@bla.com>
sub   2048R/E241B4AB 2017-01-09

Export this key

# gpg --export -a 'blablabla' > /etc/pki/rpm-gpg/RPM-GPG-KEY-blablabla
# chmod go+r /etc/pki/rpm-gpg/RPM-GPG-KEY-blablabla

Add the following in in your repo:

vi /etc/yum.repos.d/myrepo.repo
[myrepo]
name = This is my repo
baseurl = file:///srv/my/repo/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-blablabla

Import the created key in your rpm database.

# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-blablabla

Check if it exist:

# rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'

gpg-pubkey-b794f9d0-5873d223 --> gpg(blablabla (Public key for blablabla) <blabla@bla.com>)

At last sign your custom RPM package.

You can sign each RPM file individually:

rpm --addsign git-1.7.7.3-1.el6.x86_64.rpm 

Or you can cd /srv/my/repo/ into your RPMS folder and sign them all:

# rpm --addsign *.rpm
Enter pass phrase:
Pass phrase is good.
bbc-1.9e-1.el6.x86_64.rpm:
elasticsearch-2.3.5.rpm:
kibana-4.5.4-1.x86_64.rpm:
logstash-2.3.4-1.noarch.rpm:

To create the repo:

# createrepo /srv/my/repo/
Spawning worker 0 with 15 pkgs
Workers Finished
Gathering worker results
Saving Primary metadata
Saving file lists metadata
Saving other metadata
Generating sqlite DBs
Sqlite DBs complete

Check if you can install a package:

yum install kibana

Delete gpg key:

gpg --delete-key blablabla
gpg --delete-secret-keys blablabla