rpmsign(8) — Linux manual page

RPMSIGN(8)                                                     RPMSIGN(8)

NAME         top

       rpmsign - RPM Package Signing

SYNOPSIS         top

   SIGNING PACKAGES:
       rpmsign --addsign|--resign [rpmsign-options] PACKAGE_FILE ...

       rpmsign --delsign PACKAGE_FILE ...

       rpmsign --delfilesign PACKAGE_FILE ...

   rpmsign-options
       [--rpmv3] [--rpmv4] [--fskpath KEY] [--signfiles]

DESCRIPTION         top

       rpmsign --addsign generates and inserts a new OpenPGP signature
       for each PACKAGE_FILE given unless a signature with identical
       parameters already exists, in which case no action is taken.
       Arbitrary number of V6 signatures can be added.

       rpmsign --resign generates and inserts a new OpenPGP signature for
       each PACKAGE_FILE, replacing any and all previous signatures.

       To create a signature rpmsign needs to verify the package's
       checksum.  As a result V4 packages with MD5/SHA1 checksums cannot
       be signed in FIPS mode.

       rpmsign --delsign PACKAGE_FILE ...

       Delete all OpenPGP signatures from each package PACKAGE_FILE
       given.

       rpmsign --delfilesign PACKAGE_FILE ...

       Delete all IMA and fsverity file signatures from each package
       PACKAGE_FILE given.

   SIGN OPTIONS
       --rpmv3
              Request RPM V3 header+payload signature addition on V4
              packages.  These signatures are expensive and redundant
              baggage on packages where a separate payload digest exists
              (packages built with rpm >= 4.14).  Rpmsign will
              automatically detect the need for V3 signatures, but this
              option can be used to request their creation if the
              packages must be fully signature verifiable with rpm < 4.14
              or other interoperability reasons.

              Has no effect when signing V6 packages.

       --rpmv4
              Request RPM V4 header signature addition on V6 packages.
              Useful for making V6 packages signature verifiable with rpm
              4.x versions.

              V4 compatibility signatures are only ever added if the
              signing algorithm is one of those known to V4: RSA, EcDSA,
              EdDSA (and original DSA).  Only one V4 signature can be
              present in a package, so this is added only on the first
              --addsign with a V4 compatible algorithm, and ignored
              otherwise.

              Has no effect when signing V4 packages.

       --rpmv6
              Request RPM V6 header signature addition on V4 packages.

              This generally always succeeds as there can be arbitrary
              number of V6 signatures on a package.  A V3/V4
              compatibility signatures are added usign the same logic as
              --rpmv4 on a V6 package.

              Has no effect when signing V6 packages.

       --fskpath KEY
              Used with --signfiles, use file signing key KEY.

       --certpath CERT
              Used with --signverity, use file signing certificate CERT.

       --verityalgo ALG
              Used with --signverity, to specify the signing algorithm.
              sha256 and sha512 are supported, with sha256 being the
              default if this argument is not specified.  This can also
              be specified with the macro %_verity_algorithm.

       --signfiles
              Sign package files.  The macro
              %_binary_filedigest_algorithm must be set to a supported
              algorithm before building the package.  The supported
              algorithms are SHA1, SHA256, SHA384, and SHA512, which are
              represented as 2, 8, 9, and 10 respectively.  The file
              signing key (RSA private key) must be set before signing
              the package, it can be configured on the command line with
              --fskpath or the macro %_file_signing_key.

       --signverity
              Sign package files with fsverity signatures.  The file
              signing key (RSA private key) and the signing certificate
              must be set before signing the package.  The key can be
              configured on the command line with --fskpath or the macro
              %_file_signing_key, and the cert can be configured on the
              command line with --certpath or the macro
              %_file_signing_cert.

   CONFIGURING SIGNING KEYS
       In order to sign packages, you need to create your own OpenPGP key
       pair (aka certificate) and configure rpm(8) to use it.  The
       following macros are available:

       %_openpgp_sign_id
              The fingerprint or keyid of the signing key to use.
              Typically this is the only configuration needed.  If
              omitted, –key-id must be explicitly specified when signing.

       %_openpgp_sign
              The OpenPGP implementation to use for signing.  Supported
              values are "gpg" for GnuPG (default and traditional) and
              "sq" for Sequoia PGP.

       Implementation specific macros:

       %_gpg_path
              The location of your GnuPG keyring if not the default
              $GNUPGHOME.

       %_gpg_name
              Legacy macro for configuring user id with GnuPG.  Use the
              implementation independent and non-ambiguous
              %_openpgp_sign_id instead.

       %_sq_path
              The location of your Sequoia configuration if not the
              default.

       For example, to configure rpm to sign with Sequoia PGP using a key
       with fingerprint of 7B36C3EE0CCE86EDBC3EFF2685B274E29F798E08 you
       would include

       %_openpgp_sign sq %_openpgp_signer
       7B36C3EE0CCE86EDBC3EFF2685B274E29F798E08

       in a macro configuration file, typically ~/.config/rpm/macros.
       See Macro Configuration in rpm(8) for more details.

SEE ALSO         top

       popt(3), rpm(8), rpmdb(8), rpmkeys(8), rpm2cpio(8), rpmbuild(8),
       rpmspec(8)

       rpmsign --help - as rpm supports customizing the options via popt
       aliases it's impossible to guarantee that what's described in the
       manual matches what's available.

       http://www.rpm.org/ <URL:http://www.rpm.org/>

AUTHORS         top

              Marc Ewing <marc@redhat.com>
              Jeff Johnson <jbj@redhat.com>
              Erik Troan <ewt@redhat.com>
              Panu Matilainen <pmatilai@redhat.com>
              Fionnuala Gunter <fin@linux.vnet.ibm.com>
              Jes Sorensen <jsorensen@fb.com>

COLOPHON         top

       This page is part of the rpm (RPM Package Manager) project.
       Information about the project can be found at 
       ⟨https://github.com/rpm-software-management/rpm⟩.  It is not known
       how to report bugs for this man page; if you know, please send a
       mail to man-pages@man7.org.  This page was obtained from the
       project's upstream Git repository
       ⟨https://github.com/rpm-software-management/rpm.git⟩ on
       2025-02-02.  (At that time, the date of the most recent commit
       that was found in the repository was 2025-01-31.)  If you discover
       any rendering problems in this HTML version of the page, or you
       believe there is a better or more up-to-date source for the page,
       or you have corrections or improvements to the information in this
       COLOPHON (which is not part of the original manual page), send a
       mail to man-pages@man7.org

                               Red Hat, Inc                    RPMSIGN(8)

Pages that refer to this page: rpm(8),  rpmbuild(8),  rpmdb(8),  rpmkeys(8),  rpm-plugin-ima(8),  rpmspec(8)

HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH.