Signing rpm packages with GPG

Users can be more confident when downloading RPM packages that are signed, since the digital signature helps authenticate the packages being provided. Signing also makes your packages more reputable. In my previous post "How to install and configure yum server for Cloudstack 4.0 on CentOS 6.4", I showed you how to deploy a yum server. Now I'll show you how to sign its packages with GPG.

On server side

1. Generate a GPG key
# gpg --gen-key

Note: it asked me to input some info. I chose the default for everything except name, email, and passphrase. My inputs were simonljb (name), myemail@gmail.com (email), and simonljb (passphrase).

2. Confirm that the GPG key was created successfully
# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/8F5BA5B1 2013-06-06
uid               simonljb <myemail@gmail.com>
sub   2048R/563294AD 2013-06-06

3. Export the key
# gpg --export -a simonljb > /var/www/html/cloudstack4.0/RPM-GPG-KEY-Cloudstack4.0

4. Add the GPG signing details to your rpm environment
# echo "%_signature gpg" > ~/.rpmmacros
# echo "%_gpg_name simonljb" >> ~/.rpmmacros

5. Sign RPMs with the GPG key
# cd /var/www/html/cloudstack4.0/
# rpm --resign *.rpm

6. Create the repository
# createrepo --database /var/www/html/cloudstack4.0/
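
A check that fits between steps 5 and 6: list every package in the repository directory that does not carry a signature from the expected key. This is an added example, not part of the original post; the function names, the script arguments and the sample lines are assumptions for illustration, and the sample signature lines are constructed (the upper eight digits of each key ID are placeholder zeros).

```shell
#!/bin/sh
# Added example, not from the original post. Lists packages that do NOT carry
# a signature from the expected key, so they can be fixed before createrepo.

# Print "file|signature info" for one package file. Four tags are queried
# because the populated one depends on key type (RSA/DSA) and rpm version.
sig_info() {
    printf '%s|' "$1"
    rpm -qp --nosignature --qf \
        '%{RSAHEADER:pgpsig} %{SIGPGP:pgpsig} %{DSAHEADER:pgpsig} %{SIGGPG:pgpsig}\n' \
        "$1" || printf '\n'
}

# Read "file|signature info" lines; print files with no "Key ID" ending in $1.
# Pass the 16-digit long ID where you can: 8-digit short IDs can collide.
not_signed_by() {
    awk -F'|' -v want="$1" '
        BEGIN { want = tolower(want) }
        {
            ok = 0
            n = split(tolower($2), w, /[ ,]+/)
            for (i = 2; i <= n; i++)
                if (w[i-1] == "id" && length(w[i]) >= length(want) &&
                    substr(w[i], length(w[i]) - length(want) + 1) == want)
                    ok = 1
            if (!ok) print $1
        }'
}

check_repo() {   # $1 = repo directory, $2 = expected key ID
    for f in "$1"/*.rpm; do
        if [ -e "$f" ]; then sig_info "$f"; fi
    done | not_signed_by "$2"
}

# Constructed sample lines in the "file|signature info" form, for an offline run.
SAMPLE='cloud-agent-4.0.rpm|RSA/SHA1, Thu 06 Jun 2013 10:00:00 AM UTC, Key ID 000000008f5ba5b1 (none) (none)
cloud-client-4.0.rpm|(none) (none) (none) (none)
zip-3.0-1.el6.x86_64.rpm|(none) RSA/SHA1, Thu 06 Jun 2013 10:00:00 AM UTC, Key ID 00000000c105b9de (none) (none)'

if [ "$#" -eq 2 ]; then          # real run: <repo dir> <key ID>
    bad=$(check_repo "$1" "$2")
    [ -z "$bad" ] || { printf 'not signed by %s:\n%s\n' "$2" "$bad" >&2; exit 1; }
else                             # offline demo on the constructed sample
    printf '%s\n' "$SAMPLE" | not_signed_by 8F5BA5B1
fi
```

Run with the repository directory and key ID as arguments (for this post, /var/www/html/cloudstack4.0 and 8F5BA5B1); a non-zero exit means at least one package would fail gpgcheck=1 on the client.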


On client side

1. Configure yum repository
# cd /etc/yum.repos.d/

Create the CloudStack.repo file and add the following:

[cloudstack]
name=cloudstack
baseurl=http://192.168.0.9/cloudstack4.0
enabled=1
gpgcheck=1
gpgkey=http://192.168.0.9/cloudstack4.0/RPM-GPG-KEY-Cloudstack4.0

Note: I assume the IP of my yum server is 192.168.0.9

# yum makecache

2. List available repositories to check that cloudstack is among them
# yum repolist

3. Install the cloud-agent package to check that it works. If it does, the output will be similar to the following:

# yum install cloud-agent

(159/159): zip-3.0-1.el6.x86_64.rpm                                                               | 260 kB   00:00
--------------------------------------------------------------------------------
Total                                                                                                    39 MB/s | 146 MB     00:03
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
Package: centos-release-6-4.el6.centos.10.x86_64 (@anaconda-CentOS-201303020151.x86_64/6.4)
From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Is this ok [y/N]: y
warning: rpmts_HdrFromFdno: Header V4 RSA/SHA1 Signature, key ID 8f5ba5b1: NOKEY
Retrieving key from http://192.168.0.9/cloudstack4.0/RPM-GPG-KEY-Cloudstack4.0
Importing GPG key 0x8F5BA5B1:
Userid: "simonljb <myemail@gmail.com>"
From  : http://192.168.0.9/cloudstack4.0/RPM-GPG-KEY-Cloudstack4.0
Is this ok [y/N]: y

Reference
http://linuxsysconfig.com/2013/04/create-a-yum-repository-with-custom-gpg-signed-packages/
