RH401: Upload custom RPMS to an RHN Satellite server

Edit your ~/.rpmmacros file:
%_topdir      %(echo $HOME)/rpmbuild
%_smp_mflags  -j3
%__arch_install_post   /usr/lib/rpm/check-rpaths   /usr/lib/rpm/check-buildroot
# add these lines: MNEMONIC for myself: tsgops
%_signature     gpg
%_gpg_name      rpmbuild 

Create your gpg signing key:
[rpmbuild@satellite ~]$ gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/home/rpmbuild/.gnupg' created
gpg: new configuration file `/home/rpmbuild/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/rpmbuild/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/rpmbuild/.gnupg/secring.gpg' created
gpg: keyring `/home/rpmbuild/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: rpmbuild
Email address: rpmbuild@example.com
Comment: 
You selected this USER-ID:
    "rpmbuild <rpmbuild@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

can't connect to `/home/rpmbuild/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[2964]: directory `/home/rpmbuild/.gnupg/private-keys-v1.d' created
gpg-agent[2964]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: Key generation canceled.

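Okay, we've got two issues. One is the missing "/home/rpmbuild/.gnupg/S.gpg-agent" socket, and the other is the get_passphrase failure.
The get_passphrase issue stems from how terminal sessions are created: after su, the terminal device still belongs to root, so the passphrase prompt running as rpmbuild cannot open it: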
[root@satellite ~]# ll `tty`
crw--w----. 1 root tty 136, 1 May 15 09:29 /dev/pts/1
[root@satellite ~]# su - rpmbuild
[rpmbuild@satellite ~]$ ll `tty`
crw--w----. 1 root tty 136, 1 May 15 09:29 /dev/pts/1

So this can simply be solved by logging in directly, e.g. ssh rpmbuild@localhost

The issue with the missing /home/rpmbuild/.gnupg/S.gpg-agent file can be resolved with:
[rpmbuild@satellite ~]$ gpg-agent --use-standard-socket --daemon

putting all the pieces together:
[rpmbuild@satellite ~]$ rm -rf .gnupg
[rpmbuild@satellite ~]$ ps -ef | grep gpg | grep -v grep
[rpmbuild@satellite ~]$ gpg-agent -v --use-standard-socket --daemon
gpg-agent[3823]: directory `/home/rpmbuild/.gnupg' created
gpg-agent[3823]: directory `/home/rpmbuild/.gnupg/private-keys-v1.d' created
gpg-agent[3823]: listening on socket `/home/rpmbuild/.gnupg/S.gpg-agent'
GPG_AGENT_INFO=/home/rpmbuild/.gnupg/S.gpg-agent:3824:1; export GPG_AGENT_INFO;
[rpmbuild@satellite ~]$ gpg-agent[3824]: gpg-agent (GnuPG) 2.0.14 started

[rpmbuild@satellite ~]$ gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `/home/rpmbuild/.gnupg/secring.gpg' created
gpg: keyring `/home/rpmbuild/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: rpmbuild
Email address: rpmbuild@example.com
Comment: 
You selected this USER-ID:
    "rpmbuild <rpmbuild@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg-agent[3824]: handler 0x192f720 for fd 6 started
gpg-agent[3824]: S2K calibration: 9868288 iterations for 100ms
gpg-agent[3824]: starting a new PIN Entry
gpg-agent[3824]: starting a new PIN Entry
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg-agent[3824]: handler 0x19313a0 for fd 8 started
gpg-agent[3824]: handler 0x19313a0 for fd 8 terminated
gpg: /home/rpmbuild/.gnupg/trustdb.gpg: trustdb created
gpg: key DF1FDC54 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/DF1FDC54 2012-05-15
      Key fingerprint = B017 B8A5 87EC C541 5F2A  9944 D7B1 D47B DF1F DC54
uid                  rpmbuild <rpmbuild@example.com>
sub   2048R/D0388310 2012-05-15

[rpmbuild@satellite ~]$

[rpmbuild@satellite ~]$ gpg --list-keys
/home/rpmbuild/.gnupg/pubring.gpg
---------------------------------
               +-------------------------------------> Key ID, take note
               |                                       for key verification
pub   2048R/DF1FDC54 2012-05-15
uid                  rpmbuild <rpmbuild@example.com>
sub   2048R/D0388310 2012-05-15

So much for gnupg, let's go ahead and sign our rpm package:
[rpmbuild@satellite ~]$ rpm -qpi rpmbuild/RPMS/x86_64/fping-2.4b2-1.el6.x86_64.rpm
Name        : fping                        Relocations: (not relocatable)
Version     : 2.4b2                             Vendor: (none)
Release     : 1.el6                         Build Date: Thu 10 May 2012 12:48:59 AM SGT
Install Date: (not installed)               Build Host: satellite.localdomain
Group       : Application/System            Source RPM: fping-2.4b2-1.el6.src.rpm
Size        : 36298                            License: GPL
Signature   : (none)
URL         : http://ftp.gnu.org/gnu/fping/fping-2.4b2.tar.gz
Summary     : fping compiled on the satellite server

[rpmbuild@satellite ~]$ rpm --resign rpmbuild/RPMS/x86_64/fping-2.4b2-1.el6.x86_64.rpm
Enter pass phrase: 
Pass phrase is good.
rpmbuild/RPMS/x86_64/fping-2.4b2-1.el6.x86_64.rpm:

[rpmbuild@satellite ~]$ rpm -qpi rpmbuild/RPMS/x86_64/fping-2.4b2-1.el6.x86_64.rpm
warning: rpmbuild/RPMS/x86_64/fping-2.4b2-1.el6.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID df1fdc54: NOKEY
Name        : fping                        Relocations: (not relocatable)
Version     : 2.4b2                             Vendor: (none)
Release     : 1.el6                         Build Date: Thu 10 May 2012 12:48:59 AM SGT
Install Date: (not installed)               Build Host: satellite.localdomain
Group       : Application/System            Source RPM: fping-2.4b2-1.el6.src.rpm
Size        : 36298                            License: GPL
Signature   : RSA/SHA1, Tue 15 May 2012 09:47:58 AM SGT, Key ID d7b1d47bdf1fdc54
URL         : http://ftp.gnu.org/gnu/fping/fping-2.4b2.tar.gz
Summary     : fping compiled on the satellite server

[rpmbuild@satellite ~]$ rpm -K -v rpmbuild/RPMS/x86_64/fping-2.4b2-1.el6.x86_64.rpm
rpmbuild/RPMS/x86_64/fping-2.4b2-1.el6.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID df1fdc54: NOKEY
    Header SHA1 digest: OK (403ad9c435ece72e34fc778c92607fac2e121dea)
    V4 RSA/SHA1 Signature, key ID df1fdc54: NOKEY
    MD5 digest: OK (4f5fd526622b0ee27388d7ea5357270c)

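NOKEY in the output above means the package is signed but rpm's keyring does not yet hold the matching public key. Export the gpg public key so it can be imported: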
[rpmbuild@satellite ~]$ gpg --export --armor DF1FDC54 > RPM-GPG-KEY
[rpmbuild@satellite ~]$ cat RPM-GPG-KEY 
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)
[ASCII-armored key data omitted]
-----END PGP PUBLIC KEY BLOCK-----

copy the key to the satellite webserver's pub directory:
[root@satellite ~]# cd /home/rpmbuild/
[root@satellite rpmbuild]# cp RPM-GPG-KEY /var/www/html/pub/rpmbuild-RPM-GPG-KEY

This key is now available to client systems for import, e.g.:
[root@clientmachine ~]# rpm --import http://satellite/pub/rpmbuild-RPM-GPG-KEY
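The `rpm -K -v` output shown earlier can be checked mechanically, for example before an upload or on a client after the key import. This is an added example, not part of the original post: `check_rpm_sig` is a hypothetical helper that compares the key IDs rpm reports with the fingerprint gpg printed above and separates NOKEY (signed, key not imported) from unsigned, wrong-key and bad results. The "imported" sample is constructed from the page's output.

```bash
# Added example. Classify `rpm -K -v` output (stdin) against the fingerprint
# of the key that is supposed to have signed the package ($1).
# Prints: ok | nokey | unsigned | wrong-key | bad. Returns 0 only for "ok".
check_rpm_sig() {
    local fpr line keyid sigs=0 nokey=0
    # Normalise: drop spaces, lower-case (rpm prints key IDs in lower case).
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'A-F' 'a-f')
    while IFS= read -r line; do
        case "$line" in
        *"key ID "*)
            keyid=${line##*key ID }     # "... key ID df1fdc54: NOKEY"
            keyid=${keyid%%:*}          # -> "df1fdc54"
            [ "${#keyid}" -ge 8 ] || { echo bad; return 1; }
            # A key ID is the last 8 or 16 hex digits of the fingerprint.
            case "$fpr" in *"$keyid") ;; *) echo wrong-key; return 1 ;; esac
            sigs=$((sigs + 1))
            case "$line" in
            *": OK"*)    ;;
            *": NOKEY"*) nokey=1 ;;      # signed, but key not in rpm's keyring
            *)           echo bad; return 1 ;;
            esac ;;
        *digest:*)
            case "$line" in *"digest: OK"*) ;; *) echo bad; return 1 ;; esac ;;
        esac
    done
    [ "$sigs" -gt 0 ] || { echo unsigned; return 1; }
    [ "$nokey" -eq 0 ] || { echo nokey; return 1; }
    echo ok
}

# Fingerprint as printed by gpg on this page.
FPR='B017 B8A5 87EC C541 5F2A  9944 D7B1 D47B DF1F DC54'
# `rpm -K -v` output from this page (build host, before `rpm --import`).
PAGE_SAMPLE='    Header V4 RSA/SHA1 Signature, key ID df1fdc54: NOKEY
    Header SHA1 digest: OK (403ad9c435ece72e34fc778c92607fac2e121dea)
    V4 RSA/SHA1 Signature, key ID df1fdc54: NOKEY
    MD5 digest: OK (4f5fd526622b0ee27388d7ea5357270c)'
# Constructed: the same lines as a client would see them after importing the key.
IMPORTED_SAMPLE=$(printf '%s\n' "$PAGE_SAMPLE" | sed 's/: NOKEY$/: OK/')

printf '%s\n' "$PAGE_SAMPLE"     | check_rpm_sig "$FPR" || true   # nokey
printf '%s\n' "$IMPORTED_SAMPLE" | check_rpm_sig "$FPR" || true   # ok
```

On a real system the input would come from `rpm -K -v package.rpm | check_rpm_sig "$FPR"`.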

As channel administrator, create a new software channel (you'll need the gpg Key ID, the fingerprint, and the URL of the gpg key) and upload the newly signed RPM:
[rpmbuild@satellite ~]$ rhnpush --server=http://satellite/APP \
    rpmbuild/RPMS/x86_64/fping-2.4b2-1.el6.x86_64.rpm -c sysadmin-tools
Red Hat Network username: channeladmin
Red Hat Network password: 
