Creating Signed RPMs and a Repository

Create signed RPMs and set up an RPM repository to make your RPMs available to install on Red Hat-style systems including AlmaLinux, CentOS, Fedora, Red Hat Enterprise Linux, and Rocky Linux. This guide assumes you already have a publicly-accessible web server as described in WordPress on LAMP with Session Encryption and Backup to host your repository. Unless otherwise stated, all commands should be run as the root user.

Environment

AlmaLinux 9

Conventions

Commands run as root will appear on a black background:

cd ~

Commands run as your regular user will appear on a blue background:

cd ~

Prerequisite Steps

Install required packages:

dnf -y install createrepo git gpg pinentry rpm-sign rpmdevtools rpmlint

Create a Group and Directory

This is used for staging RPMs. Substitute your username for USERNAME:

groupadd rpmbuild
mkdir /srv/rpmbuild
chgrp rpmbuild /srv/rpmbuild
setfacl -m d:g:rpmbuild:rwx,d:g::rwx,g:rpmbuild:rwx,g::rwx /srv/rpmbuild
mkdir -p /srv/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
usermod -a -G rpmbuild USERNAME

Generate RPM Signing Key

Open a new shell as your regular user so the updated group memberships and permissions will take effect, then create an RPM signing key. You will need to provide a REALNAME, EMAIL, and passphrase for the key.

gpg --homedir /srv/rpmbuild/.gnupg --gen-key

Name: REALNAME
Email: EMAIL

Export the public key, substituting the real name you used during key generation for REALNAME:

gpg --homedir /srv/rpmbuild/.gnupg --export -a 'REALNAME' > /etc/pki/rpm-gpg/RPM-GPG-KEY-REALNAME

Import the public key into the RPM database, substituting the real name you used during key generation for REALNAME:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-REALNAME

Define RPM Macros

Create an .rpmmacros file in your home directory.

vi ~/.rpmmacros

%_signature gpg
%_gpg_path /srv/rpmbuild/.gnupg
%_gpg_name REALNAME

Create an RPM

Follow this guide to create an RPM.

How to create a Linux RPM package (redhat.com)

Sign an RPM

Sign the RPM:

rpm --addsign /srv/rpmbuild/RPMS/noarch/hello-0.0.1-3.el9.rpm

Create a Repository

Use these steps to create a repository directory structure, copy in the new created and signed RPM, and build the repository metadata. Each time you add a new RPM to the repository, you should repeat the createrepo command to refresh the metadata.

mkdir -p /var/www/html/repositories.onezeroone.dev/el/10/{noarch,x86_64,aarch64}
cp /srv/rpmbuild/RPMS/noarch/hello-0.0.1-3.el9.rpm /var/www/html/repositories.onezeroone.dev/el/10/noarch/
createrepo /var/www/html/repositories.onezeroone.dev/el/9/noarch

Relevant Links

• How to create a Linux RPM package | Enable Sysadmin (redhat.com)
• How to sign rpms with GPG – Red Hat Customer Portal
• How to create a custom rpm repository on Linux – Linux Tutorials – Learn Linux Configuration