Create signed RPMs and set up an RPM repository so your packages can be installed on Red Hat-style systems, including AlmaLinux, CentOS, Fedora, Red Hat Enterprise Linux, and Rocky Linux. This guide assumes you already have a publicly accessible web server to host your repository, as described in WordPress on LAMP with Session Encryption and Backup.
Environment
AlmaLinux 9
Prerequisite Steps
Install required packages:
# dnf -y install createrepo git gpg pinentry rpm-sign rpmdevtools rpmlint
Create a Group and Directory
This is used for staging RPMs. Substitute your username for USERNAME:
# groupadd rpmbuild
# mkdir /srv/rpmbuild
# chgrp rpmbuild /srv/rpmbuild
# setfacl -m d:g:rpmbuild:rwx,d:g::rwx,g:rpmbuild:rwx,g::rwx /srv/rpmbuild
# mkdir -p /srv/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
# usermod -a -G rpmbuild USERNAME
Generate RPM Signing Key
Open a new shell as your regular user so the permissions will take effect, then create an RPM signing key. You will need to provide a REALNAME, EMAIL, and passphrase for the key.
$ gpg --homedir /srv/rpmbuild/.gnupg --gen-key
Name: REALNAME
Email: EMAIL
Export the public key, substituting the real name you used during key generation for REALNAME:
$ gpg --homedir /srv/rpmbuild/.gnupg --export -a 'REALNAME' > /etc/pki/rpm-gpg/RPM-GPG-KEY-REALNAME
As root, import the public key into the RPM database, substituting the real name you used during key generation for REALNAME:
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-REALNAME
Create an RPM
Create an rpmbuild symlink in your user home directory.
$ ln -s /srv/rpmbuild ~/rpmbuild
Follow this guide to create an RPM.
How to create a Linux RPM package (redhat.com)
Sign an RPM
Create an rpmmacros file in your user home directory.
$ nano ~/.rpmmacros
%_signature gpg
%_gpg_path /srv/rpmbuild/.gnupg
%_gpg_name REALNAME
As your regular user, sign the RPM:
$ rpm --addsign /srv/rpmbuild/RPMS/noarch/hello-0.0.1-3.el9.rpm
Create a Repository
# mkdir -p /var/www/html/repositories.onezeroone.dev/el/9/{noarch,x86_64,aarch64}
# cp /srv/rpmbuild/RPMS/noarch/hello-0.0.1-3.el9.rpm /var/www/html/repositories.onezeroone.dev/el/9/noarch/
# createrepo /var/www/html/repositories.onezeroone.dev/el/9/noarch
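A pre-publish check for the signing and repository steps above, as an added example that is not part of the original guide: `rpm -K` exits successfully for a package that was never signed, so this gate reads its output and reports every package that is not verifiably signed. The function names, the `unsigned-` and `otherkey-` packages, and the sample lines are constructed; the line format is assumed to match the `rpm -K` output of the rpm version shipped with EL 9.

```shell
#!/bin/sh
# Pre-publish gate (added example, hypothetical function names).
# Reads `rpm -K` output on stdin, one package per line.

# Classify one line of `rpm -K` output.
classify_checksig() {
    case "$1" in
        *"NOT OK"*)                 echo bad ;;       # digest/signature failed or key not imported
        *": digests signatures OK") echo signed ;;    # signature verified against an imported key
        *": digests OK")            echo unsigned ;;  # intact, but no signature present
        *)                          echo unknown ;;   # unrecognised output: treat as unpublishable
    esac
}

# Print "<state> <package>" for each package that is not verifiably signed.
# Returns 1 if any such package was seen, 0 otherwise.
unpublishable() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        state=$(classify_checksig "$line")
        if [ "$state" != signed ]; then
            printf '%s %s\n' "$state" "${line%%:*}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `rpm -K` output (assumed format, not captured from a real run).
SAMPLE='noarch/hello-0.0.1-3.el9.rpm: digests signatures OK
noarch/unsigned-1.0-1.el9.rpm: digests OK
noarch/otherkey-1.0-1.el9.rpm: digests SIGNATURES NOT OK'

printf '%s\n' "$SAMPLE" | unpublishable || echo "gate: repository not updated"

# Real use on the repository host, run before createrepo:
#   rpm -K /var/www/html/repositories.onezeroone.dev/el/9/noarch/*.rpm | unpublishable \
#     && createrepo /var/www/html/repositories.onezeroone.dev/el/9/noarch
```

The check only means something on a host where the public key has been imported with `rpm --import`; without it, correctly signed packages are reported as `bad`.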
Relevant Links
- How to create a Linux RPM package | Enable Sysadmin (redhat.com)
- How to sign rpms with GPG – Red Hat Customer Portal
- How to create a custom rpm repository on Linux – Linux Tutorials – Learn Linux Configuration