Creating Signed RPMs and a Repository

Create signed RPMs and set up an RPM repository to make your RPMs available for installation on Red Hat-style systems including AlmaLinux, CentOS, Fedora, Red Hat Enterprise Linux, and Rocky Linux. This guide assumes you already have a publicly accessible web server, as described in WordPress on LAMP with Session Encryption and Backup, to host your repository. Unless otherwise stated, all commands should be run as the root user.

Environment

AlmaLinux 9

Conventions

Commands run as root will appear on a black background:

cd ~

Commands run as your regular user will appear on a grey background:

cd ~

Prerequisite Steps

Install required packages:

dnf -y install createrepo git gpg pinentry rpm-sign rpmdevtools rpmlint

Create a Group and Directory

This group and directory are used for staging RPMs. Members of the rpmbuild group can write to the tree, and the default ACL extends that to files and directories created later. Substitute your username for USERNAME:

groupadd rpmbuild
mkdir /srv/rpmbuild
chgrp rpmbuild /srv/rpmbuild
setfacl -m d:g:rpmbuild:rwx,d:g::rwx,g:rpmbuild:rwx,g::rwx /srv/rpmbuild
mkdir -p /srv/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
usermod -a -G rpmbuild USERNAME

Generate RPM Signing Key

Open a new shell as your regular user so the new group membership takes effect (logging out and back in, or newgrp rpmbuild, also works), then create an RPM signing key. You will need to provide a REALNAME, EMAIL, and passphrase for the key. The private key is stored in /srv/rpmbuild/.gnupg, which gpg creates with permissions only your user can read. Keep it out of the web server's document root, and choose a passphrase you would not mind typing for every release: anyone who obtains the private key and passphrase can sign packages that your clients will trust.

gpg --homedir /srv/rpmbuild/.gnupg --gen-key
Name: REALNAME
Email: EMAIL

Export the public key, substituting the real name you used during key generation for REALNAME. Run the export as your regular user (the key's owner) into the staging directory, since your user cannot write to /etc/pki/rpm-gpg:

gpg --homedir /srv/rpmbuild/.gnupg --export -a 'REALNAME' > /srv/rpmbuild/RPM-GPG-KEY-REALNAME

Then, as root, copy the exported key into the system key directory and import it into the RPM database. The import is what lets rpm verify the signatures you make (rpm -K on a package signed with a key that is not in the database reports SIGNATURES NOT OK):

cp /srv/rpmbuild/RPM-GPG-KEY-REALNAME /etc/pki/rpm-gpg/RPM-GPG-KEY-REALNAME
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-REALNAME

Clients need the same public key, so plan to publish this file alongside the repository and point the gpgkey= setting of their repo definition at it.

Create an RPM

Create an rpmbuild symlink in your user home directory.

ln -s /srv/rpmbuild ~/rpmbuild

Follow this guide to create an RPM.

How to create a Linux RPM package (redhat.com)

Sign an RPM

Create a .rpmmacros file in your home directory so rpm knows which keyring and key to sign with. REALNAME must select exactly one key in that keyring; if you keep several keys with similar user IDs there, use the key ID or e-mail address instead:

vi ~/.rpmmacros
%_signature gpg
%_gpg_path /srv/rpmbuild/.gnupg
%_gpg_name REALNAME

Sign the RPM. The --addsign option comes from the rpm-sign package, and the passphrase prompt is handled by pinentry. Note that rpmbuild names packages name-version-release.arch.rpm, so the noarch package built from the guide above is:

rpm --addsign /srv/rpmbuild/RPMS/noarch/hello-0.0.1-3.el9.noarch.rpm

Create a Repository

mkdir -p /var/www/html/repositories.onezeroone.dev/el/9/{noarch,x86_64,aarch64}
cp /srv/rpmbuild/RPMS/noarch/hello-0.0.1-3.el9.noarch.rpm /var/www/html/repositories.onezeroone.dev/el/9/noarch/
createrepo /var/www/html/repositories.onezeroone.dev/el/9/noarch

Run createrepo against each architecture directory you populate, and run it again every time a package is added, replaced, or removed: clients only see what the generated repodata describes. Signing the RPMs does not sign this metadata. A client with gpgcheck=1 rejects a tampered package, but it will accept a modified or stale repomd.xml unless the metadata is signed as well and the client also sets repo_gpgcheck=1.
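The whole pipeline above, collected into one script as an added example (this is not code from the original page or from rpm, gpg, or createrepo): unattended generation of a sign-only key that expires, signing of every staged RPM, a verification gate that refuses unsigned or unverifiable packages, regeneration of the repository metadata, a detached signature on repomd.xml, publication of the public key, and the matching client-side .repo file. The paths, host name, and REALNAME/EMAIL placeholders come from the guide. The function names, the onezeroone repo IDs, the https URLs, the two-year expiry, the RSA-4096 key size, and the assumption that a single account (root, the guide's default) runs every step and can read the key directory are assumptions of this example; it passes the signing macros with --define so it does not depend on the per-user .rpmmacros file. The rpm -K output strings it matches are those printed by rpm 4.14 and later, which includes the rpm shipped in AlmaLinux 9.

```shell
#!/usr/bin/env bash
# Added example for the signed-repository guide; not part of the original page.
# Generates a signing key, signs and verifies staged RPMs, publishes a repository
# with signed metadata, and renders the client .repo file.
set -eu

STAGING=/srv/rpmbuild/RPMS                               # rpmbuild output, one subdirectory per arch
WEBROOT=/var/www/html/repositories.onezeroone.dev/el/9   # document root served by the web server
GPG_HOME=/srv/rpmbuild/.gnupg                            # private key lives here, never under WEBROOT
GPG_NAME=REALNAME                                        # user ID (or key ID) of the signing key
PUBKEY=/etc/pki/rpm-gpg/RPM-GPG-KEY-REALNAME             # exported public key from the guide

# Unattended key generation: a sign-only RSA key with an expiry date, so a leaked
# key has a bounded lifetime (assumed: 4096 bits, 2 years). With no Passphrase:
# line in the batch parameters, gpg asks for one through pinentry.
generate_key() {
  gpg --homedir "$GPG_HOME" --batch --generate-key <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: $1
Name-Email: $2
Expire-Date: 2y
%commit
EOF
}

# Map one line of 'rpm -K' output to a verdict word. rpm prints
# "digests signatures OK" only for a signed package whose key is in the rpm database.
classify_sig() {
  case "$1" in
    *": digests signatures OK") echo signed ;;
    *": digests OK")            echo unsigned ;;   # digests fine, no signature present
    *)                          echo bad ;;        # "SIGNATURES NOT OK", key not imported, ...
  esac
}

# Sign every staged RPM that lacks a signature, then refuse to continue if any
# package still does not verify. Requires 'rpm --import' of the public key first.
sign_and_verify() {
  local pkg verdict rc=0
  for pkg in "$STAGING"/*/*.rpm; do
    [ -e "$pkg" ] || continue                      # glob matched nothing: nothing staged
    verdict=$(classify_sig "$(rpm -K "$pkg")")
    if [ "$verdict" = unsigned ]; then
      rpm --define "_gpg_path $GPG_HOME" --define "_gpg_name $GPG_NAME" --addsign "$pkg"
      verdict=$(classify_sig "$(rpm -K "$pkg")")
    fi
    if [ "$verdict" != signed ]; then
      echo "refusing to publish $pkg: $verdict" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Copy verified RPMs into the per-architecture directories, rebuild the metadata,
# and detach-sign repomd.xml so clients with repo_gpgcheck=1 detect tampered or
# rolled-back metadata, which per-package signatures alone cannot catch.
publish() {
  local arch
  for arch in noarch x86_64 aarch64; do
    mkdir -p "$WEBROOT/$arch"
    [ -d "$STAGING/$arch" ] && cp "$STAGING/$arch"/*.rpm "$WEBROOT/$arch/"
    createrepo --update "$WEBROOT/$arch"
    gpg --homedir "$GPG_HOME" --local-user "$GPG_NAME" --armor --yes \
        --detach-sign "$WEBROOT/$arch/repodata/repomd.xml"   # writes repomd.xml.asc
  done
  install -m 0644 "$PUBKEY" "$WEBROOT/RPM-GPG-KEY-REALNAME"   # where clients fetch the key
}

# One repo section per directory: dnf treats several baseurl values as mirrors of
# the same content, so the noarch directory needs its own section beside $basearch.
repo_section() {   # $1 = repo id, $2 = baseurl, $3 = gpgkey URL
  printf '[%s]\nname=%s\nbaseurl=%s\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=%s\n\n' \
    "$1" "$1" "$2" "$3"
}
render_repo_file() {   # $1 = URL of the .../el/9 directory, $2 = URL of the public key
  repo_section onezeroone "$1/\$basearch" "$2"
  repo_section onezeroone-noarch "$1/noarch" "$2"
}

# Usage, after rpmbuild has populated $STAGING:
#   generate_key REALNAME EMAIL                     # once, when first setting up
#   sign_and_verify && publish                      # for every release
#   render_repo_file https://repositories.onezeroone.dev/el/9 \
#     https://repositories.onezeroone.dev/el/9/RPM-GPG-KEY-REALNAME > "$WEBROOT/onezeroone.repo"
```

sign_and_verify is the gate that matters: it re-runs rpm -K after signing, so a package signed with a key that was never imported (or whose import was for a different key) is still refused rather than silently published. If you would rather not maintain two repo sections on clients, copy noarch packages into each architecture directory and drop the onezeroone-noarch section.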

Relevant Links