Signing a repository and signing its packages are independent: a signed repository does not require signed packages, and vice versa. Doing both is usually more than an internal repo needs, and signing the repository is the simpler of the two, since the index (repodata/) has to be regenerated every time a package is added anyway, so re-signing fits into the same step. What each one protects is different, though: the repository signature covers repomd.xml, which carries the checksums of the index files and through them of every package, so a client configured with repo_gpgcheck=1 detects tampering with anything the repo serves; a package signature travels inside the .rpm itself and is still checked when the file is copied out of the repo and installed directly with rpm.
  1. Create a GPG key pair and store it somewhere safe. It does not have to be permanent: since it only signs the repo index, you can generate a new key and re-sign whenever you like. The catch is that every client pins the public key (through gpgkey= in its .repo file or a key already imported with rpm --import), so changing the key means distributing the new public key to every client first.
  2. In the top level directory of the repository, run:
     createrepo --update . 
  3. Then sign the index: go to the repodata directory and run:
     gpg -a -u <user key> --detach-sign repomd.xml 
     This writes the detached signature to repomd.xml.asc next to the index. Repeat it after every createrepo run, because createrepo rewrites repomd.xml and the old signature no longer matches. Clients only check the signature if their .repo entry has repo_gpgcheck=1 and a gpgkey= line pointing at the exported public key.

If you also want to sign an RPM package, create a file in your home directory named .rpmmacros with the contents:
%_signature gpg
%_gpg_name <key name>
and then sign the package with:
rpm --addsign <package>
The package is now signed, but rpm cannot verify the signature until the public half of the signing key is in its own keyring (a GPG keyring is not consulted), so import it:
rpm --import <public key>
You can list the public keys rpm has imported with:
rpm -qa gpg-pubkey* 
or show their details (key id, owner, fingerprint) with:
 rpm -qi gpg-pubkey 
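The two procedures above, repository signing and package signing, as one script. This is an added example, not code from the original page: it creates a disposable key, rebuilds and detach-signs the index, verifies it the way a client would, signs a package using --define in place of the two .rpmmacros lines, and adds two helpers a practitioner wants, a staleness check that catches a createrepo run that was not followed by re-signing, and the client-side .repo stanza in which repo_gpgcheck=1 is what makes yum/dnf enforce the repomd.xml signature. Assumptions: the key user-id repo@example.invalid, the key file name RPM-GPG-KEY-example and the repo path are hypothetical; the signing functions need gpg, createrepo and rpm on the host (and root for rpm --import), while needs_resign and repo_stanza are pure shell and run anywhere.

```shell
#!/bin/sh
# Added example (not from the original page): repository signing plus
# package signing with a disposable key, and two pure-shell helpers
# (needs_resign, repo_stanza) that do not need gpg/createrepo/rpm.
# Hypothetical names: repo@example.invalid, RPM-GPG-KEY-example, ./repo.
set -eu

SIGNER='repo@example.invalid'   # assumed key user-id (hypothetical)

# Create a throwaway signing key in an isolated keyring ($1 = keyring dir)
# and export its public half for distribution to clients.
make_signing_key() {
    export GNUPGHOME="$1"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Repo Signer <$SIGNER>" rsa3072 sign 0
    gpg --batch --armor --export "$SIGNER" > "$GNUPGHOME/RPM-GPG-KEY-example"
}

# Rebuild the index and detach-sign repomd.xml ($1 = repo root).
# Every createrepo run rewrites repomd.xml, so the .asc must be regenerated
# in the same step or clients with repo_gpgcheck=1 will reject the repo.
sign_repo() {
    createrepo --update "$1"
    gpg --batch --yes --armor --local-user "$SIGNER" \
        --detach-sign "$1/repodata/repomd.xml"      # writes repomd.xml.asc
}

# What the client does: verify the detached signature against the index.
verify_repo() {
    gpg --batch --verify "$1/repodata/repomd.xml.asc" "$1/repodata/repomd.xml"
}

# Sign one package ($1), then import the public key ($2) so rpm can verify it.
# --define replaces the two .rpmmacros lines from the text; rpm --import
# writes to the rpm database and normally needs root.
sign_package() {
    rpm --define '_signature gpg' --define "_gpg_name $SIGNER" --addsign "$1"
    rpm --import "$2"
    rpm --checksig "$1"          # same as rpm -K; fails if the key is unknown
}

# Pure shell: exit 0 when repomd.xml has no signature or is newer than it,
# i.e. someone ran createrepo without re-signing. $1 = repo root.
needs_resign() {
    xml="$1/repodata/repomd.xml"
    asc="$xml.asc"
    [ ! -f "$asc" ] || [ "$xml" -nt "$asc" ]
}

# Pure shell: the client-side .repo stanza. gpgcheck=1 enforces package
# signatures, repo_gpgcheck=1 enforces the repomd.xml signature.
# $1 = repo id, $2 = baseurl, $3 = URL of the exported public key.
repo_stanza() {
    printf '[%s]\nname=%s\nbaseurl=%s\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=%s\n' \
        "$1" "$1" "$2" "$3"
}

# Run the full flow only when invoked as: sh sign-repo.sh --demo /path/to/repo
if [ "${1:-}" = "--demo" ]; then
    repo="${2:-./repo}"
    make_signing_key "$(mktemp -d)"
    sign_repo "$repo"
    verify_repo "$repo"
    if needs_resign "$repo"; then
        echo "repomd.xml is unsigned or newer than its signature" >&2
        exit 1
    fi
    for pkg in "$repo"/*.rpm; do
        [ -f "$pkg" ] && sign_package "$pkg" "$GNUPGHOME/RPM-GPG-KEY-example"
    done
    repo_stanza example "file://$repo" "file://$GNUPGHOME/RPM-GPG-KEY-example"
fi
```

Sourcing the file only defines the functions; the --demo path runs them in order against a repo directory and prints the stanza to drop into /etc/yum.repos.d/ on clients. needs_resign is worth wiring into whatever job publishes the repo, since a createrepo run without the gpg step is the most common way a signed repo silently breaks.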

-- DavidLeBlanc - 2019-10-04
Topic revision: r2 - 2019-10-17, DavidLeBlanc