Put simply: signing a repository does not require its packages to be signed, and vice versa. Doing both seems like overkill. Signing the repository is the simpler option, since the index/contents of the repository have to be recreated anyway every time a package is added to it.
- Create a GPG key pair and store it somewhere. Where is less important, because it need not be permanent: we are only signing the RPM repo and can recreate it whenever.
- In the top level directory of the repository, run:
createrepo --update .
- Then to sign the repo, go to the repodata directory and run:
gpg -a -u <user key> --detach-sign repomd.xml
If you really want to sign an RPM package, you can do so by creating a file in your home directory named .rpmmacros, whose contents are:
%_signature gpg
%_gpg_name <key name>
and then running:
rpm --addsign <package>
The package is now signed, but rpm does not yet know the public key that signed it, so you need to import that key:
rpm --import <public key>
You can check the existence of an imported key with (the glob is quoted so the shell does not expand it):
rpm -qa 'gpg-pubkey*'
or
rpm -qi gpg-pubkey
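The following script is an added example, not part of the original note, that ties the two procedures above together and adds the part a practitioner needs to see: the verifying side. The detached signature from "gpg -a --detach-sign repomd.xml" lands in repomd.xml.asc; repomd.xml itself carries the SHA-256 of every other metadata file, and primary.xml carries the SHA-256 of every package, so one signature on repomd.xml covers the whole repository only when clients actually verify it (yum/dnf do this only with repo_gpgcheck=1) and actually check the checksum chain. check_repomd_checksums does the first link of that chain with nothing but awk and sha256sum; sign_repo, verify_repo, sign_package and verify_package wrap the createrepo, gpg and rpm commands from the note. The repository path, key id and baseurl are caller-supplied placeholders; createrepo, gpg and rpm are assumed to be on PATH only for the functions that call them.

```shell
#!/bin/sh
# Added example (not from the original note): sign an RPM repository, verify it
# the way a client would, and show the package-level counterpart.
# Assumptions: createrepo, gpg and rpm are on PATH for sign/verify functions;
# check_repomd_checksums needs only awk and sha256sum (or shasum on BSD/macOS).
# Repo root, key id and baseurl are placeholders supplied by the caller.

# Portable SHA-256 of one file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Repository side, as in the note: rebuild metadata, then detach-sign repomd.xml.
# gpg writes the signature next to it as repomd.xml.asc.
sign_repo() {
    repo_root=$1; key_id=$2
    createrepo --update "$repo_root"
    ( cd "$repo_root/repodata" && rm -f repomd.xml.asc \
        && gpg -a -u "$key_id" --detach-sign repomd.xml )
}

# First link of the trust chain: every <data> entry in repomd.xml names a file
# (location href) and its SHA-256 (checksum). <open-checksum> is skipped on
# purpose: it describes the uncompressed content, not the file on disk.
check_repomd_checksums() {
    repo_root=$1
    repomd="$repo_root/repodata/repomd.xml"
    [ -f "$repomd" ] || { echo "missing $repomd" >&2; return 1; }
    entries=$(awk '
        /<data type=/ { href=""; sum="" }
        /<checksum type="sha256">/ {
            sub(/.*<checksum type="sha256">/, ""); sub(/<\/checksum>.*/, ""); sum=$0 }
        /<location href=/ {
            sub(/.*<location href="/, ""); sub(/".*/, ""); href=$0 }
        /<\/data>/ { if (href != "" && sum != "") print href, sum }
    ' "$repomd")
    [ -n "$entries" ] || { echo "no checksummed entries in $repomd" >&2; return 1; }
    # The loop runs in a subshell, so a mismatch exits it with 1 and that
    # becomes the function's return value.
    printf '%s\n' "$entries" | while read -r href expected; do
        file="$repo_root/$href"
        [ -f "$file" ] || { echo "missing $href" >&2; exit 1; }
        actual=$(sha256_of "$file")
        if [ "$actual" != "$expected" ]; then
            echo "checksum mismatch: $href" >&2
            exit 1
        fi
        echo "ok: $href"
    done
}

# Client side: check the signature, then the checksums the signature covers.
verify_repo() {
    repo_root=$1
    ( cd "$repo_root/repodata" && gpg --verify repomd.xml.asc repomd.xml ) || return 1
    check_repomd_checksums "$repo_root"
}

# Client configuration. Without repo_gpgcheck=1 yum/dnf never look at
# repomd.xml.asc, so the signature made above protects nobody. gpgcheck=1
# additionally requires every package to be signed by a key listed in gpgkey,
# so it stays 0 unless the packages themselves are signed.
print_client_repo_config() {
    baseurl=$1; gpgcheck=${2:-0}; gpgkey=${3:-file:///etc/pki/rpm-gpg/RPM-GPG-KEY-internal}
    cat <<EOF
[internal]
name=Internal repository
baseurl=$baseurl
enabled=1
repo_gpgcheck=1
gpgcheck=$gpgcheck
gpgkey=$gpgkey
EOF
}

# Package side, as in the note: .rpmmacros (overwritten here) tells rpm which
# key to use; --checksig verifies once the public key has been rpm --import'ed.
sign_package() {
    key_id=$1; pkg=$2
    printf '%%_signature gpg\n%%_gpg_name %s\n' "$key_id" > "$HOME/.rpmmacros"
    rpm --addsign "$pkg"
}

verify_package() {
    rpm --checksig "$1"
}

case "${1:-}" in
    sign)   sign_repo "$2" "$3" ;;
    verify) verify_repo "$2" ;;
    config) print_client_repo_config "$2" "${3:-0}" "${4:-}" ;;
    *)      echo "usage: $0 sign <repo-root> <key-id> | verify <repo-root> | config <baseurl> [gpgcheck] [gpgkey]" >&2 ;;
esac
```

Run it as "sign /srv/repo <key-id>" on the repository host and "verify /srv/repo" on a client that has the public key in its keyring; "config http://repo.example/rpms" prints a .repo file for /etc/yum.repos.d/ with repo_gpgcheck turned on. The checksum function is the piece worth keeping even where gpg is not installed: a repomd.xml that is signed but whose listed checksums are never compared against the files is no better than an unsigned one.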
--
DavidLeBlanc - 2019-10-04