11.4.2. Configuring a signature
To configure a signature, you first need to create a new key with the gpg command, using the --gen-key option, as shown following:
$ gpg --gen-key
gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: Warning: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: keyring `/home2/ericfj/.gnupg/secring.gpg' created
gpg: keyring `/home2/ericfj/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024)
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Eric Foster-Johnson
Email address: please_no_spam@nospam.com
Comment: Example for Red Hat RPM Guide
You selected this USER-ID:
"Eric Foster-Johnson (Example for Red Hat RPM Guide) <erc@no_spam.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
O
You need a Passphrase to protect your secret key.
Enter passphrase:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++..+++++..++++++++++>++++++++++........+++++
gpg: /home2/ericfj/.gnupg/trustdb.gpg: trustdb created
public and secret key created and signed.
key marked as ultimately trusted.
pub 1024D/01681C24 2002-11-05 Eric Foster-Johnson (Example for Red Hat RPM
Guide) <please_no_spam@nospam.com>
Key fingerprint = 8C14 A2E9 47D1 301B 2153 7CDF BEE5 9C10 0268 1D24
sub 1024g/1A15D6C8 2002-11-05
You can choose the default options for most choices. You need to enter a real name, an e-mail address, and a pass phrase. Remember the pass phrase. You will need to enter the pass phrase every time you wish to sign a package.
Once you have a key, the next step is to set up some RPM macros. There are a number of places you can do this, but using the .rpmmacros file in your home directory is one of the easiest. Edit this file as shown in the following example:
%_signature gpg
%_gpg_path /home2/ericfj/.gnupg
%_gpg_name EricFJ (Eric Key) <erc@no_spam.com>
%_gpgbin /usr/bin/gpg
Add lines like these to the $HOME/.rpmmacros file. (Create this file if it does not exist.)
Cross Reference
Inside the file, change the %gpg_path macro to the .gnupg directory under your home directory (or the root user’s home directory). Change the %_gpg_name macro to the name you have entered into the gpg program.
