LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Fedora
User Name
Password
Fedora This forum is for the discussion of the Fedora Project.

Notices


Reply
  Search this Thread
Old 05-11-2007, 01:51 PM   #1
hollywoodb
Member
 
Registered: Aug 2003
Location: Minnesota, U.S.A.
Distribution: Debian, openSUSE
Posts: 400

Rep: Reputation: 30
How to GPG sign packages ?


I've a few packages I use for Fedora that aren't available from the official repos or livna, so I decided to make a public repository.

I've set up the repo, have the -release.rpm to get it set up, but I can't seem to find any information on how to gpg sign packages and enable gpg encryption via the repo file.

Is there a definitive doc or howto on this, or is it trivial enough to be explained here?

FWIW: repo @ http://rpm.offbeatlounge.com
 
Old 05-12-2007, 03:50 PM   #2
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Rep: Reputation: 55
Quote:
Originally Posted by hollywoodb
I've a few packages I use for Fedora that aren't available from the official repos or livna, so I decided to make a public repository.

I've set up the repo, have the -release.rpm to get it set up, but I can't seem to find any information on how to gpg sign packages and enable gpg encryption via the repo file.

Is there a definitive doc or howto on this, or is it trivial enough to be explained here?

FWIW: repo @ http://rpm.offbeatlounge.com
You should have an understanding of what public key crypto is and how to use the gpg command line. A couple of nice pages that everybody refers to are

http://www.mccune.cc/PGP.htm
http://www.rossde.com/PGP/

But this is a lot of reading.

It's very simple to sign anything. The steps are

1 Create your signing key(s)
2 Upload your keys to key servers and/or publish them on your web page
3 Create a detached signature for each package you want to sign and make it available for download with the package

Signing just guarantees whoever downloads the package that it's the package *you* created. It proves it didn't get changed by anybody and that it downloaded exactly correctly without errors.
I don't think you want to encrypt anything.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
sign on invisible in gaim - NOT invi after sign on saravkrish Linux - Software 7 09-12-2005 11:55 PM
squirrelmail gpg plugin - can't sign mails phil.d.g General 3 05-29-2005 01:29 PM
startx on sign-on spuppett Linux - Newbie 2 04-12-2004 02:30 PM
sign in hythemr Red Hat 1 08-31-2003 08:52 PM
$,# sign eye Linux - Software 2 05-31-2003 10:00 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Fedora

All times are GMT -5. The time now is 09:02 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration