1/*! \page signatures Signature header 2 3The 2.1 release of RPM had a few improvements in the area of 4digital package signatures. The usage of PGP has been cleaned 5up and extended, the signature section in the RPM file format 6has been made easily extensible with new signature types, and 7packages can have multiple signatures. 8 9\section signatures_pgp PGP 10 11Legacy usage of PGP in rpm-2.0 was cumbersome, and only supported 121024 bit keys. Both of these problems have been corrected in rpm-2.1. 13 14Whereas previously you needed many rpmrc entries to clue in 15RPM about keyring locations and such, RPM now behaves as PGP 16users would expect. The PGPPATH environment variable can be 17used to specify keyring locations. You can also use a 18"%_pgpbin" line in your macros file to specify a different value 19for RPM to use for PGPPATH. If neither of these are used PGP 20uses its default ($HOME/.pgp). 21 22If you just want to verify packages, you need to supply values 23for the macros 24\verbatim 25 %_pgpbin the path to the pgp executable 26 %_signature the type of signature to use 27\endverbatim 28 29In order to be able to sign packages, you may also have to 30supply values for 31\verbatim 32 %_pgp_name the pgp signature to use for signing 33 %_pgp_path the path to the key ring 34\endverbatim 35 36\section signatures_signing Signing Packages 37 38Signature creation is the same as previous releases: just add 39a --sign to your build command line. You can sign a package 40after the package is built with: 41 42\verbatim 43 rpm --resign <package> 44\endverbatim 45 46Using --resign removes any previous signature in the package. 47To *add* a signature to a package, leaving all existing 48signatures use: 49 50\verbatim 51 rpm --addsign <package> 52\endverbatim 53 54RPM always creates MD5 and SIZE signatures when it build 55packages, which means that packages built without --sign can 56be "verified" to some extent. The MD5 signature should catch 57problems like corrupt packages, faulty downloads, etc. 58 59\section signatures_verifying Verifying Package Signatures 60 61Package signature verification is the same as previous releases: 62 63\verbatim 64 rpm -K <package> 65\endverbatim 66 67RPM will verify every signature in the package, which may include 68more than one PGP signature. The output indicates what types of 69signatures are being checked. If any checks fail you'll see a 70"NOT OK" message, and you should be worried. 71 72If you have a package with PGP signatures, but don't have PGP 73installed, but still want to verify it as much as possible, you 74can do: 75 76\verbatim 77 rpm -K --nopgp <package> 78\endverbatim 79 80That will cause RPM to skip any PGP signatures, but still check 81any others (currently only MD5 and SIZE). 82 83*/ 84