Create a yum repository with custom GPG-signed RPM packages
If you want to distribute RPMs to multiple machines that use yum (e.g. Red Hat / CentOS, Fedora) it is easier to create your own yum repository and populate it with packages. You can include any rpm you want provided that the package license allows distribution (I initially wanted to include jre in this guide, but I wasn’t sure whether Oracle allowed its (re)distribution so I chose LibreOffice instead).
This guide shows how to create a custom yum repo on CentOS 6, but it should work much the same on other yum-based Linux distros. As mentioned above, I only included the LibreOffice suite, which consists of 51 packages. I’ll call this repo office and its root folder will be /opt/office. Most operations will be performed as linuxsysconfig, a user account with sudo privileges.
Create the repo path
sudo mkdir -p -m 775 /opt/office
sudo chown -R linuxsysconfig /opt/office
Add packages
Assuming you downloaded the LibreOffice tarball in ~/Downloads:
cd ~/Downloads
tar zxvf LibreOffice_4.0.2_Linux_x86-64_rpm.tar.gz
find ./LibreOffice_4.0.2.2_Linux_x86-64_rpm/ -maxdepth 2 -name "*.rpm" -exec cp {} /opt/office \;
rm -f LibreOffice_4.0.2_Linux_x86-64_rpm.tar.gz
At this point all required RPMs are copied to the root path. Now the repository is almost ready, but first there’s one more important step:
GPG-sign the RPMs
- create ~/.gnupg if it doesn’t exist (my CentOS 6.4 installation doesn’t automatically create this folder for all users)
[[ -d ~/.gnupg ]] || mkdir -p -m 700 ~/.gnupg
- start the gpg-agent daemon which is needed by gpg2 (RHEL6 no longer supports gpg1)
gpg-agent --daemon --use-standard-socket --pinentry-program /usr/bin/pinentry-curses
Note: you can replace pinentry-curses with pinentry-gtk if you prefer GUIs but that will require pinentry-gtk to be installed.
- generate a GPG key (you can use the defaults, select a name and an email address)
gpg --gen-key
- [optional] confirm the GPG key was created successfully
gpg --list-keys
That should return the key details e.g.
pub   2048R/519BAE20 2013-04-25
uid                  linuxsysconfig
sub   2048R/103A8066 2013-04-25
- export the key
gpg --export -a linuxsysconfig > RPM-GPG-KEY-linuxsysconfig
- copy the key to the default path
sudo cp RPM-GPG-KEY-linuxsysconfig /etc/pki/rpm-gpg/
- import the key into the RPM database
sudo rpm --import RPM-GPG-KEY-linuxsysconfig
- [optional] confirm the key was successfully imported
rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
This should return your key details alongside other keys, e.g.:
gpg-pubkey-c105b9de-4e0fd3a3	gpg(CentOS-6 Key (CentOS 6 Official Signing Key))
gpg-pubkey-00f97f56-467e318a	gpg(Remi Collet )
gpg-pubkey-0608b895-4bd22942	gpg(EPEL (6) )
gpg-pubkey-6b8d79e6-3f49313d	gpg(Dag Wieers (Dag Apt Repository v1.0) )
gpg-pubkey-41a40948-4ce19266	gpg(PUIAS Linux Distribution (RPM Integrity Signature) )
gpg-pubkey-519bae20-517946ed	gpg(linuxsysconfig )
Add the GPG signing details to your rpm environment
echo "%_signature gpg" > ~/.rpmmacros
echo "%_gpg_name linuxsysconfig" >> ~/.rpmmacros
Now the user linuxsysconfig is configured to sign RPMs with the GPG key:
cd /opt/office
rpm --resign *.rpm
If everything goes well (and it should) all packages will be successfully signed. You can confirm that by querying a few packages at random, or do a block query that returns the signature line for each:
rpm -qpi *.rpm | awk '/Signature/'
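As an added offline check (not part of the original post), the following Python script reads only the RPM lead and signature header of each file and reports whether it carries an OpenPGP signature tag, so you can confirm that every package in /opt/office was actually signed before you publish the repo. The tag numbers come from rpm's rpmtag.h; the sample packages it builds for itself are constructed, not real RPMs, and nothing is cryptographically verified (that remains rpm -K's job).

```python
import struct, sys

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
# Signature-header tags that hold an OpenPGP signature (values from rpm's rpmtag.h).
GPG_SIG_TAGS = {1002: "SIGPGP", 1005: "SIGGPG", 267: "DSAHEADER", 268: "RSAHEADER"}

def rpm_signature_tags(blob):
    """Set of signature-header tags of an RPM given as raw bytes (presence only, nothing verified)."""
    if len(blob) < 112 or blob[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an rpm package (bad lead magic)")
    # Lead: magic(4) major(1) minor(1) type(2) arch(2) name(66) os(2) sigtype(2) reserved(16)
    sigtype = struct.unpack(">H", blob[78:80])[0]
    if sigtype != 5:  # 5 = header-style signature block, the only type current rpm writes
        raise ValueError("unsupported signature type %d" % sigtype)
    if blob[96:100] != HEADER_MAGIC:
        raise ValueError("missing signature header")
    nindex, hsize = struct.unpack(">II", blob[104:112])  # index entry count, data-store size
    if len(blob) < 112 + 16 * nindex + hsize:
        raise ValueError("truncated signature header")
    entries = (struct.unpack(">IIII", blob[112 + 16 * i:128 + 16 * i]) for i in range(nindex))
    return {tag for tag, _type, _offset, _count in entries}

def classify(blob):
    """'signed', 'unsigned' or 'not-rpm'; never raises, so it suits a batch report."""
    try:
        return "signed" if rpm_signature_tags(blob) & set(GPG_SIG_TAGS) else "unsigned"
    except ValueError:
        return "not-rpm"

def build_sample_rpm(signed):
    """Constructed test input: a minimal lead plus signature header, with no payload."""
    lead = RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)  # v3.0, binary pkg, i386
    lead += b"sample-1.0-1".ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16
    entries = [(1000, 4, 4), (1004, 7, 16)]  # SIZE (int32), MD5 (bin)
    if signed:
        entries += [(268, 7, 64), (1002, 7, 64)]  # RSAHEADER and SIGPGP (bin), as rpm --resign adds
    index = store = b""
    for tag, typ, size in entries:
        index += struct.pack(">IIII", tag, typ, len(store), size if typ == 7 else 1)
        store += b"\0" * size
    header = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store))
    return lead + header + index + store

if __name__ == "__main__":  # e.g. python rpmsigcheck.py /opt/office/*.rpm
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, classify(f.read()))
```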
Finally create the repository
- generate repository configuration
sudo yum install createrepo
cd /opt/office
createrepo .
Local repo
cat /etc/yum.repos.d/office.repo
[office]
name=Libre Office repository
baseurl=file:///opt/office/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-linuxsysconfig
enabled=1
FTP repo
- copy /opt/office to the FTP path (e.g. /var/ftp/)
- copy the RPM GPG key from /etc/pki/rpm-gpg/RPM-GPG-KEY-linuxsysconfig to the remote FTP path (e.g. /var/ftp/office)
- create the repository file (e.g. office-ftp.repo)
cat /etc/yum.repos.d/office-ftp.repo
[office-ftp]
name=Libre Office FTP repository
baseurl=ftp://192.168.0.100/office/
gpgcheck=1
gpgkey=ftp://192.168.0.100/office/RPM-GPG-KEY-linuxsysconfig
enabled=1
Running sudo yum repolist should return the 2 new repositories. You can modify them as you wish (to add or delete packages), but remember to re-run the createrepo command to save the changes.
I got as far as the step for verifying the signature:
rpm -qpi *.rpm | awk '/Signature/'
And got an error that suggests the signature to have made the package unrecognizable:
[makerpm@localhost x86_64]$ rpm -qpi suri*.rpm | awk '/Signature/'
error: skipping package with unverifiable V4 signature
error: suricata-1.4.6-1.kmsearch.el6.x86_64.rpm: not an rpm package (or package manifest)
Please advise.
Thanks