Home
  »    »  
Create a yum repository with custom GPG-signed RPM packages

Create a yum repository with custom GPG-signed RPM packages

Author: |
Apr
25
2013
 Posted in howto 1 Comment

If you want to distribute RPMs to multiple machines that use yum (e.g. Red Hat / CentOS, Fedora) it is easier to create your own yum repository and populate it with packages. You can include any rpm you want provided that the package license allows distribution (I initially wanted to include jre in this guide, but I wasn’t sure whether Oracle allowed its (re)distribution so I chose LibreOffice instead).

This guide shows how to create a custom yum repo on CentOS 6, but it should work fairly similar on other yum based Linux distros. As said above I only included the LibreOffice suite which consists of 51 packages, I’ll call this repo office and its root folder will be /opt/office. Most operations will be performed as linuxsysconfig which is a user account defined with sudo privileges.

 

Create the repo path

 

sudo mkdir -p -m 775 /opt/office
sudo chown -R linuxsysconfig /opt/office

 

Add packages

 

Assuming you downloaded the LibreOffice tarball in ~/Downloads:

cd ~/Downloads
tar zxvf LibreOffice_4.0.2_Linux_x86-64_rpm.tar.gz
find ./LibreOffice_4.0.2.2_Linux_x86-64_rpm/ -maxdepth 2 -name "*.rpm" -exec cp {} /opt/office \;
rm -f LibreOffice_4.0.2_Linux_x86-64_rpm.tar.gz

At this point all required RPMs are copied to the root path. Now the repository is almost ready, but first there’s one more important step:

 

GPG-sign the RPMs

 

  • create ~/.gnupg if it doesn’t exist (my CentOS 6.4 installation doesn’t automatically create this folder for all users)
[[ -d ~/.gnupg ]] || mkdir -p -m 700 ~/.gnupg

 

  • start the gpg-agent daemon which is needed by gpg2 (RHEL6 no longer supports gpg1)
gpg-agent --daemon --use-standard-socket --pinentry-program /usr/bin/pinentry-curses

Note: you can replace pinentry-curses with pinentry-gtk if you prefer GUIs but that will require pinentry-gtk to be installed.

 

  • generate a GPG key (you can use the defaults, select a name and an email address)
gpg --gen-key

 

  • [optional] confirm the GPG key was created successfully
gpg --list-keys

That should return the key details e.g.

pub   2048R/519BAE20 2013-04-25
uid                  linuxsysconfig 
sub   2048R/103A8066 2013-04-25

 

  • export the key
gpg --export -a linuxsysconfig > RPM-GPG-KEY-linuxsysconfig

 

  • copy the key to the default path
sudo cp RPM-GPG-KEY-linuxsysconfig /etc/pki/rpm-gpg/

 

  • import the key into the RPM database
sudo rpm --import RPM-GPG-KEY-linuxsysconfig

 

  • [optional] confirm the key was successfully imported
rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

This should return your key details alongside with other  keys e.g.:

gpg-pubkey-c105b9de-4e0fd3a3    gpg(CentOS-6 Key (CentOS 6 Official Signing Key) )
gpg-pubkey-00f97f56-467e318a    gpg(Remi Collet )
gpg-pubkey-0608b895-4bd22942    gpg(EPEL (6) )
gpg-pubkey-6b8d79e6-3f49313d    gpg(Dag Wieers (Dag Apt Repository v1.0) )
gpg-pubkey-41a40948-4ce19266    gpg(PUIAS Linux Distribution (RPM Integrity Signature) )
gpg-pubkey-519bae20-517946ed    gpg(linuxsysconfig )

 

Add the GPG signing details to your rpm environment

echo "%_signature gpg" > ~/.rpmmacros
echo "%_gpg_name linuxsysconfig" >> ~/.rpmmacros

 Now the user linuxsysconfig is configured to sign RPMs with the GPG key

cd /opt/office
rpm --resign *.rpm

If everything goes well (and it should) all packages will be successfully signed. You can confirm that with randomly querying the packages or do a block query to return the singature line for each:

rpm -qpi *.rpm | awk '/Signature/'

 

Finally create the repository

 

  • generate repository configuration
sudo yum install createrepo
cd /opt/office
createrepo .

 

Local repo

cat /etc/yum.repos.d/office.repo

[office]
name=Libre Office repository
baseurl=file:///opt/office/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-linuxsysconfig
enabled=1

 

FTP repo

 

  • copy /opt/office to the FTP path (e.g. /var/ftp/)
  • copy the RPM GPG key from /etc/pki/rpm-gpg/RPM-GPG-KEY-linuxsysconfig to the remote FTP path (e.g. /var/ftp/office)
  • create the repository file (e.g. office-ftp.repo)
cat /etc/yum.repos.d/office-ftp.repo

[office-ftp]
name=Libre Office FTP repository
baseurl=ftp://192.168.0.100/office/
gpgcheck=1
gpgkey=ftp://192.168.0.100/office/RPM-GPG-KEY-linuxsysconfig
enabled=1

Running sudo yum repolist should return the 2 new repositories. You can modify them at your will (to add or delete packages), but remember to re-run the createrepo command to save the changes.

Comments
  1. Posted by Sam

    I got as far as the step for verifing the signature:
    rpm -qpi *.rpm | awk ‘/Signature/’
    And got an error that suggests the signature to have made the package unrecognizable:

    [makerpm@localhost x86_64]$ rpm -qpi suri*.rpm | awk ‘/Signature/’
    error: skipping package with unverifiable V4 signature
    error: suricata-1.4.6-1.kmsearch.el6.x86_64.rpm: not an rpm package (or package manifest)

    Please advise.
    Thanks

    Reply

Add Your Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.