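This article walks through the steps for signing an RPM package with a GPG key.
Step 1: Generate a GPG key
Run the following command to generate the key.
The key type and key size can be chosen as required.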
# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N)
GnuPG needs to construct a user ID to identify your key.
Real name: onitroad
Email address: onitroad1@gmail.com
Comment: Test
You selected this USER-ID:
    "onitroad (Test) <onitroad1@gmail.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway. You can change your passphrase at any time,
using this program with the option "--edit-key".
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 5CC4FA77 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/5CC4FA77 2015-05-12
      Key fingerprint = 9CDE 27AC C1DD C0F9 8377 F5A9 A605 65CD 5CC4 FA77
uid   onitroad (Test) <onitroad1@gmail.com>
sub   2048R/17D27D49 2015-05-12
2. Export the public key
Export the public key from the keyring to a text file.
# gpg --export -a '5CC4FA77' > /root/RPM-GPG-KEY-jack
3. Import the public key into the RPM database
# rpm --import /root/RPM-GPG-KEY-jack
4. Configure your rpmmacros file
Create the .rpmmacros file in the home directory (if it does not already exist) and add the following content.
# vim /root/.rpmmacros
%_gpg_path /root/.gnupg
%_gpg_name onitroad
5. Add the signature
Next, add the signature to your RPM.
# rpm --resign /tmp/rpmbuild/RPMS/x86_64/jack-1.0.0-1.x86_64.rpm
Enter pass phrase:
Pass phrase is good.
/tmp/rpmbuild/RPMS/x86_64/jack-1.0.0-1.x86_64.rpm:
Alternatively, we can run the following command.
# rpm --addsign /tmp/rpmbuild/RPMS/x86_64/jack-1.0.0-1.x86_64.rpm
Enter pass phrase:
Pass phrase is good.
/tmp/rpmbuild/RPMS/x86_64/jack-1.0.0-1.x86_64.rpm:
6. Check the signature
Next, verify the signature on the RPM we just signed.
# rpm --checksig /tmp/rpmbuild/RPMS/x86_64/jack-1.0.0-1.x86_64.rpm
/tmp/rpmbuild/RPMS/x86_64/jack-1.0.0-1.x86_64.rpm: sha1 md5 OK
Alternatively, the following command performs the same verification.
# rpm -K /tmp/rpmbuild/RPMS/x86_64/jack-1.0.0-1.x86_64.rpm
/tmp/rpmbuild/RPMS/x86_64/jack-1.0.0-1.x86_64.rpm: sha1 md5 OK
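The check from step 6, as an added example that is not part of the original article: a shell function that classifies one line of rpm -K output, so a result that lists only digests (such as "sha1 md5 OK") is told apart from one where a signature was actually verified. The function names are hypothetical and the sample lines in the comments are constructed; the token formats assumed are those of older rpm releases (rsa ... pgp) and newer ones (digests signatures).

```shell
#!/bin/sh
# Added example, not the article's code: interpret `rpm -K` / `rpm --checksig`
# output. Constructed sample lines (assumed formats):
#   pkg.rpm: sha1 md5 OK                      -> digests only, no signature checked
#   pkg.rpm: rsa sha1 (md5) pgp md5 OK        -> signature verified (older rpm)
#   pkg.rpm: digests signatures OK            -> signature verified (newer rpm)
#   pkg.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#5cc4fa77)

# classify_checksig LINE
# Prints one of: signed-ok | digest-only | missing-key | failed
classify_checksig() {
    # Strip the leading "<package path>: " so only result tokens remain.
    result=${1##*.rpm: }
    case "$result" in
        *"MISSING KEYS"*) echo missing-key; return ;;  # signed, key not imported
        *"NOT OK"*)       echo failed; return ;;       # digest or signature mismatch
        *OK)              ;;                           # passed; inspect tokens below
        *)                echo failed; return ;;       # unexpected output (e.g. error)
    esac
    # A lowercase signature token means a signature was verified; without one,
    # rpm only confirmed that the package digests match.
    case " $result " in
        *" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*|*" signatures "*)
            echo signed-ok ;;
        *)
            echo digest-only ;;
    esac
}

# check_rpm FILE
# Succeeds only when rpm reports a verified signature for FILE.
check_rpm() {
    [ "$(classify_checksig "$(LC_ALL=C rpm -K "$1" 2>&1)")" = signed-ok ]
}
```

A digest-only result usually means the package carries no signature or the %_gpg_name macro did not match a key; rpm -qpi on the package shows the Signature field for a closer look.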
7. Build the RPM with a signature
If we plan to build more RPMs, we can sign them at build time with the following command.
# rpmbuild -ba --sign /tmp/rpmbuild/SPECS/jack.spec
Date: 2020-06-02 22:16:53 Source: oir Author: oir