[Document] Siging process of rpm package, both V3 and V4

[TommyLike]

Recently, we are integrating our OBS server with remote signing server(HSM), considering the existing components are all require openPGP private key on local host, the possible ways are seperating the RPM Header&Payload&Signature and combine them together in correct way after all signed remotely, therefore my quesiton is what exactly the signing process of rpm package, including V3 and V4 version, with which we can assembly it correctly. I can't find any detail on this(I could be wrong). Thanks

[DemiMarie]

You just need to make an OpenPGP signature. RPM handles the rest. You can provide a macro that tells RPM what command to use to make the signature.

[TommyLike]

You just need to make an OpenPGP signature. RPM handles the rest. You can provide a macro that tells RPM what command to use to make the signature.

Thanks @DemiMarie, to be confirm, let's take a look at the marco configuration for rpm singature 1:

[root@localhost ~]# vi .rpmmacros 
[root@localhost ~]# cat .rpmmacros 
%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name Package Manager
%_gpgbin /usr/bin/gpg2
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}'

In order to sign rpm with remote signature service, we need develop a client which communicates with our HSM, also read original content from file and generate the signature file as specified?

We don't need to worry about the rpm header and payload, since rpm handles the rest we do the sign things only?

[DemiMarie]

@TommyLike Exactly! You do need to generate the proper OpenPGP signature, but that is doable.