RPM sign #179
Closed
minas2666 opened this issue Apr 15, 2016 · 4 comments
Comments

@minas2666

Hi, can you provide a complete example of how to sign RPM using:
signingKeyId
signingKeyPassphrase
signingKeyRingFile

I've tried to use the Key ID (or what I think the ID is) or pointing to the Key Ring File. None of that worked, even though my build succeeds. That means I cannot track where the problem is; the signature field is just empty when I check the RPM.

@kpb

kpb commented Aug 30, 2016

+1

I'm having trouble getting this to work also.

@dataethos

dataethos commented Sep 8, 2016

+1

I'm trying to sign Debian packages with no luck. (I'm using Gradle 3.0 on Windows)

Based on the plug-in's documentation and unit test code, I have the following in my build.gradle:

plugins {
    id 'nebula.ospackage' version '4.0.0'
}

ospackage {
    packageName = 'mypackage'
    version = '1.2.3'
    ....
    signingKeyId = '12345678'
    signingKeyPassphrase = 'mypassphrase'
    signingKeyRingFile = new File(System.properties['user.home'] + '/secring.gpg')
}

# A production Debian created with dpkg-deb and signed with dpkg-sig
$ dpkg-sig --list mypackage_1.2.3_all.deb
Processing mypackage_1.2.3_all.deb
builder
$ ar x mypackage_1.2.3.all.deb && ls *gpg*
_gpgbuilder

# Debian created with nebula.ospackage
$ dpkg-sig --list mypackage_1.2.3_all.deb
Processing mypackage_1.2.3_all.deb
$ ar x mypackage_1.2.3.all.deb && ls *gpg*

I'm using the same .gnupg directory from the production Debian build machine, so my GPG setup ought to be good.

I also provided invalid values for signingKeyId and signingKeyPassphrase and still got a successful build.

I also don't see the signature file from the Scanner class referenced in the DebPluginTest unit test.

@farrukhnajmi

+1 I have the same need.

@sghill
Contributor

sghill commented Dec 28, 2016

Here's a walkthrough of the signing feature for RPMs and Debs.

RPM

I set up an example for this with the latest centos docker image.

Keys

I'm generating one just for this example.

$ gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/DEA5D717 2016-12-28
uid                  Github Issue (#179) <[email protected]>

We want the long form:

$ gpg --keyid-format LONG -k DEA5D717
pub   2048R/E12BECFCDEA5D717 2016-12-28
uid                          Github Issue (#179) <[email protected]>

Public key has to be imported into rpm to verify:

$ gpg --export --armor E12BECFCDEA5D717 > /tmp/mykey.pub
$ rpm --import /tmp/mykey.pub

Build RPM

plugins {
    id 'java'
    id 'nebula.ospackage' version '4.3.0'
}

ospackage {
    version '1.0.0'
    release '1'
    from(jar.outputs.files) {
        into '/lib'
    }

    signingKeyId = 'E12BECFCDEA5D717' // note: short key works here too
    signingKeyPassphrase = System.getenv('SIGNING_PASSPHRASE')
    signingKeyRingFile = new File(System.properties['user.home'] + '/.gnupg/secring.gpg') // this is the default value, only include if reading from a different key ring
}

$ SIGNING_PASSPHRASE=s3cret ./gradlew clean buildRpm --info --stacktrace

Verify RPM

Note the Signature field from rpm -qpi:

$ rpm -qpi build/distributions/issue-179-pkg-1.0.0-1.noarch.rpm
Name        : issue-179-pkg
Epoch       : 0
Version     : 1.0.0
Release     : 1
Architecture: noarch
Install Date: (not installed)
Group       : (none)
Size        : 659
License     :
Signature   : RSA/SHA1, Wed Dec 28 01:35:44 2016, Key ID e12becfcdea5d717
Source RPM  : issue-179-pkg-1.0.0-1-src.rpm
Build Date  : Wed Dec 28 01:35:43 2016
Build Host  : e37413c33c03
Relocations : (not relocatable)
Packager    : root
Vendor      :
URL         :
Summary     : issue-179-pkg
Description :

And the OK result from rpm -K:

$ rpm -K build/distributions/issue-179-pkg-1.0.0-1.noarch.rpm
build/distributions/issue-179-pkg-1.0.0-1.noarch.rpm: rsa sha1 (md5) pgp md5 OK

RPM Notes

Deb

Verified with the latest Ubuntu docker image.

Keys for Deb

$ gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/64D9E5F5 2016-12-28
uid                  Github Issue (#179) <[email protected]>
$ gpg --keyid-format LONG -k 64D9E5F5
pub   2048R/EAB7864D64D9E5F5 2016-12-28
uid                          Github Issue (#179) <[email protected]>
$ gpg --export --armor EAB7864D64D9E5F5 > /tmp/mykey.pub

I followed this blog post for the importing and policy creation below.

$ mkdir /usr/share/debsig/keyrings/EAB7864D64D9E5F5
$ gpg --no-default-keyring \
      --keyring /usr/share/debsig/keyrings/EAB7864D64D9E5F5/debsig.gpg \
      --import /tmp/mykey.pub
$ mkdir /etc/debsig/policies/EAB7864D64D9E5F5

Create the policy document, see the blog post mentioned or /usr/share/doc/debsig-verify/examples for the format.

Build Deb

plugins {
    id 'java'
    id 'nebula.ospackage' version '4.3.0'
}

ospackage {
    version '1.0.0'
    release '1'
    from(jar.outputs.files) {
        into '/lib'
    }

    signingKeyId = '64D9E5F5' // note: long key id does not work here
    signingKeyPassphrase = System.getenv('SIGNING_PASSPHRASE')
    signingKeyRingFile = new File(System.properties['user.home'] + '/.gnupg/secring.gpg')
}

$ SIGNING_PASSPHRASE=s3cret ./gradlew clean buildDeb --info --stacktrace

Verify Deb

$ debsig-verify build/distributions/issue-179-pkg_1.0.0-1_all.deb
debsig: Verified package from 'Test package' (test)

Deb Notes

  • Using the long key id in the ospackage block throws an error:
    org.vafer.jdeb.shaded.bc.openpgp.PGPException: Specified key EAB7864D64D9E5F5 does not exist in key ring java.io.FileInputStream@9357322
  • (cc: @dataethos) jDeb can sign for verification by two different methods: debsig-verify or dpkg-sig --verify. debsig-verify is the default, and because this isn't being explicitly set, that's the method it uses for now. It'd be great to support both -- pull requests are always welcome.
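An added build-gate check, not part of the issue or of nebula.ospackage, for the "signature field is just empty" symptom reported above: it parses `rpm -qpi` output, fails when the Signature field carries no key ID, and compares the key ID against the expected one while accepting the 8-hex short form against the 16-hex long form (the short ID is the last eight hex digits of the long one, as the walkthrough's DEA5D717 / E12BECFCDEA5D717 pair shows). The sample outputs are constructed from the walkthrough; `check_rpm_file` is a hypothetical wrapper that needs `rpm` on PATH.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Constructed sample: `rpm -qpi` output of the signed package from the walkthrough.
SIGNED_INFO = """\
Name        : issue-179-pkg
Version     : 1.0.0
Release     : 1
Signature   : RSA/SHA1, Wed Dec 28 01:35:44 2016, Key ID e12becfcdea5d717
Summary     : issue-179-pkg
"""

# Constructed sample: the same package built without a working signing setup.
UNSIGNED_INFO = re.sub(r"Signature   : .*", "Signature   : (none)", SIGNED_INFO)


def parse_rpm_info(text: str) -> Dict[str, str]:
    """Turn `rpm -qpi` output into a {field: value} dict."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info


def signature_key_id(info: Dict[str, str]) -> Optional[str]:
    """Lowercase hex key ID from the Signature field, or None if unsigned."""
    match = re.search(r"Key ID ([0-9a-fA-F]{8,16})", info.get("Signature", ""))
    return match.group(1).lower() if match else None


def key_id_matches(expected: str, actual: str) -> bool:
    """Compare IDs on their common suffix so short and long forms interoperate."""
    expected, actual = expected.lower(), actual.lower()
    n = min(len(expected), len(actual))
    return n >= 8 and expected[-n:] == actual[-n:]


def check_signed_by(info_text: str, expected_key_id: str) -> Tuple[bool, str]:
    """CI gate: fail when the RPM is unsigned or signed by an unexpected key."""
    key_id = signature_key_id(parse_rpm_info(info_text))
    if key_id is None:
        return False, "package has no PGP signature"
    if not key_id_matches(expected_key_id, key_id):
        return False, f"signed by {key_id}, expected {expected_key_id}"
    return True, f"signed by {key_id}"


def check_rpm_file(path: str, expected_key_id: str) -> Tuple[bool, str]:
    """Hypothetical wrapper: run `rpm -qpi` on a real file and apply the gate."""
    out = subprocess.run(["rpm", "-qpi", path], capture_output=True, text=True, check=True)
    return check_signed_by(out.stdout, expected_key_id)
```

Pair it with `rpm -K` (after `rpm --import` of the public key) for the cryptographic check; this gate only catches the silent-no-signature case before the package leaves the build.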
