Code Signing with RPM Signatures

Instead of a dedicated RPM package signer, SignServer leverages OpenPGP Signer and SignWrapper-GPG to secure RPM packages with code signing.

The RPM code signing setup includes the following steps:

The OpenPGP Signer is configured for creating the signatures and uses OpenPGP public keys/certificates instead of X.509 certificates. The OpenPGP public key can be obtained from the worker's status output. Additionally, the Generate CSR function allows adding a user ID to the public key and storing the new public key in the PGPPUBLICKEY worker property. For RPM signing with RSA keys, this step is required in order to get the correct key type in the public key/certificate.

The SignServer SignWrapper-GPG can leverage the SignClient for securing RPM packages. SignWrapper-GPG is a script that calls SignClient and is made to behave like the gpg (GnuPG) command, so that the rpm-sign tool can be configured to use signwrapper-gpg instead of gpg.

For signature formats such as RPM, where the signature is embedded within the file, this scheme requires some logic on the client side: first to prepare the file for signing, then to hash it, and finally to include the signature in the file's data structure. For more information on signing RPM packages with gpg, refer to the Red Hat documentation.

Step 1: Add an OpenPGP Signer

To add the OpenPGP signer, follow the steps below, using the sample configuration file openpgpsigner.properties as a template:

  1. Go to the SignServer Admin Web Workers page and click Add to add a new worker.

  2. On the Add Worker / Load Configuration page, choose the method From Template.

  3. In the Load From Template list menu, select openpgpsigner.properties and click Next.

  4. Click Apply and select the worker name OpenPGPSigner.

  5. Click the Configuration tab and make the appropriate adjustments for:

    • NAME: Specify a name.

    • CRYPTOTOKEN: If using SignServer Enterprise, this should match the name of the crypto token configured in the SignServer software installation section. If you are on an Appliance, this crypto token was created for you with the name HSMCryptoToken10. If using SignServer Cloud, a CryptoTokenP12 is provided with the instance, containing all the sample keys and certificates you need, and you can continue to the last step and ensure that your signer is in an ACTIVE state.

  6. Configure other necessary properties. The most relevant properties to configure are DETACHEDSIGNATURE, DIGEST_ALGORITHM, and RESPONSE_FORMAT. For descriptions of the OpenPGP Signer-specific properties, see OpenPGP Signer.

  7. Generate a new key pair for the signer, by clicking the Status Summary tab and then Renew Key.

  8. Select a Key Algorithm, such as RSA, and a Key Specification such as 2048, and click Generate.

  9. Select the worker in the list and confirm that the Worker status is Active and without errors listed. If not, confirm that the DEFAULTKEY property is correct and check in the Crypto Token tab of the crypto worker that a key with the specified name exists.

Step 2: Add User ID / Certification

Follow the steps to use the Generate CSR option to add User ID / Certification for the OpenPGP public key:

  1. Select the SignServer AdminWeb Workers tab.

  2. Click the OpenPGP worker.

  3. Click Generate CSR and specify the following:

  4. Specify a Signature Algorithm, for example SHA256withRSA or SHA256withECDSA. Note that the OpenPGPSigner also accepts specifying only the OpenPGP hash algorithm.

  5. Specify DN as the wanted User Id, for example: Signer001 (Code Signing) <signer001@example.com>

  6. Click Generate, and then click Download.

  7. Open the downloaded file using any text editor and copy its content.

  8. Select the worker and click the Configuration tab.

  9. For the PGPPUBLICKEY property, click Edit.

  10. Paste the public key content in the Value field, and click Submit.

  11. Click Status Summary and confirm that fields like PGP Key ID and PGP Public key are listed. Also, note that the User ID is listed.

Step 3: Generate and Store Revocation Certificate

Follow the steps to generate and store a revocation certificate:

  1. On the AdminWeb Worker page, click the Configuration tab.

  2. For the GENERATE_REVOCATION_CERTIFICATE property, click Edit.

  3. Set Value true and click Submit.

  4. Click Generate CSR.

  5. Specify a Signature Algorithm, for example SHA256withRSA or SHA256withECDSA. Note that the OpenPGPSigner also accepts specifying only the OpenPGP hash algorithm.

  6. Specify any DN value as this field is not used when generating a revocation certificate.

  7. Click Generate, and then click Download.

  8. Store the revocation certificate securely so that it can be accessed by authorized personnel in case the public key needs to be revoked.

  9. Click the Configuration tab.

  10. For the GENERATE_REVOCATION_CERTIFICATE property, click Edit.

  11. Set Value false and click Submit.

Step 4: Set up RPM for Signing using SignWrapper-GPG

  1. Configure rpm tool using .rpmmacros.

For the user that should run the rpm command, configure .rpmmacros in the user’s home folder:

CODE
%_signature gpg
%_gpg_name OpenPGPSigner
%__gpg /opt/signserver/bin/signwrapper-gpg

The %_gpg_name should have the name of the configured OpenPGPSigner.

The %__gpg should contain the path to the signwrapper-gpg.

  2. Configure environment variables for SignWrapper-GPG to locate SignClient.

Unless the signwrapper-gpg script is kept in the SignClient folder, make sure an environment variable is set so the script can find SignClient. Either set SIGNCLIENT_CMD to point to the bin/signserver script, or set SIGNCLIENT_HOME or SIGNSERVER_HOME to point to the folder with the SignClient distribution.

  3. Configure environment variables for SignClient.

    • SIGNCLIENT_HOSTS: Value for the -hosts HOSTS SignClient parameter; the hostname or IP address of the SignServer host, or a comma-separated list of hosts. Example: signserver1.example.com

    • SIGNCLIENT_PORT: Value for the -port PORT SignClient parameter; the TCP port on the SignServer host to use. Example: 8080

    • SIGNCLIENT_PARAMS: (Optional) Value for any extra parameters to put on the SignClient command line. Example: -truststore TRUSTSTORE -truststorepwd PWD

See also SignWrapper-GPG for more details on the command.
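The macros and environment variables from this step are easy to get wrong and only fail later, when rpm --addsign tries to run the wrapper. The following pre-flight script is an added example, not part of SignServer or of this page: it writes the three .rpmmacros lines into a given home directory and checks that the SignClient environment is set up before any signing is attempted. The function names (write_rpmmacros, rpmmacro_value, check_rpmmacros, check_signwrapper_env) and the demo values signserver1.example.com, 8080 and /opt/signserver are assumptions; the demo at the end uses a temporary directory and an empty executable file standing in for the real /opt/signserver/bin/signwrapper-gpg.

```shell
#!/bin/sh
# Added example, not SignServer's own code: pre-flight checks for an RPM
# signing host configured as in Step 4. Function names are hypothetical.

# write_rpmmacros HOME_DIR SIGNER_NAME WRAPPER_PATH
# Writes the three macros rpm needs so that --addsign calls signwrapper-gpg.
write_rpmmacros() {
    printf '%%_signature gpg\n%%_gpg_name %s\n%%__gpg %s\n' "$2" "$3" > "$1/.rpmmacros"
}

# rpmmacro_value HOME_DIR MACRO
# Prints the value configured for MACRO in HOME_DIR/.rpmmacros (empty if absent).
rpmmacro_value() {
    awk -v m="$2" '$1 == m { print $2; exit }' "$1/.rpmmacros"
}

# check_rpmmacros HOME_DIR
# Returns 0 when the macros select gpg signing, name a signer and point
# %__gpg at an executable wrapper; otherwise reports the problem and returns 1.
check_rpmmacros() {
    status=0
    [ "$(rpmmacro_value "$1" %_signature)" = gpg ] \
        || { echo "%_signature must be gpg" >&2; status=1; }
    [ -n "$(rpmmacro_value "$1" %_gpg_name)" ] \
        || { echo "%_gpg_name must name the OpenPGP signer worker" >&2; status=1; }
    wrapper=$(rpmmacro_value "$1" %__gpg)
    [ -x "$wrapper" ] \
        || { echo "%__gpg ($wrapper) is not an executable signwrapper-gpg" >&2; status=1; }
    return $status
}

# check_signwrapper_env
# Returns 0 when the SignClient host and port are set and signwrapper-gpg can
# locate SignClient through SIGNCLIENT_CMD, SIGNCLIENT_HOME or SIGNSERVER_HOME.
check_signwrapper_env() {
    status=0
    [ -n "$SIGNCLIENT_HOSTS" ] \
        || { echo "SIGNCLIENT_HOSTS is not set" >&2; status=1; }
    case "$SIGNCLIENT_PORT" in
        ''|*[!0-9]*) echo "SIGNCLIENT_PORT must be a TCP port number" >&2; status=1 ;;
    esac
    if [ -z "$SIGNCLIENT_CMD" ] && [ -z "$SIGNCLIENT_HOME" ] && [ -z "$SIGNSERVER_HOME" ]; then
        echo "set SIGNCLIENT_CMD, SIGNCLIENT_HOME or SIGNSERVER_HOME so signwrapper-gpg can find SignClient" >&2
        status=1
    fi
    return $status
}

# Demo with constructed values: a temporary home directory and an empty
# executable standing in for /opt/signserver/bin/signwrapper-gpg.
demo_home=$(mktemp -d)
: > "$demo_home/signwrapper-gpg" && chmod +x "$demo_home/signwrapper-gpg"
write_rpmmacros "$demo_home" OpenPGPSigner "$demo_home/signwrapper-gpg"
export SIGNCLIENT_HOSTS=signserver1.example.com SIGNCLIENT_PORT=8080 SIGNSERVER_HOME=/opt/signserver
if check_rpmmacros "$demo_home" && check_signwrapper_env; then
    echo "ready: run 'rpm --addsign release.rpm' as this user"
fi
rm -rf "$demo_home"
```

On a real signing host, run write_rpmmacros against the signing user's actual home directory with the real wrapper path, then run the two check functions in the same shell session (or CI job) that will execute rpm --addsign, since the SIGNCLIENT_* variables must be present in that process's environment.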

Step 5: Signing RPM

The standard RPM tool is used to request signing by using the SignWrapper-GPG and SignClient.

The following example shows how to sign using the RPM tool which has been configured to use SignWrapper-GPG instead of GPG.

  1. Execute the following command to sign the release.rpm package:

CODE
rpm --addsign release.rpm

  2. Store the resulting signed file.

Step 6: (Optional) Verify Signature

You can verify the signature using the RPM tool.

If needed, first import the public key to RPM before verifying the signature in the third step:

  1. Store the public key (from PGPPUBLICKEY property) as signer001-pub.asc.

  2. Import the key to RPM:

    CODE
    $ rpm --import signer001-pub.asc

  3. Run the following to verify the signature:

    CODE
    $ rpm --checksig release.rpm

    Additionally, to get more details about the signature:

    CODE
    rpm -qp --qf '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n' release.rpm
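rpm --checksig only reports that the package is validly signed by some key in the RPM keyring; in a release pipeline you usually also want to assert that the signature comes from the OpenPGP signer's own key, i.e. the PGP Key ID shown in the worker's Status Summary. The following is an added example, not code from SignServer or from this page: it runs the same rpm query shown above, extracts the key ID from the pgpsig line and compares it with the expected one. The function names are hypothetical, the sample pgpsig lines are constructed to follow the "<algorithm>, <date>, Key ID <hex>" layout rpm prints, and the key IDs are placeholders, not a real signer's.

```shell
#!/bin/sh
# Added example, not SignServer's own code: gate a release on the RPM being
# signed by the expected OpenPGP signer key. Function names are hypothetical.

# rpm_pgpsig FILE
# Prints the signature summary for FILE with the same query format as the
# verification step above; rpm prints "(none)" when the package is unsigned.
rpm_pgpsig() {
    rpm -qp --qf '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n' "$1"
}

# pgpsig_key_id LINE
# Extracts the hex value after "Key ID" from a pgpsig line, lower-cased;
# prints nothing for "(none)" or any line without a key ID.
pgpsig_key_id() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Key ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' \
        | tr 'A-F' 'a-f'
}

# check_pgpsig_line LINE EXPECTED_KEY_ID
# Returns 0 only when LINE carries a key ID matching EXPECTED_KEY_ID
# (case-insensitive; a short 8-digit ID matches the tail of the long one).
# Returns 1 for unsigned packages or a different key, 2 for a bad argument.
check_pgpsig_line() {
    actual=$(pgpsig_key_id "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        ''|*[!0-9a-f]*) echo "expected key ID must be hexadecimal" >&2; return 2 ;;
    esac
    [ ${#expected} -ge 8 ] || { echo "expected key ID is too short" >&2; return 2; }
    if [ -z "$actual" ]; then
        echo "package is not signed (no OpenPGP signature header)" >&2
        return 1
    fi
    case "$actual" in
        "$expected"|*"$expected") return 0 ;;
    esac
    echo "package signed by key $actual, expected $expected" >&2
    return 1
}

# verify_rpm_signer FILE EXPECTED_KEY_ID
# Applies the check to a real package (needs the rpm tool installed).
verify_rpm_signer() {
    check_pgpsig_line "$(rpm_pgpsig "$1")" "$2"
}

# Demo with constructed pgpsig lines and a placeholder key ID.
SIGNED='RSA/SHA256, Mon 01 Jan 2024 12:00:00 UTC, Key ID 0123456789abcdef'
UNSIGNED='(none)'
if check_pgpsig_line "$SIGNED" 0123456789ABCDEF; then echo "signed by the expected key"; fi
check_pgpsig_line "$UNSIGNED" 0123456789abcdef || echo "rejected: unsigned package"
check_pgpsig_line "$SIGNED" fedcba9876543210 || echo "rejected: signed by another key"
```

In a pipeline, call verify_rpm_signer release.rpm <expected key ID> after rpm --checksig has passed: the first call proves the signature is valid, the second that it was produced by the intended signer worker and not by any other key that happens to be imported into the RPM keyring.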

You can optionally distribute the OpenPGP Public Key to clients, for example by publishing the public key to any online key server.
