rpmsign(1) — Linux manual page


RPMSIGN(1)               General Commands Manual               RPMSIGN(1)

NAME

       rpmsign - RPM Package Signing

SYNOPSIS

       rpmsign {--addsign|--resign} [options] [sign-options] PACKAGE_FILE ...

       rpmsign --delsign [options] PACKAGE_FILE ...

       rpmsign --delfilesign [options] PACKAGE_FILE ...

DESCRIPTION

       rpmsign is used to manipulate digital OpenPGP signatures on rpm
       package files.

       To create a signature, rpmsign needs to verify the package's
       checksum. As a result, V4 packages with MD5/SHA1 checksums cannot
       be signed in FIPS mode.

OPERATIONS

       --addsign
           Generate and insert a new OpenPGP signature for each
           PACKAGE_FILE given unless a signature with identical
           parameters already exists, in which case no action is taken.
           An arbitrary number of V6 signatures can be added.

       --resign
           Generate and insert a new OpenPGP signature for each
           PACKAGE_FILE, replacing any and all previous signatures.

       --delsign
           Delete all OpenPGP signatures from each package PACKAGE_FILE
           given.

       --delfilesign
           Delete all IMA and fsverity file signatures from each package
           PACKAGE_FILE given.

ARGUMENTS

       PACKAGE_FILE
           An rpm package file.

OPTIONS

       See rpm-common(8) for the options common to all rpm executables.

SIGN OPTIONS

       --certpath CERT
           Used with --signverity, use file signing certificate CERT.

       --fskpath KEY
           Used with --signfiles, use file signing key KEY.

       --key-id KEYID
           Use key KEYID for signing. Overrides %_openpgp_sign_id
           configuration.

       --rpmv3
           Request RPM V3 header+payload signature addition on V4
           packages. These signatures are expensive and redundant baggage
           on packages where a separate payload digest exists (packages
           built with rpm >= 4.14). Rpmsign will automatically detect the
           need for V3 signatures, but this option can be used to request
           their creation if the packages must be fully signature
           verifiable with rpm < 4.14 or for other interoperability
           reasons.

           Has no effect when signing V6 packages.

       --rpmv4
           Request RPM V4 header signature addition on V6 packages.
           Useful for making V6 packages signature verifiable with rpm
           4.x versions.

           V4 compatibility signatures are only ever added if the signing
           algorithm is one of those known to V4: RSA, EcDSA, EdDSA (and
           original DSA). Only one V4 signature can be present in a
           package, so this is added only on the first --addsign with a
           V4 compatible algorithm, and ignored otherwise.

           Has no effect when signing V4 packages.

       --rpmv6
           Request RPM V6 header signature addition on V4 packages.

           This generally succeeds, as a package can carry an arbitrary
           number of V6 signatures. V3/V4 compatibility signatures are
           added using the same logic as --rpmv4 on a V6 package.

           Has no effect when signing V6 packages.

       --signfiles
           Sign package files. The file signing key (RSA private key)
           must be set before signing the package; it can be configured
           on the command line with --fskpath or with the macro
           %_file_signing_key.

       --signverity
           Sign package files with fsverity signatures. The file signing
           key (RSA private key) and the signing certificate must be set
           before signing the package. The key can be configured on the
           command line with --fskpath or the macro %_file_signing_key,
           and the cert can be configured on the command line with
           --certpath or the macro %_file_signing_cert.

       --verityalgo ALG
           Used with --signverity to specify the signing algorithm.
           sha256 and sha512 are supported, with sha256 being the default
           if this argument is not specified. This can also be specified
           with the macro %_verity_algorithm.

CONFIGURATION

       In order to sign packages, you need to create your own OpenPGP key
       pair (aka certificate) and configure rpm(8) to use it. The
       following macros are available:

       %_openpgp_sign_id
           The fingerprint or keyid of the signing key to use. Typically
           this is the only configuration needed. If omitted, --key-id
           must be explicitly specified when signing.

       %_openpgp_sign
           The OpenPGP implementation to use for signing. Supported
           values are "gpg" for GnuPG (default and traditional) and "sq"
           for Sequoia PGP.

       Implementation specific macros:

       %_gpg_path
           The location of your GnuPG keyring if not the default
           $GNUPGHOME.

       %_gpg_name
           Legacy macro for configuring the user id with GnuPG. Use the
           implementation-independent and unambiguous %_openpgp_sign_id
           instead.

       %_sq_path
           The location of your Sequoia configuration if not the default.

EXAMPLES

   Example 1. Basic setup
       Configure RPM to sign packages with Sequoia PGP and a specific key
       by adding the following contents to the user's rpm-config(5) file
       (typically ~/.config/rpm/macros):

           %_openpgp_sign sq
           %_openpgp_sign_id 7B36C3EE0CCE86EDBC3EFF2685B274E29F798E08

   Example 2. Basic operations
       rpmsign --addsign hello-2.0-1.x64_rpm
           Add a signature to hello-2.0-1.x64_rpm package.

       rpmsign --resign --key-id 771b18d3d7baa28734333c424344591e1964c5fc
       hello-2.0-1.x64_rpm
           Replace all signatures in hello-2.0-1.x64_rpm package by a
           signature using key 771b18d3d7baa28734333c424344591e1964c5fc.

       rpmsign --delsign --delfilesign hello-2.0-1.x64_rpm
           Delete all signatures from hello-2.0-1.x64_rpm package.
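       As an added example (not part of this manual page or of the rpm
       project), the following POSIX shell script ties the CONFIGURATION
       macros and Example 2 together: it writes %_openpgp_sign and
       %_openpgp_sign_id into a macros file without clobbering unrelated
       macros, picks the compatibility flag described under SIGN OPTIONS
       from the package version and the oldest rpm that must verify it,
       and then signs a package and checks the result with rpmkeys(8).
       The function names, the "rpm<4.14"/"rpm4"/"rpm6" labels, and the
       macros path are assumptions; the fingerprints are the placeholder
       values from the examples above.

```shell
#!/bin/sh
# Added example, not the rpm project's own code. Assumes rpmsign and
# rpmkeys are installed for sign_and_verify; the other functions run offline.
set -eu

# Write the two CONFIGURATION macros into a macros file.
# $1 = macros file (e.g. ~/.config/rpm/macros), $2 = "gpg" or "sq",
# $3 = fingerprint or key id. Earlier definitions of these two macros are
# replaced so repeated runs do not leave stale, conflicting lines behind;
# every other line in the file is kept as-is.
write_sign_macros() {
    file=$1 impl=$2 keyid=$3
    case "$impl" in
        gpg|sq) ;;
        *) echo "unsupported %_openpgp_sign value: $impl" >&2; return 2 ;;
    esac
    mkdir -p "$(dirname "$file")"
    tmp="$file.tmp.$$"
    if [ -f "$file" ]; then
        # grep exits 1 when nothing survives the filter; that is not an error
        grep -v -E '^%_openpgp_sign(_id)?[[:space:]]' "$file" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%%_openpgp_sign %s\n%%_openpgp_sign_id %s\n' "$impl" "$keyid" >> "$tmp"
    mv "$tmp" "$file"
}

# Print the value of macro $2 from macros file $1 (empty if absent).
macro_value() {
    awk -v name="$2" '$1 == name { print $2; exit }' "$1"
}

# Choose the compatibility flag from SIGN OPTIONS.
# $1 = package format being signed ("v4" or "v6")
# $2 = oldest rpm that must verify it: "rpm<4.14", "rpm4" or "rpm6"
# (labels are this example's own). A V4 package only needs --rpmv3 when
# rpm < 4.14 must verify it; a V6 package needs --rpmv4 for any rpm 4.x.
compat_flag() {
    case "$1:$2" in
        'v4:rpm<4.14')      echo "--rpmv3" ;;
        v6:rpm4|'v6:rpm<4.14') echo "--rpmv4" ;;
        *)                  echo "" ;;
    esac
}

# Sign one package, then verify it. rpmkeys' exit status is returned so a
# build job fails on a package that does not verify after signing.
# Usage: sign_and_verify hello-2.0-1.x64_rpm "$(compat_flag v6 rpm4)"
sign_and_verify() {
    pkg=$1 flag=${2:-}
    command -v rpmsign >/dev/null && command -v rpmkeys >/dev/null ||
        { echo "rpmsign/rpmkeys not installed" >&2; return 127; }
    # $flag is intentionally unquoted: it is empty or a single option
    # shellcheck disable=SC2086
    rpmsign --addsign $flag "$pkg"
    # -v lists every digest and signature with its verification result
    rpmkeys --checksig -v "$pkg"
}
```

       The macros writer is deliberately idempotent: re-running it after
       a key rotation replaces the old %_openpgp_sign_id instead of
       appending a second definition whose precedence depends on file
       order. Verifying with rpmkeys right after signing catches a
       signature made with a key that the local keyring does not trust
       before the package is published.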

EXIT STATUS

       On success, 0 is returned, a nonzero failure code otherwise.

SEE ALSO

       popt(3), rpm(8), rpm-common(8), rpmkeys(8), rpmbuild(1)

       rpmsign --help - as rpm supports customizing the options via popt
       aliases, it's impossible to guarantee that what's described in the
       manual matches what's available.

       http://www.rpm.org/ 

COLOPHON

       This page is part of the rpm (RPM Package Manager) project.
       Information about the project can be found at 
       ⟨https://github.com/rpm-software-management/rpm⟩.  It is not known
       how to report bugs for this man page; if you know, please send a
       mail to man-pages@man7.org.  This page was obtained from the
       project's upstream Git repository
       ⟨https://github.com/rpm-software-management/rpm.git⟩ on
       2026-01-16.  (At that time, the date of the most recent commit
       that was found in the repository was 2026-01-15.)  If you discover
       any rendering problems in this HTML version of the page, or you
       believe there is a better or more up-to-date source for the page,
       or you have corrections or improvements to the information in this
       COLOPHON (which is not part of the original manual page), send a
       mail to man-pages@man7.org

RPM 6.0.90                      2026-01-16                     RPMSIGN(1)
