Signing RPM packages

Signature Problems

Red Hat Package Manager (RPM) packages built with old versions of rpmbuild cannot be signed, because of bugs in the old rpmbuild command. Worse, signing such a package corrupts the file. The fix is to rebuild the source RPM with a modern version of rpmbuild. If no source RPM is available, the package has to be handled specially, because it cannot be used anywhere clients check for valid Pretty Good Privacy (PGP) signatures, for example on Yellowdog Updater, Modified (YUM) client systems. The session below shows the failure: the unsigned package verifies cleanly, signing appears to succeed, and the signed file then fails verification.

$ wget -q --passive-ftp ftp://ftp.compaq.com/pub/products/servers/\
supportsoftware/linux/hpacucli-7.50-18.linux.rpm

$ rpm -K hpacucli-7.50-18.linux.rpm
hpacucli-7.50-18.linux.rpm: md5 OK
$ rpm --addsign hpacucli-7.50-18.linux.rpm
Enter pass phrase:
Pass phrase is good.
hpacucli-7.50-18.linux.rpm:
$ rpm -K hpacucli-7.50-18.linux.rpm
error: hpacucli-7.50-18.linux.rpm: rpmReadSignature failed: region
trailer: BAD, tag 61 type 7 offset 48 count 16
$ rm hpacucli-7.50-18.linux.rpm
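To see what rpm -K is objecting to in the output above, here is an added Python checker (not part of the original page or of rpm itself) that parses the signature header of a package and checks the region index entry against its trailer, the fields rpm names in "region trailer: BAD, tag ... type ... offset ... count ...". It uses the RPM format values for the lead size, header magic, region tag 62, binary type 7 and trailer count 16; the sample headers are constructed in the block, and the trailer-offset rule (the negated byte length of the region's index entries) is an assumption of this checker.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"      # RPM lead magic; the lead is a fixed 96 bytes
LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"
RPMTAG_HEADERSIGNATURES = 62          # region tag expected in the signature header
RPM_BIN_TYPE = 7
REGION_TAG_COUNT = 16                 # a region trailer is one 16-byte index entry
ENTRY = struct.Struct(">iiii")        # index entry: tag, type, offset, count (big-endian)

def check_signature_region(blob):
    """Check the region entry and its trailer of an RPM signature header (whole
    package or bytes from the header on). Returns None when consistent, else a
    diagnostic like rpm's 'region trailer: BAD, tag T type Y offset O count C'."""
    if blob[:4] == LEAD_MAGIC:                      # whole file given: skip the lead
        blob = blob[LEAD_SIZE:]
    if len(blob) < 16 or blob[:8] != HEADER_MAGIC:
        return "signature header magic: BAD"
    nindex, hsize = struct.unpack(">ii", blob[8:16])
    data_start = 16 + ENTRY.size * nindex
    if nindex < 1 or len(blob) < data_start + hsize:
        return f"signature header size: BAD, nindex {nindex} hsize {hsize}"
    tag, typ, off, cnt = ENTRY.unpack_from(blob, 16)    # first entry must be the region
    if not (tag == RPMTAG_HEADERSIGNATURES and typ == RPM_BIN_TYPE and cnt == REGION_TAG_COUNT):
        return f"region tag: BAD, tag {tag} type {typ} offset {off} count {cnt}"
    if off < 0 or off + REGION_TAG_COUNT > hsize:
        return f"region offset: BAD, tag {tag} type {typ} offset {off} count {cnt}"
    ttag, ttyp, toff, tcnt = ENTRY.unpack_from(blob, data_start + off)
    if not (ttag == RPMTAG_HEADERSIGNATURES and ttyp == RPM_BIN_TYPE and tcnt == REGION_TAG_COUNT):
        return f"region trailer: BAD, tag {ttag} type {ttyp} offset {toff} count {tcnt}"
    if toff > 0 or toff % ENTRY.size or -toff > ENTRY.size * nindex:  # assumed: -(entries*16)
        return f"region trailer offset: BAD, offset {toff} for {nindex} index entries"
    return None

def build_signature_header(trailer_tag, nindex=3):
    """Constructed sample (not a real package): a region entry plus filler
    INT32 entries, with a trailer carrying trailer_tag in the data area."""
    index = ENTRY.pack(RPMTAG_HEADERSIGNATURES, RPM_BIN_TYPE, 0, REGION_TAG_COUNT)
    for i in range(nindex - 1):                     # filler entries after the trailer bytes
        index += ENTRY.pack(1000 + i, 4, REGION_TAG_COUNT + 4 * i, 1)
    data = ENTRY.pack(trailer_tag, RPM_BIN_TYPE, -(ENTRY.size * nindex), REGION_TAG_COUNT)
    data += b"\x00" * (4 * (nindex - 1))
    return HEADER_MAGIC + struct.pack(">ii", nindex, len(data)) + index + data

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                       # check real packages: python3 this.py foo.rpm
        with open(path, "rb") as f:
            print(path + ":", check_signature_region(f.read()) or "region OK")
```

A constructed header whose trailer carries tag 61 instead of 62 is reported the same way as the package in the session above, while a consistent header returns None.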