Just a few words about public key cryptography (for in-depth information you should read the GPG-HOWTO).

Public key crypto systems are based on a key pair consisting of a secret and a public key. The secret key can be used by its owner to sign or encrypt files, while the public key can be used to prove the origin of files.

This section is a short introduction to the GnuPG features you might need with apt4rpm.

This is especially true if you use signed-pkgs-only, which means only signed packages are used for updates. You need to have the corresponding public key on your key ring to validate those packages.

Most distributions have the vendor key attached by default to root's key ring. However, aptate supports all operations being done by a non-root user (for security reasons), and such a user is likely to start with an empty key ring (which might cause all packages to be marked "insecure" and to be dropped).


If you get this behaviour, make sure to check your key ring!
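One way to make that key ring check scriptable for the non-root user, as an added example (not part of apt4rpm or aptate). It reads the machine-readable listing produced by gpg --with-colons --list-keys; the function name has_usable_key and the sample addresses and key IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a key ring hold a usable public key for EMAIL?
# Real use, as the user that runs aptate:
#   gpg --with-colons --list-keys | has_usable_key EMAIL
# Colon listing fields: 1 = record type, 2 = validity, 5 = key ID, 10 = user ID.

# Constructed sample listing: one valid key and one expired key.
SAMPLE='tru::1:1700000000:0:3:1:5
pub:-:4096:1:1111111111111111:1600000000:::-:::scESC::::::23::0:
uid:-::::1600000000::HASH::Repo Signer <repo@example.org>::::::::::0:
pub:e:2048:1:2222222222222222:1300000000:1400000000::-:::sc::::::23::0:
uid:e::::1300000000::HASH::Old Vendor <old@example.org>::::::::::0:'

# has_usable_key EMAIL   (listing on stdin)
# exit 0: usable key found, its key ID is printed
# exit 1: no key for EMAIL on the key ring (the "empty key ring" case)
# exit 2: a key for EMAIL exists but is expired, revoked, invalid or disabled
has_usable_key() {
    awk -F: -v email="$1" '
        # A pub record starts a new key; remember its ID and validity.
        $1 == "pub" { keyid = $5; bad = ($2 ~ /^[erid]$/) }
        # Newer gpg lists user IDs on uid records; older gpg also puts the
        # primary user ID on the pub record, so both are checked.
        ($1 == "pub" || $1 == "uid") && index($10, "<" email ">") {
            seen = 1
            # A single user ID can be revoked, so its own validity counts too.
            if (!bad && $2 !~ /^[erid]$/) { print keyid; ok = 1; exit }
        }
        END { if (ok) exit 0; exit (seen ? 2 : 1) }
    '
}

# Demonstration on the constructed sample; prints the matching key ID.
printf '%s\n' "$SAMPLE" | has_usable_key repo@example.org
```

Exit status 1 is the situation described above: the key ring has no key for the packager, so signed packages cannot be validated.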

For further information visit the GPG homepage and the related material webpage at the apt4rpm website. There you will find at least 1 reference to "Signing rpms with gpg".


Signed repositories

A signed repository is required if your apt repository is being mirrored and you want to prevent others from sneaking in faulty packages.

Create a key: gpg --gen-key

You are asked a lot of questions - if unsure simply press return. If you get some messages about "missing entropy" and the program seems to hang - simply do something on your system -> gpg is still alive! But it may take some time.

After you have finished, you can check for your new key by typing: gpg --list-keys

If you want to use encrypted repositories, you need to export the corresponding key to your client machines. To do so, type (replace EMAIL with the e-mail address you entered when creating your key pair): gpg --armour --export EMAIL > /tmp/public.key

Before creating the repository databases by calling aptate, make sure to change the following values in your aptate.conf file: (MYKEY is shorthand for the key)


Or use the corresponding command-line options, which are respectively: --gpg-key and --gpg-key-email.

Signed packages

To sign RPM packages you need to tell rpm what key to use. This can be done by entries in your $HOME/.rpmmacros file. Replace EMAIL in the following example with your GPG key pair e-mail address.

       %_signature gpg
       %_gpg_name EMAIL

After you have done this, you can use rpm --addsign *.rpm to add your signature to existing RPM files. If you build new ones, make sure to add the --sign option.


Import the repository key on the client: gpg --import /tmp/public.key