Bug 1564079

Summary: [RFE]: Add details of RPM package signing in RPM Packaging Guide
Product: Red Hat Enterprise Linux 7 Reporter: Melanie Corr <mcorr>
Component: doc-Packagers_GuideAssignee: Adam Kvitek <akvitek>
Status: CLOSED CURRENTRELEASE QA Contact: ecs-bugs
Severity: unspecified Docs Contact: Petr Kovar <pkovar>
Priority: unspecified    
Version: 7.7-AltCC: msuchy, pkovar, rhel-docs, swadeley
Target Milestone: rcKeywords: Documentation, FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-19 16:05:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Melanie Corr 2018-04-05 10:03:07 UTC 
Document URL: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/rpm_packaging_guide/

Section Number and Name: RPM Packaging Guide

Describe the issue: This guide is missing info on how to sign a package

Suggestions for improvement: Include info on how to sign the package, how to sign it with a GPG key and how to make a GPG copy in ASC format 

Additional information: The RPM packaging guide is fantastic. I have used it step by step with success. The Satellite docs team have a BZ [1] that has a use case which requires the creation of an RPM, signing of that RPM, and uploading to Satellite as custom content. The Satellite part of this is documented, as is the creation of the RPM, however the signing of the RPM seems to be the responsibility of the package creator, so that would probably best fit in the RPM packaging guide. 

Any queries, let me know.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1363863
Comment 3 Miroslav Suchý 2018-04-25 11:11:59 UTC 
This is described in 
  https://access.redhat.com/blogs/766093/posts/1976693
and in older:
  http://ftp.rpm.org/max-rpm/s1-rpm-pgp-signing-packages.html
  (RH is the copyright holder of this documentation, so you can copy it).

It is definitely better to first build a package and only the sign it with --addsign.
Comment 6 Adam Kvitek 2018-05-30 10:10:13 UTC 
New chapter submitted in a pull request: https://github.com/redhat-developer/rpm-packaging-guide/pull/40/files
Comment 7 Adam Kvitek 2018-07-19 16:14:00 UTC 
New chapter published on customer portal: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/rpm_packaging_guide/#Signing-Packages