Is there a way to remove or replace an existing GPG signature on an RPM?

I am placing a few obscure RPMs on an internal repo we use for supplementary RHEL/CentOS packages. A few of those RPMs are already signed. I would like to remove those signatures and re-sign them with a GPG signature we use for our local repo.

HBruijn
carlos

2 Answers

Simply (re-)sign the packages with your own key:

rpm --addsign package.rpm

The --addsign option generates and inserts new signatures for each package. Any existing signatures will be discarded.

The --resign option generates and appends signatures for the listed packages while preserving the existing signatures.

If you have imported the public key, you can validate the new signature:

rpm --checksig -v package.rpm

You should see the phrase Good signature from "Your Name" in the output.

AFAIK removing signatures isn't supported.

HBruijn
    Slight clarification for --resign: it will force re-sign if a key with the same sig exists or does not exist, and for --addsign, existing signatures are not automatically discarded if the signature you're trying to sign with is the same as (or even different from, it seems) the existing signature, i.e. --resign is basically the equivalent of force sign and overwrite any existing signatures. – sabujp Oct 23 '17 at 20:34

HBruijn's answer is largely correct and useful but, for completeness, removing signatures is supported, using rpmsign --delsign package.rpm.

MHStag
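Putting the two answers together, as an added example (not code from either answer): a POSIX shell script that strips the vendor signature with rpmsign --delsign, re-signs with the local repo key via rpmsign --addsign, and then checks the rpm --checksig -v output properly instead of eyeballing it. The check requires that every "Signature, key ID xxxx: STATUS" line rpm 4.x prints is OK and carries the expected key ID, that every digest line is OK, and that at least one signature is present, so a package that is still carrying the vendor's key (NOKEY), one signed by some other imported key, or one that ended up unsigned all fail. It assumes rpm, rpmsign and gpg are installed and that the key named in the second argument is in the signing user's GPG keyring; the package name, key name and key IDs are placeholders, and the sample checksig outputs are constructed, not captured from real packages.

```shell
#!/bin/sh
# Added example, not from the original answers: re-sign an RPM with the local
# repo key and verify that the result is signed by exactly that key.
# Assumes rpm, rpmsign and gpg are installed; key name/IDs are placeholders.

# Parse `rpm --checksig -v` output.  Every "... Signature, key ID xxxx: STATUS"
# line must be OK and carry the expected key ID (the short hex form rpm prints);
# every "... digest: STATUS" line must be OK.
# Returns 0 if at least one such signature was seen and all checks passed,
#         1 if any line is BAD/NOKEY or the signature is by another key,
#         2 if no signature lines were found (an unsigned package).
check_sig_output() {
  expected_key=$1
  output=$2
  sigs=0
  while IFS= read -r line; do
    case $line in
      *"Signature, key ID "*)
        keyid=${line##*"key ID "}      # "1a2b3c4d: OK"
        keyid=${keyid%%:*}             # "1a2b3c4d"
        status=${line##*": "}          # "OK", "NOKEY", "BAD", ...
        [ "$status" = OK ] || return 1
        [ "$keyid" = "$expected_key" ] || return 1
        sigs=$((sigs + 1))
        ;;
      *" digest: "*)
        status=${line##*": "}
        [ "$status" = OK ] || return 1
        ;;
    esac
  done <<EOF
$output
EOF
  [ "$sigs" -gt 0 ] || return 2
}

# Full procedure: drop the existing signature (rpmsign --delsign, MHStag's
# answer), add ours (rpmsign --addsign with %_gpg_name selecting the key,
# HBruijn's answer), then verify the package is signed by our key only.
resign_and_verify() {
  pkg=$1; gpg_name=$2; our_key=$3
  rpmsign --delsign "$pkg" || return 1
  rpmsign --define "_gpg_name $gpg_name" --addsign "$pkg" || return 1
  out=$(rpm --checksig -v "$pkg") || return 1
  check_sig_output "$our_key" "$out"
}

# Constructed sample `rpm --checksig -v` outputs (not captured from a real
# package) so the checker can be exercised without rpm installed.
SAMPLE_OURS='package.rpm:
    Header V4 RSA/SHA256 Signature, key ID 1a2b3c4d: OK
    Header SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 1a2b3c4d: OK
    MD5 digest: OK'
SAMPLE_VENDOR_NOKEY='package.rpm:
    Header V4 RSA/SHA256 Signature, key ID 5e6f7a8b: NOKEY
    Header SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 5e6f7a8b: NOKEY
    MD5 digest: OK'
SAMPLE_OTHER_KEY='package.rpm:
    Header V4 RSA/SHA256 Signature, key ID 5e6f7a8b: OK
    Header SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 5e6f7a8b: OK
    MD5 digest: OK'
SAMPLE_UNSIGNED='package.rpm:
    Header SHA256 digest: OK
    MD5 digest: OK'

# Returns 0 when the checker accepts our signature and rejects the others.
demo_checks() {
  check_sig_output 1a2b3c4d "$SAMPLE_OURS" || return 1
  check_sig_output 1a2b3c4d "$SAMPLE_VENDOR_NOKEY" && return 1
  check_sig_output 1a2b3c4d "$SAMPLE_OTHER_KEY" && return 1
  check_sig_output 1a2b3c4d "$SAMPLE_UNSIGNED" && return 1
  return 0
}

# Real run only when invoked with arguments, e.g.
#   sh resign.sh package.rpm "Repo Signing Key <repo@example.com>" 1a2b3c4d
if [ $# -eq 3 ]; then
  resign_and_verify "$1" "$2" "$3" && echo "$1: signed by $3 and verified" || exit 1
fi
```

The key ID argument is whatever rpm --checksig -v prints for a package signed by your key, so sign one package by hand first and copy that value rather than guessing the short or long form from gpg --list-keys. Running --delsign before --addsign sidesteps the --addsign/--resign ambiguity discussed in the comments: whatever either option does with existing signatures, there are none left to keep.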