Register Signing Services

Create a SigningService for signing RPM metadata (repomd.xml) or RPM Packages.

Metadata Signing

RPM metadata signing uses a detached signature, which pulpcore already provides. To register such a service, follow the general instructions in pulpcore.

Package Signing

New in 3.26.0 (Tech Preview)

Unlike metadata signing, package signing is not detached, so it uses a different type of SigningService. Nevertheless, the registration process is very similar.


  • Get familiar with the general SigningService registration here.


  1. Create a signing script capable of signing an RPM Package.
    • The script receives a file path as its first argument.
    • The script should return JSON-formatted output. No signature is required, since it is embedded.
      {"file": "filename"}
  2. Register it with pulpcore-manager add-signing-service.
    • The --class should be rpm:RpmPackageSigningService.
    • The key provided here serves only for validating the script. The signing fingerprint is provided dynamically, as on upload signing.
  3. Retrieve the signing service for usage.


Write a signing script. The following example is roughly what we use for testing.
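#!/usr/bin/env bash

# Input provided to the script
FILE_PATH=$1
# The fingerprint is passed in by pulpcore through the environment
FINGERPRINT="${PULP_SIGNING_KEY_FINGERPRINT}"

# Specific signing logic
# GPG_HOME and GPG_BIN are assumed, site-specific values; adjust them for your host
GPG_HOME="${HOME}/.gnupg"
GPG_BIN="/usr/bin/gpg"
rpm \
    --define "_signature gpg" \
    --define "_gpg_path ${GPG_HOME}" \
    --define "_gpg_name ${FINGERPRINT}" \
    --define "_gpgbin ${GPG_BIN}" \
    --addsign "${FILE_PATH}" 1> /dev/null

# Output
# Capture the exit status of rpm so a failed signing is not reported as success
STATUS=$?
if [[ ${STATUS} -eq 0 ]]; then
   echo "{\"rpm_package\": \"${FILE_PATH}\"}"
else
   exit ${STATUS}
fi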

Register the signing service and retrieve information about it.

pulpcore-manager add-signing-service \
  "SimpleRpmSigningService" \
  ${KEYID} \
  --class "rpm:RpmPackageSigningService"

pulp signing-service show --name "SimpleRpmSigningService"
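
The contract from step 1 can be checked locally before running add-signing-service. The following Python harness is an added example, not part of pulp_rpm or the original page: check_signing_script is a hypothetical helper, the JSON key defaults to the rpm_package key the example script emits, and the fingerprint is assumed to reach the script through PULP_SIGNING_KEY_FINGERPRINT. The demo at the bottom runs a constructed stand-in signer rather than a real rpm call.

```python
import hashlib
import json
import os
import subprocess
import tempfile
from pathlib import Path


def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def check_signing_script(script_argv, package, fingerprint, expected_key="rpm_package"):
    """Run a signing script as step 1 describes; return a list of contract problems."""
    before = _sha256(package)  # pass an unsigned package so a change is detectable
    # Assumption: the fingerprint reaches the script via PULP_SIGNING_KEY_FINGERPRINT.
    env = dict(os.environ, PULP_SIGNING_KEY_FINGERPRINT=fingerprint)
    proc = subprocess.run(
        [*script_argv, str(package)], env=env, capture_output=True, text=True, timeout=120
    )
    if proc.returncode != 0:
        return [f"exit status {proc.returncode}: {proc.stderr.strip()}"]
    try:
        result = json.loads(proc.stdout)
    except json.JSONDecodeError as exc:
        return [f"stdout is not valid JSON ({exc.msg}): {proc.stdout!r}"]
    if not isinstance(result, dict) or expected_key not in result:
        return [f"JSON output lacks the {expected_key!r} key: {result!r}"]
    signed = Path(str(result[expected_key]))
    if not signed.is_file():
        return [f"reported file does not exist: {signed}"]
    if _sha256(signed) == before:
        # An embedded signature changes the package bytes; identical bytes mean
        # the script exited 0 without signing anything.
        return ["reported file is byte-identical to the input: nothing was signed"]
    return []


if __name__ == "__main__":
    # Constructed stand-in signer: appends a byte instead of calling rpm --addsign.
    stub = ["sh", "-c", 'printf x >> "$1"; printf \'{"rpm_package": "%s"}\' "$1"', "stub"]
    with tempfile.NamedTemporaryFile(suffix=".rpm") as pkg:
        pkg.write(b"constructed placeholder, not a real RPM")
        pkg.flush()
        print(check_signing_script(stub, pkg.name, "0" * 40) or "contract satisfied")
```

For a real check, pass the path to the signing script as a one-element list, an unsigned RPM, and the fingerprint of a key present in the GPG home the script uses.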