Chapter 3. Building Custom Packages

3. It may be tempting to create an RPM by archiving files and then unarchiving them in the post-install script, but do not do it. This defeats the purpose of RPM. If the files in the archive are not included in the file list, they cannot be verified or examined for conflicts. In the vast majority of cases, RPM itself can pack and unpack archives most effectively anyway. For instance, do not create files in a %post script that you do not clean up in the %postun script.

3.2. Digital Signatures for RHN Packages

All RPM packages distributed through RHN should have a digital signature. A digital signature is created with a unique private key and can be verified with the corresponding public key. After creating a package, the SRPM (Source RPM) and the RPM can be digitally signed with a GnuPG key. Before the package is installed, the public key can be used to verify that the package was signed by a trusted party and that it has not changed since it was signed.

3.2.1. Generating a GnuPG Keypair

A GnuPG keypair consists of a private key and a public key. To generate a keypair, as root at a shell prompt, type the following command:

    gpg --gen-key

If you execute this command as a non-root user, you will see the following message:

    gpg: Warning: using insecure memory!

This message appears because non-root users cannot lock memory pages. If such users could lock memory pages, they could perform out-of-memory denial of service attacks. Since you do not want anyone else to have your private GnuPG key or your passphrase, you should generate the keypair as root. The root user can lock memory pages, which means the information is never written to disk.

After executing the command to generate a keypair, you will see an introductory screen containing key options similar to the following:

    gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.

    Please select what kind of key you want:
       (1) DSA and ElGamal (default)
       (2) DSA (sign only)
       (4) ElGamal (sign and encrypt)
       (5) RSA (sign only)
    Your selection?

Accept the default option, (1) DSA and ElGamal. This option allows you to create a digital signature and to encrypt (and decrypt) with two types of technologies. Type 1 and then press [Enter].

Next, choose the key size, that is, how long the key should be. The longer the key, the more resistant your messages will be against attacks. Creating a key of at least 1024 bits in size is therefore recommended.

The next option asks you to specify how long you want your key to be valid. If you do choose an expiration date, remember that anyone with whom you have exchanged your public key will also have to be informed of its expiration and supplied with a new public key. It is recommended that you select no expiration date. If you do not choose an expiration date, you will be asked to confirm your decision:

    Key does not expire at all
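As an added example (not part of the Red Hat guide), the choices the interactive prompts ask for above, DSA and ElGamal, 1024 bits, no expiration, written as a GnuPG batch parameter file so the keypair can be generated unattended, followed by the check the section describes: exporting the public key and verifying a package against it with rpm. The name, e-mail address and passphrase are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not the guide's own code. Unattended equivalent of the
# interactive `gpg --gen-key` session and the signature check that follows.

# Print a GnuPG batch parameter file mirroring the guide's recommended answers:
# DSA signing key with an ElGamal encryption subkey, 1024 bits, never expires.
#   $1 = real name   $2 = e-mail   $3 = passphrase (assumed placeholders)
gen_key_params() {
    cat <<EOF
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: $1
Name-Email: $2
Expire-Date: 0
Passphrase: $3
%commit
EOF
}

# Generate the keypair from the parameter file (run as root, as the guide
# advises, so the key material can be held in locked memory).
# Returns 2 when gpg is not installed instead of failing silently.
generate_signing_key() {
    command -v gpg >/dev/null 2>&1 || return 2
    gen_key_params "$1" "$2" "$3" | gpg --batch --gen-key
}

# Export the ASCII-armored public key for distribution to package consumers.
#   $1 = key e-mail (user id)   $2 = output file
export_public_key() {
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --armor --export "$1" > "$2"
}

# Import the public key into the rpm keyring and verify a package with it.
# A non-zero exit means the signature is missing, untrusted or does not match.
#   $1 = public key file   $2 = path to the .rpm or .src.rpm
verify_rpm() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm --import "$1" && rpm --checksig "$2"
}
```

Only the parameter-file generator is exercised without gpg and rpm present; the other functions return 2 when the tool is missing so a script can distinguish "not installed" from "verification failed".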