Chapter 4. Importing Custom GPG Keys

For customers who plan to build and distribute their own RPMs securely, it is strongly recommended that all custom RPMs are signed using GNU Privacy Guard (GPG). Generating GPG keys and building GPG-signed packages are covered in the Red Hat Network Channel Management Guide.

Once the packages are signed, the public key must be deployed on all systems importing these RPMs. This task has two steps: first, create a central location for the public key so that clients may retrieve it, and second, add the key to the local GPG keyring for each system.

The first step is common and may be handled using the website approach recommended for deploying RHN client applications. (Refer to Section 2.1 Deploying the Latest Red Hat Network Client RPMs.) To do this, create a public directory on the Web server and place the GPG public key in it:

    cp /some/path/YOUR-RPM-GPG-KEY /var/www/html/pub/

The key can then be downloaded by client systems using Wget:

    wget -O- -q http://your_proxy_or_sat.your_domain.com/pub/YOUR-RPM-GPG-KEY

The -O- option sends results to standard output while the -q option sets Wget to run in quiet mode. Remember to replace the YOUR-RPM-GPG-KEY variable with the filename of your key.

Once the key is available on the client file system, import it into the local GPG keyring. Different operating systems require different methods.

For Red Hat Enterprise Linux 3 or newer, use the following command:

    rpm --import /path/to/YOUR-RPM-GPG-KEY

For Red Hat Enterprise Linux 2.1, use the following command:

    gpg $(up2date --gpg-flags) --import /path/to/YOUR-RPM-GPG-KEY

Once the GPG key has been successfully added to the client, the system should be able to validate custom RPMs signed with the corresponding key.
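The download step above uses plain HTTP, so a client can compare the fetched key's fingerprint with one obtained out of band before running the import. The script below is an added example, not part of the original guide; the function names and the use of `gpg --show-keys` (a current GnuPG 2.x rather than the tooling shipped with Red Hat Enterprise Linux 2.1 or 3) are assumptions.

```sh
#!/bin/sh
# Added example (not from the guide): import the key only if its fingerprint
# matches a value obtained out of band. Function names are hypothetical.

# Strip whitespace and uppercase, so "0123 abcd ..." compares cleanly.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: field 10 of the first "fpr" record.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only for a full-length hex fingerprint (40+ digits) that matches.
# Short key IDs are rejected as pins because they are easy to collide.
fpr_matches() {
    want=$(normalize_fpr "$1")
    got=$(normalize_fpr "$2")
    case "$want" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#want}" -ge 40 ] && [ "$want" = "$got" ]
}

# Download to a temp file, check the fingerprint, then import into the RPM
# keyring. Assumes wget, rpm and a GnuPG 2.x that supports --show-keys.
import_pinned_key() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    got_fpr=$(gpg --show-keys --with-colons "$tmp" 2>/dev/null | primary_fpr)
    if fpr_matches "$expected" "$got_fpr"; then
        rpm --import "$tmp"
        rc=$?
    else
        echo "refusing import: fingerprint '$got_fpr' does not match" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Call it as `import_pinned_key http://your_proxy_or_sat.your_domain.com/pub/YOUR-RPM-GPG-KEY "<expected fingerprint>"`, where the fingerprint is a placeholder for the value read from the signing key on the build host.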