From Fedora Project Wiki

Appendix H

Signing RPM files

Up2date will complain about installing RPM files that are not signed. We highly encourage you to GPG-sign all RPM files that you build. You will need to create a GPG key and include the public key on your discs (you may also want to add it to the , with the RPM-GPG-KEY-fedora).

We highly recommend that you create your key as the same user that you used to set up your RPM build area.

Create a GPG key

gpg --gen-key

I usually accept the default answers, but you may want to set the key to expire or use a different key size. It also asks for your real name, email address and comment. For this document, I used:

Real name:  Testing
Email address:
Comment:  Test

It then asks for a passphrase that will be required when signing RPMs. Put in a passphrase that you will remember. It will store the public/private keys in ~/.gnupg/. You will need to add this information to your ~/.rpmmacros file:

%_signature gpg
%_gpg_name Testing (Test)
%_gpgbin /usr/bin/gpg
%_gpg_path ~/.gnupg

Now, when you create your RPM files, use the --sign option to rpmbuild:

rpmbuild -ba --sign anaconda.spec

It will ask for the passphrase, and if you enter it correctly, it will build the RPM files and sign them.
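Once the build finishes, it is worth confirming that the signature actually landed on every package and verifies against a key the rpm database knows, before the RPMs go onto a disc. The script below is an added example, not part of this wiki page; it assumes the rpm -K (rpm --checksig) output formats of rpm 4.x noted in its comments.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki page): classify "rpm -K" output
# and fail if any RPM is not properly signed. The line formats matched below
# are those printed by rpm 4.x (older: "... md5 gpg OK"; newer: "digests
# signatures OK"); they are assumed here, so check them against your rpm.

# Classify one "rpm -K" output line. Prints one of:
#   signed   - digests and GPG signature verified against an imported key
#   nokey    - signed, but the signing public key is not in the rpm database
#   notok    - digest or signature verification failed
#   unsigned - digests only; no GPG/PGP signature on the package
rpm_sig_status() {
    case "$1" in
        *"MISSING KEYS"*|*NOKEY*)                 echo nokey ;;
        *"NOT OK"*)                               echo notok ;;
        *" gpg OK"|*" pgp OK"|*"signatures OK")   echo signed ;;
        *" OK")                                   echo unsigned ;;
        *)                                        echo notok ;;
    esac
}

# Run rpm -K over the given files and report each one.
# Returns 0 only when every package is "signed".
audit_rpms() {
    rc=0
    for f in "$@"; do
        line=$(rpm -K "$f" 2>&1)
        status=$(rpm_sig_status "$line")
        echo "$status  $f"
        [ "$status" = signed ] || rc=1
    done
    return $rc
}

if [ $# -gt 0 ]; then
    # Usage: sh audit.sh ~/rpmbuild/RPMS/*/*.rpm
    audit_rpms "$@"
else
    # No files given: show the classifier on constructed sample lines.
    for l in 'a.rpm: (sha1) dsa sha1 md5 gpg OK' \
             'b.rpm: sha1 md5 OK' \
             'c.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#30c9ecf8)'; do
        echo "$(rpm_sig_status "$l")  $l"
    done
fi
```

A "nokey" result on the build host usually means the public key has not been imported with rpm --import, which is the same problem your users will hit if the key is missing from the discs.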