Updated Feb 21, 2026
1. Overview
Third-party developers who want to create their own package repositories must generate sha512 digest files, create GPG signatures, and prepare the necessary package files. cPanel’s update system relies on these files to verify package integrity and authenticity.
Most cPanel software dependencies are distributed as package archives stored on a public HTTP repository. The url_templates field in the rpm.versions file determines where the system retrieves these packages.
Each package directory contains a sha512 digest file listing the checksums of all packages in that directory. A detached GPG signature over the digest file authenticates the digest, and the digest in turn authenticates every package it lists, so a modified or substituted package fails verification.
2. Generate sha512 Digest Files
In every directory containing package files, you must create a sha512 digest file.
Example Directory:
root@httpupdate1:/home/www/thirdparty_pkg/11.92/centos/7/x86_64# ls -l
total 6876
-rw-r--r-- 1 tux tux 6191460 Aug 12 18:57 cpanel-angularjs-1.4.3-1.cp1154.noarch.rpm
-rw-r--r-- 1 tux tux 843872 Sep 11 17:33 cpanel-angularjs-1.4.4-1.cp1154.noarch.rpm
Create the digest file:
sha512sum *.rpm > sha512
Example digest output:
01fe3fefade91693d2e03cd2f2a2cde7613e54586e994f3477658eefbe24c6ba0347129286789ad9fc8f1aa3f32859896aed16d39055031808eea057557691d2 cpanel-angularjs-1.4.3-1.cp1154.noarch.rpm
f91a02c9fd3ef6551809ebb23e726cbe460fa8c334f592f53c773cbccc1b0cede9d139386b7e60b91bf25cd640ce9ecfd948c077bac12d2d8e069ca08a257da2 cpanel-angularjs-1.4.4-1.cp1154.noarch.rpm
Note: On Ubuntu servers, replace .rpm with .deb package names.
3. Generate a GPG Key Pair
After creating the digest file, generate a GPG key pair to sign it. Use the GPG command-line utilities for key creation.
Important: Generate and store the key on a secure system that is not reachable from the public network, and protect the private key. The web server that hosts the repository only ever needs the public key; the private key is used solely to sign digest files.
Refer to the official GnuPG documentation for detailed instructions.
4. Sign the sha512 Digest File
To prevent rollback or file-copy attacks (for example, a validly signed digest from one directory or version being served in place of another), cPanel requires a GPG signature notation whose value is the HTTP path of the digest file. A verifier compares that value with the path it actually fetched the file from, so a signature made for one location is not accepted at another.
Example:
If the digest file is located at:
http://example.com/pkg_repo/11.92/centos/7/x86_64/sha512
Then the notation value must be the path component of that URL (not the filesystem path on the web server):
/pkg_repo/11.92/centos/7/x86_64/sha512
Sign the digest file, using that path as the notation value:
gpg --output sha512.asc -u "[email protected]" --armor \
--sig-notation "[email protected]=/pkg_repo/11.92/centos/7/x86_64/sha512" \
--detach-sign sha512
This produces a detached, ASCII-armored signature, sha512.asc, which is published next to sha512 in the same directory.
5. Add Your Key to the Vendor Keystore
To allow cPanel & WHM servers to verify your signed digests, add your public key to the vendor keystore on each server. This key is the trust anchor for your repository, so distribute it only over HTTPS.
Export the public key:
Export the public key, naming the signing key explicitly (with no key given, --export writes every public key in the keyring):
gpg --output example_pkg_repo.pub.asc --armor --export KEYID
Replace KEYID with the key ID or user ID of your signing key. Store the exported file in a publicly accessible HTTPS location, such as:
https://example.com/pkg_repo/example_pkg_repo.pub.asc
Add the key to the local system:
/scripts/updatesigningkey --vendor thirdparty --category release \
--url https://example.com/pkg_repo/example_pkg_repo.pub.asc
6. Add the Repository to the Local Versions File
Update the /var/cpanel/rpm.versions.d/local.versions file to configure the system to use your repository.
Each package entry includes:
url_templates: package download location
location_keys: vendor and category values
Refer to cPanel’s documentation for rpm.versions and update_local_rpm_versions.
7. Repositories Without GPG Signatures
Warning: We strongly discourage creating repositories without GPG signatures. Without signatures, you cannot verify file authenticity.
To disable signature verification for a package, add a disabled entry:
---
file_format:
  version: 2
location_keys:
  thirdparty_rpm:
    disabled: 1
rpm_locations:
  cpanel-angularjs: thirdparty_rpm
url_templates:
  thirdparty_rpm: 'http://example.com/pkg_repo/11.92/centos/[% rpm_dist_ver %]/[% rpm_arch %]/[% package %]-[% package_version %]-[% package_revision %].noarch.rpm'
Conclusion
Setting up a third‑party repository with sha512 digests and GPG signatures ensures secure and verifiable package distribution. By generating digests, signing them, configuring keystores, and updating the rpm.versions file, you can safely integrate custom repositories into cPanel & WHM systems.
Written & researched by Dr. Shahin Siami