Hi,
I need to sign a bunch of RPM packages that have interdepencies:
build #1, sign #1, install #1, build #2, sign #2, install #2 etc.
Based on the info in bz436812 [1] I have created the key (RSA sign only,
4096bit, no sub keys) and put this in .rpmmacros:
%_signature gpg
%_gpg_path ~/.gnupg
%_gpg_name <KEY_ID>
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs \
--digest-algo=sha1 --batch --no-verbose --no-armor \
--passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
-sbo %{__signature_filename} %{__plaintext_filename}
Now I don't want to type in a rather long and difficult passphrase every
time one of dozens of packages need to be signed and I also don't want
to temporarily remove the passphrase so am looking for a better solution
that works unattended after giving the passphrase once.
I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I
could not figure out how to make that work.
Anyone know howto set this up?
Thanks!
Patrick
[1] https://bugzilla.redhat.com/show_bug.cgi?id=436812
On Thu, 2010-12-09 at 23:28 +0100, Patrick Lists wrote: What's so hard about: #!/bin/expect It will take care of all that for you in a jiffie... Yea you need a passphrase of which expect can handle for you. John
From: Patrick Lists <centos-list at puzzled.xs4all.nl>> I need to sign a bunch of RPM packages that have interdepencies: > build #1, sign #1, install #1, build #2, sign #2, install #2 etc. > Now I don't want to type in a rather long and difficult passphrase every > time one of dozens of packages need to be signed and I also don't want > to temporarily remove the passphrase so am looking for a better solution > that works unattended after giving the passphrase once. > I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I > could not figure out how to make that work. > Anyone know howto set this up?What about: '--passphrase-file file' ? JD
Patrick Lists ?????:> Hi, > > I need to sign a bunch of RPM packages that have interdepencies: > build #1, sign #1, install #1, build #2, sign #2, install #2 etc. > > Based on the info in bz436812 [1] I have created the key (RSA sign only, > 4096bit, no sub keys) and put this in .rpmmacros: > > %_signature gpg > %_gpg_path ~/.gnupg > %_gpg_name<KEY_ID> > %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs \ > --digest-algo=sha1 --batch --no-verbose --no-armor \ > --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \ > -sbo %{__signature_filename} %{__plaintext_filename} > > Now I don't want to type in a rather long and difficult passphrase every > time one of dozens of packages need to be signed and I also don't want > to temporarily remove the passphrase so am looking for a better solution > that works unattended after giving the passphrase once. > I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I > could not figure out how to make that work. > > Anyone know howto set this up? >After building a bunch of packages it can be easily signed by this way: rpm --resign *.rpm if you need to sign packages from other account: su -c "rpm --resign *.rpm" username So it requires to type password only once. It may be worth to move packages to some directory to avoid resigning of another packages, or you can change command and use names of packages instead of wildmarked name.