[CentOS] Howto batch sign RPM packages?

Patrick Lists

centos-list at puzzled.xs4all.nl
Thu Dec 9 22:28:51 UTC 2010


Hi,

I need to sign a bunch of RPM packages that have interdepencies:
build #1, sign #1, install #1, build #2, sign #2, install #2 etc.

Based on the info in bz436812 [1] I have created the key (RSA sign only,
4096bit, no sub keys) and put this in .rpmmacros:

%_signature gpg
%_gpg_path ~/.gnupg
%_gpg_name <KEY_ID>
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs \
   --digest-algo=sha1 --batch --no-verbose --no-armor \
    --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
    -sbo %{__signature_filename} %{__plaintext_filename}

Now I don't want to type in a rather long and difficult passphrase every
time one of dozens of packages need to be signed and I also don't want
to temporarily remove the passphrase so am looking for a better solution
that works unattended after giving the passphrase once.
I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I
could not figure out how to make that work.

Anyone know howto set this up?

Thanks!
Patrick

[1] https://bugzilla.redhat.com/show_bug.cgi?id=436812



More information about the CentOS mailing list