[CentOS] Howto batch sign RPM packages?

Sergey Podushkin posev at sibmail.com
Sat Dec 11 11:22:45 UTC 2010


Patrick Lists пишет:
> Hi,
>
> I need to sign a bunch of RPM packages that have interdepencies:
> build #1, sign #1, install #1, build #2, sign #2, install #2 etc.
>
> Based on the info in bz436812 [1] I have created the key (RSA sign only,
> 4096bit, no sub keys) and put this in .rpmmacros:
>
> %_signature gpg
> %_gpg_path ~/.gnupg
> %_gpg_name<KEY_ID>
> %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs \
>     --digest-algo=sha1 --batch --no-verbose --no-armor \
>      --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
>      -sbo %{__signature_filename} %{__plaintext_filename}
>
> Now I don't want to type in a rather long and difficult passphrase every
> time one of dozens of packages need to be signed and I also don't want
> to temporarily remove the passphrase so am looking for a better solution
> that works unattended after giving the passphrase once.
> I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I
> could not figure out how to make that work.
>
> Anyone know howto set this up?
>    
After building a bunch of packages it can be easily signed by this way:

rpm --resign *.rpm

if you need to sign packages from other account:

su -c "rpm --resign *.rpm" username

So it requires to type password only once.
It may be worth to move packages to some directory to avoid resigning of 
another packages, or you can change command and use names of packages 
instead of wildmarked name.




More information about the CentOS mailing list