Hi,
I need to sign a bunch of RPM packages that have interdependencies: build #1, sign #1, install #1, build #2, sign #2, install #2 etc.
Based on the info in bz436812 [1] I have created the key (RSA sign only, 4096bit, no sub keys) and put this in .rpmmacros:
%_signature gpg
%_gpg_path ~/.gnupg
%_gpg_name <KEY_ID>
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs \
    --digest-algo=sha1 --batch --no-verbose --no-armor \
    --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
    -sbo %{__signature_filename} %{__plaintext_filename}
Now I don't want to type in a rather long and difficult passphrase every time one of dozens of packages need to be signed and I also don't want to temporarily remove the passphrase so am looking for a better solution that works unattended after giving the passphrase once. I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I could not figure out how to make that work.
Anyone know how to set this up?
Thanks! Patrick
On Thu, 2010-12-09 at 23:28 +0100, Patrick Lists wrote:
What's so hard about:
#!/bin/expect
It will take care of all that for you in a jiffy... Yeah, you need a passphrase, which expect can handle for you.
John
On 12/09/2010 11:56 PM, JohnS wrote:
On Thu, 2010-12-09 at 23:28 +0100, Patrick Lists wrote:
What's so hard about:
#!/bin/expect
It will take care of all that for you in a jiffy... Yeah, you need a passphrase, which expect can handle for you.
Thanks John. Never thought about expect.
Regards, Patrick
From: Patrick Lists centos-list@puzzled.xs4all.nl
I need to sign a bunch of RPM packages that have interdependencies: build #1, sign #1, install #1, build #2, sign #2, install #2 etc. Now I don't want to type in a rather long and difficult passphrase every time one of dozens of packages need to be signed and I also don't want to temporarily remove the passphrase so am looking for a better solution that works unattended after giving the passphrase once. I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I could not figure out how to make that work. Anyone know how to set this up?
What about: '--passphrase-file file' ?
JD
On 12/10/2010 11:05 AM, John Doe wrote:
From: Patrick Lists centos-list@puzzled.xs4all.nl
I need to sign a bunch of RPM packages that have interdependencies: build #1, sign #1, install #1, build #2, sign #2, install #2 etc. Now I don't want to type in a rather long and difficult passphrase every time one of dozens of packages need to be signed and I also don't want to temporarily remove the passphrase so am looking for a better solution that works unattended after giving the passphrase once. I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I could not figure out how to make that work. Anyone know how to set this up?
What about: '--passphrase-file file' ?
Excellent suggestion which obviously I missed in the gpg manpage. Probably because I was focused on --passphrase-fd n in combination with gpgwrap.
Thanks! Patrick
On 12/10/2010 02:05 AM, John Doe wrote:
What about: '--passphrase-file file' ?
If you're going to put the key and its passphrase file on the same host, you might as well not encrypt the key at all. You're better off encrypting the filesystem that contains the key.
If you decide to use a passphrase file anyway, at least put it on a tmpfs so that you have to recreate it every time you reboot.
Patrick Lists writes:
Hi,
I need to sign a bunch of RPM packages that have interdependencies: build #1, sign #1, install #1, build #2, sign #2, install #2 etc.
Based on the info in bz436812 [1] I have created the key (RSA sign only, 4096bit, no sub keys) and put this in .rpmmacros:
%_signature gpg
%_gpg_path ~/.gnupg
%_gpg_name <KEY_ID>
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs \
    --digest-algo=sha1 --batch --no-verbose --no-armor \
    --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
    -sbo %{__signature_filename} %{__plaintext_filename}
Now I don't want to type in a rather long and difficult passphrase every time one of dozens of packages need to be signed and I also don't want to temporarily remove the passphrase so am looking for a better solution that works unattended after giving the passphrase once. I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I could not figure out how to make that work.
Anyone know how to set this up?
After building a bunch of packages they can easily be signed this way:
rpm --resign *.rpm
If you need to sign packages from another account:
su -c "rpm --resign *.rpm" username
So it requires typing the password only once. It may be worth moving the packages to a separate directory to avoid re-signing other packages, or you can change the command and use the names of the packages instead of a wildcard.
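The approach John (expect) and Sergey (one `rpm --resign` over all packages) describe, as an added example that is not from the thread: read the passphrase once with echo off, keep it only in the expect process rather than in a file on disk, and answer rpm's "Enter pass phrase:" prompt. It assumes the signing macros from the original post (rpm feeds the passphrase to gpg on fd 3); the script name is hypothetical.

```expect
#!/usr/bin/expect -f
# Added example, not part of the original thread. Usage (hypothetical name):
#   ./sign-rpms.exp /path/to/results/*.rpm
# Assumes rpm's interactive "Enter pass phrase:" prompt as in the poster's
# .rpmmacros setup (--passphrase-fd 3); the passphrase never touches disk.

if {[llength $argv] == 0} {
    puts stderr "usage: sign-rpms.exp package.rpm ..."
    exit 1
}

# Read the passphrase once from the terminal with echo disabled.
set timeout -1
stty -echo
send_user "Enter passphrase for signing key: "
expect_user -re "(.*)\n"
set passphrase $expect_out(1,string)
stty echo
send_user "\n"

# One rpm invocation for the whole batch, exactly as "rpm --resign *.rpm",
# so rpm asks for the passphrase only once; exp_continue copes if it asks again.
set timeout 120
set failed 0
eval spawn rpm --resign $argv
expect {
    -re "Enter pass ?phrase: ?" {
        send -- "$passphrase\r"
        exp_continue
    }
    -re "Pass phrase is good" { exp_continue }
    -re "Pass phrase check failed" { set failed 1; exp_continue }
    timeout { puts stderr "timeout while signing"; set failed 1 }
    eof {}
}

# Propagate rpm's exit status (4th element of the list returned by wait).
set status [lindex [wait] 3]
if {$status != 0} {
    puts stderr "rpm --resign exited with status $status"
    set failed 1
}

# Overwrite and drop the passphrase before exiting.
set passphrase [string repeat x [string length $passphrase]]
unset passphrase
exit $failed
```

This keeps the passphrase in the memory of a single short-lived process, which addresses the concern raised in the thread about a passphrase file living next to the key; a non-zero exit means at least one package was not signed.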
On 12/11/2010 12:22 PM, Sergey Podushkin wrote:
After building a bunch of packages they can easily be signed this way:
rpm --resign *.rpm
If you need to sign packages from another account:
su -c "rpm --resign *.rpm" username
So it requires typing the password only once. It may be worth moving the packages to a separate directory to avoid re-signing other packages, or you can change the command and use the names of the packages instead of a wildcard.
Thanks Sergey. This is how I now have it set up and it works fine.
Regards, Patrick