Hi,
I need to sign a bunch of RPM packages that have interdepencies:
build #1, sign #1, install #1, build #2, sign #2, install #2 etc.
Based on the info in bz436812 [1] I have created the key (RSA sign only,
4096bit, no sub keys) and put this in .rpmmacros:
%_signature gpg
%_gpg_path ~/.gnupg
%_gpg_name <KEY_ID>
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs \
--digest-algo=sha1 --batch --no-verbose --no-armor \
--passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
-sbo %{__signature_filename} %{__plaintext_filename}
Now I don't want to type in a rather long and difficult passphrase every
time one of dozens of packages need to be signed and I also don't want
to temporarily remove the passphrase so am looking for a better solution
that works unattended after giving the passphrase once.
I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I
could not figure out how to make that work.
Anyone know howto set this up?
Thanks!
Patrick
[1] https://bugzilla.redhat.com/show_bug.cgi?id=436812