Aaron S. Hawley (aaronhawley) wrote,

GPG signing RPMs unattended

At my office we package our work on Fedora systems into RPMs. I have been trying to cobble a build server to take our work from Subversion, build it, and upload it to our office's Yum repository. Sounds easy.

Fedora provides a lot of packages for automating a build server. Unfortunately, one of the final steps in the process of signing the packages with a GPG secret key cannot be automated. I've tried using an empty passphrase, and using the gpg-agent feature of GnuPG. I had to write a wrapper to fake sending the passphrase, see below.

My understanding of the problem is that RPM uses the getpass function to get the key passphrase and there's no way around this.

According to package maintainer documentation on the the Fedora Project Web site:

A Release Engineer [signs] and pushes out your updates. The signing step is currently a manual process, so your updates will not be instantly released once submitted to bodhi.

Related, Fedora is working on a putting together signing server. Apparently, they've had issues with "separating 'Who can sign' from 'Who knows the gpg passphrase'".

To get around this RPM flaw, I wrote an Expect wrapper to automatically sign RPM packages. I'm not an expert at Expect programming, but fortunately autoexpect helps.

Using the wrapper is as simple as the RPM signing command.

  $ ./rpm-sign.exp PACKAGE-FILE

Here's the script.

  #!/usr/bin/expect -f
  ### rpm-sign.exp -- Sign RPMs by sending the passphrase.
  spawn rpm --addsign {*}$argv
  expect -exact "Enter pass phrase: "
  send -- "Secret passphrase\r"
  expect eof
  ## end of rpm-sign.exp

Thank goodness for Tcl hackers.

Tags: free software, howto, programming
  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded