Aaron S. Hawley (aaronhawley) wrote,

GPG signing RPMs unattended

At my office we package our work on Fedora systems into RPMs. I have been trying to cobble a build server to take our work from Subversion, build it, and upload it to our office's Yum repository. Sounds easy.

Fedora provides a lot of packages for automating a build server. Unfortunately, one of the final steps in the process, signing the packages with a GPG secret key, cannot be automated. I tried using an empty passphrase and using the gpg-agent feature of GnuPG, and ended up having to write a wrapper that fakes typing the passphrase; see below.

My understanding of the problem is that RPM uses the getpass function to read the key passphrase from the terminal, and there's no way around this.

According to package maintainer documentation on the Fedora Project Web site:

A Release Engineer [signs] and pushes out your updates. The signing step is currently a manual process, so your updates will not be instantly released once submitted to bodhi.

Relatedly, Fedora is working on putting together a signing server. Apparently they've had issues with "separating 'Who can sign' from 'Who knows the gpg passphrase'".

To get around this RPM flaw, I wrote an Expect wrapper to automatically sign RPM packages. I'm not an expert at Expect programming, but fortunately autoexpect helps.

Using the wrapper is as simple as running the RPM signing command itself.

  $ ./rpm-sign.exp PACKAGE-FILE

Here's the script.

  #!/usr/bin/expect -f
  
  ### rpm-sign.exp -- Sign RPMs by sending the passphrase.
  
  # Signing a large package (or many at once) can take longer than
  # Expect's default 10-second timeout, so wait indefinitely.
  set timeout -1
  
  # Pass every command-line argument through to rpm as a package file.
  spawn rpm --addsign {*}$argv
  expect -exact "Enter pass phrase: "
  send -- "Secret passphrase\r"
  expect eof
  
  # Exit with rpm's own status so a failed signing fails the build.
  set status [lindex [wait] 3]
  exit $status
  
  ## end of rpm-sign.exp

Thank goodness for Tcl hackers.
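However the passphrase gets typed, a build server should not push a freshly signed package to the Yum repository until it has confirmed that the signature verifies against the key it was supposed to use. The following POSIX shell gate is an added example, not part of the original post or the author's script: it parses the output of `rpm --checksig -v` and accepts a package only when a signature from the expected key ID reports OK and nothing reports BAD or NOKEY. The key ID, package name and sample outputs are constructed so the parsing logic can be exercised without rpm installed.

```shell
#!/bin/sh
# Upload gate for signed RPMs: accept a package only if `rpm --checksig -v`
# shows an OK signature from the expected key and no failed verdicts.

# Placeholder key ID for the repository signing key (constructed, not real).
EXPECTED_KEY_ID="0608b895"

# verify_checksig_output OUTPUT KEY_ID
#   OUTPUT is the text printed by `rpm --checksig -v PACKAGE`.
#   Returns 0 only when a "Signature, key ID KEY_ID: OK" line is present
#   and no line carries a BAD, NOKEY or NOTTRUSTED verdict. A package
#   whose digests are OK but which carries no signature is rejected.
verify_checksig_output() {
    output=$1
    key_id=$2
    # Any failed verdict rejects the package outright.
    if printf '%s\n' "$output" | grep -Eq ': (BAD|NOKEY|NOTTRUSTED)'; then
        return 1
    fi
    # Digest lines alone are not enough: require a signature from our key.
    printf '%s\n' "$output" | grep -Eq "Signature, key ID ${key_id}: OK"
}

# package_is_signed_by PACKAGE KEY_ID
#   The real gate for a build server: run rpm and feed the parser.
#   (Not exercised below, since it needs rpm and the package on disk.)
package_is_signed_by() {
    pkg=$1
    key_id=$2
    out=$(rpm --checksig -v "$pkg" 2>&1) || return 1
    verify_checksig_output "$out" "$key_id"
}

# Constructed sample outputs in the shape rpm prints them.
SIGNED_OK='foo-1.0-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 0608b895: OK
    Header SHA1 digest: OK
    V3 RSA/SHA256 Signature, key ID 0608b895: OK
    MD5 digest: OK'

# Digests verify, but the package was never signed.
UNSIGNED='foo-1.0-1.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

# Signed, but by some other key than the repository key.
WRONG_KEY='foo-1.0-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID deadbeef: OK
    Header SHA1 digest: OK
    V3 RSA/SHA256 Signature, key ID deadbeef: OK
    MD5 digest: OK'

# Signed by our key ID, but the public key is not imported on this host.
NOKEY='foo-1.0-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
    Header SHA1 digest: OK
    V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
    MD5 digest: OK'

# Stand-alone demonstration over the constructed samples.
for name in SIGNED_OK UNSIGNED WRONG_KEY NOKEY; do
    eval "sample=\$$name"
    if verify_checksig_output "$sample" "$EXPECTED_KEY_ID"; then
        echo "$name: accepted"
    else
        echo "$name: rejected"
    fi
done
```

The NOKEY case is the one most worth keeping in mind on a build server: the signature is real, but because the public key is not imported on the verifying host the verdict is not OK, and the gate correctly refuses rather than treating "not BAD" as success.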

Tags: free software, howto, programming