Batch rpm signing

Last Updated on Wednesday, 28 December 2011 05:09 Written by Henri Gomez Wednesday, 28 December 2011 05:05

I’m using Jenkins to build RPMs with free-style scripts.
A decent RPM packager should sign their RPMs so that yum/zypper can verify them.

Here you can run into trouble, since rpm signing requires a passphrase to be entered at an interactive prompt:

rpm --addsign -D "_signature gpg" -D "_gpg_name packagers@myforge.org" RPMS/noarch/myjenkins-1.0.0-1.noarch.rpm
Enter pass phrase:

That is quite a problem for an RPM build factory.

After digging around the Internet, the best solution appears to be expect, so I developed a simple script for this purpose with the following constraints:

  • the packager's GPG name should be parameterized (to avoid injecting it into ~/.rpmmacros)
  • the GPG passphrase should be provided on the command line (it could be read from a secret file)
#!/usr/bin/expect -f
#
# rpmsign-batch.expect : expect powered rpm signing command
#

proc usage {} {
        send_user "Usage: rpmsign-batch.expect gpgname passphrase rpmfile\n\n"
        exit 1
}

if {[llength $argv] != 3} usage

# lindex returns the bare string; lrange would wrap a value containing spaces in braces
set gpgname [lindex $argv 0]
set passphrase [lindex $argv 1]
set rpmfile [lindex $argv 2]

# Report what is being signed, but never echo the passphrase into the build log
send_user "gpgname=$gpgname rpmfile=$rpmfile\n"

spawn rpm --addsign -D "_signature gpg" -D "_gpg_name $gpgname" $rpmfile
expect {
        -exact "Enter pass phrase: " { send -- "$passphrase\r" }
        timeout { send_user "timed out waiting for the passphrase prompt\n"; exit 1 }
        eof { send_user "rpm exited before asking for a passphrase\n"; exit 1 }
}
expect eof

# Propagate rpm's exit status so a failed signing fails the Jenkins job
set status [lindex [wait] 3]
exit $status

You can then use it to sign RPMs from your free-style jobs like this:

# Passphrase provided in clear text in the job (not a good idea)
rpmsign-batch.expect packagers@myforge.org mypassphrase RPMS/noarch/myjenkins-1.0.0-1.noarch.rpm

# Passphrase read from a secret file (better)
PASSPHRASE=$(cat /my/secret-passphrase-file)
rpmsign-batch.expect packagers@myforge.org "$PASSPHRASE" RPMS/noarch/myjenkins-1.0.0-1.noarch.rpm
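A Jenkins shell step that hardens the second invocation above, as an added example (not code from the original post): it refuses a passphrase file that other users can read, keeps the passphrase out of the console log, and then checks with rpm --checksig and %{SIGPGP:pgpsig} that the package really carries a signature from the expected key. It assumes rpmsign-batch.expect is on PATH, that the signing public key has been imported into the rpm database, and a constructed key ID; the post's script still receives the passphrase on its command line, which process listings on the build host expose.

```shell
#!/bin/bash
# Jenkins shell step wrapping rpmsign-batch.expect. Added example, not the
# original post's code. Assumes the expect script is on PATH and that the
# build host has rpm with the signing public key imported (rpm --import).
set -u

# Refuse a passphrase file that other users on the build host could read.
secret_perms_ok() {
    local mode
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# rpm --checksig prints "... pgp md5 OK" only for a verified GPG signature;
# an unsigned package still prints "sha1 md5 OK", so "OK" alone is not enough.
checksig_ok() {
    case "$1" in
        *"NOT OK"*)                       return 1 ;;
        *" pgp "*" OK" | *" PGP "*" OK")  return 0 ;;
        *)                                return 1 ;;
    esac
}

# Compare the "Key ID xxxx" at the end of %{SIGPGP:pgpsig} with the expected
# key; the 8-hex-digit short ID is the tail of the 16-digit long ID.
keyid_ok() {
    local got want
    case "$1" in *"Key ID "*) ;; *) return 1 ;; esac
    got=$(printf '%s' "${1##*"Key ID "}" | tr 'A-F' 'a-f')
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$got" in *"$want") return 0 ;; *) return 1 ;; esac
}

sign_and_verify() {
    local gpgname="$1" secret="$2" rpmfile="$3" keyid="$4" passphrase
    secret_perms_ok "$secret" || { echo "refusing: $secret is readable by others" >&2; return 1; }
    passphrase=$(cat "$secret")
    # Tracing off and output discarded so the passphrase never reaches the console log.
    { set +x; } 2>/dev/null
    rpmsign-batch.expect "$gpgname" "$passphrase" "$rpmfile" >/dev/null || return 1
    checksig_ok "$(rpm --checksig "$rpmfile")" || { echo "no valid GPG signature on $rpmfile" >&2; return 1; }
    keyid_ok "$(rpm -qp --qf '%{SIGPGP:pgpsig}' "$rpmfile")" "$keyid" \
        || { echo "$rpmfile is signed by an unexpected key" >&2; return 1; }
}
# Jenkins step (89ABCDEF is a constructed placeholder key ID):
# sign_and_verify packagers@myforge.org /my/secret-passphrase-file RPMS/noarch/myjenkins-1.0.0-1.noarch.rpm 89ABCDEF
```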

1 Comment

  1. Rina   |  Thursday, 02 February 2012 at 10:15

    Yeah, and the whole “Red Hat of sragote” thing? Umm, no, as a Red Hat employee who has also worked with Gluster, I’d kind of prefer that Red Hat be the Red Hat of sragote. Still, though, this is good fodder for the “it’s user-space so I’ll turn up my nose at it” silliness I get sometimes.
