
Batch Rpm Signing

I’m using Jenkins to build RPMs with free-style scripts.

A decent RPM packager should sign their RPMs so that yum/zypper can verify them.

Here you can run into trouble, since rpm signing requires a passphrase to be entered interactively at the command line:

rpm --addsign -D "_signature gpg" -D "_gpg_name [email protected]" RPMS/noarch/myjenkins-1.0.0-1.noarch.rpm
Enter pass phrase:

This is quite problematic for an RPM build factory.

After digging around the Internet, the best solution appears to be expect, and I developed a simple script for that purpose with the following constraints:

  • the packager's GPG name should be parameterized (to avoid injecting it into ~/.rpmmacros)

  • the GPG passphrase should be provided on the command line (so it can be read from a secret file)

#!/usr/bin/expect -f
# rpmsign-batch.expect : expect powered rpm signing command

proc usage {} {
        send_user "Usage: rpmsign-batch.expect gpgname passphrase rpmfile\n\n"
        exit 1
}

if {[llength $argv]!=3} usage

set gpgname [lindex $argv 0]
set passphrase [lindex $argv 1]
set rpmfile [lindex $argv 2]

# do not echo the passphrase : this output ends up in the Jenkins build log
send_user "gpgname=$gpgname rpmfile=$rpmfile\n"

spawn rpm --addsign -D "_signature gpg" -D "_gpg_name $gpgname" $rpmfile
expect -exact "Enter pass phrase: "
send -- "$passphrase\r"
expect eof

# propagate the rpm exit code so a failed signing fails the Jenkins step
lassign [wait] pid spawnid oserror rc
exit $rc

You can then use it to sign RPMs from your freestyle jobs like this:

# Passphrase provided in clear in the job (weird)
rpmsign-batch.expect [email protected] mypassphrase RPMS/noarch/myjenkins-1.0.0-1.noarch.rpm

# Passphrase grabbed from a secret file (better)
PASSPHRASE=$(cat /my/secret-passphrase-file)
rpmsign-batch.expect [email protected] "$PASSPHRASE" RPMS/noarch/myjenkins-1.0.0-1.noarch.rpm
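As an added example (not part of the original post), here is a batch wrapper around the expect script above that refuses a secret file with loose permissions, keeps the passphrase out of the Jenkins `set -x` trace, and verifies each signature with `rpm --checksig` before the package goes anywhere. It assumes `rpmsign-batch.expect` is on PATH, that the signing public key is imported in the rpm database, and that GNU or BSD `stat` is available.

```shell
#!/bin/sh
# sign-all.sh : batch wrapper around rpmsign-batch.expect (added example, not from the post)
# Assumptions : rpmsign-batch.expect is on PATH, the signing public key is imported in the
# rpm database so --checksig can verify, and GNU or BSD stat is available.

# Return 0 only if the secret file is a regular file owned by the current user with
# mode 0600 or 0400 ; anything group/world readable is refused.
secret_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Sign every RPM passed as argument, then verify the signature with rpm --checksig so an
# unsigned or badly signed package fails the build instead of reaching the repository.
sign_rpms() {
    gpgname=$1
    secret=$2
    shift 2
    secret_file_ok "$secret" || { echo "refusing $secret: bad owner or mode" >&2; return 1; }
    # Jenkins "Execute shell" steps run with set -x : stop tracing before the passphrase
    # lands in a variable, otherwise it is echoed into the build log.
    set +x
    passphrase=$(cat "$secret")
    for rpm in "$@"; do
        # the passphrase is still visible on the expect process command line (ps), exactly
        # as with the original script ; keep the build agent restricted to trusted users
        rpmsign-batch.expect "$gpgname" "$passphrase" "$rpm" >/dev/null || return 1
        # accept both the old "... pgp md5 OK" and the newer "digests signatures OK" output
        rpm --checksig "$rpm" | grep -Eq '(pgp|gpg|signatures).* OK$' \
            || { echo "$rpm: signature check failed" >&2; return 1; }
    done
    unset passphrase
}

# Jenkins usage : sign-all.sh [email protected] /my/secret-passphrase-file RPMS/noarch/*.rpm
if [ "$#" -ge 3 ]; then
    sign_rpms "$@"
fi
```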