Skip to content

Commit

Permalink
Remove use of expect/rpmmacros and configure --pinentry-mode
Browse files Browse the repository at this point in the history
  • Loading branch information
andypitcher committed Oct 25, 2023
1 parent c8c1fd6 commit 5708c9d
Showing 1 changed file with 12 additions and 17 deletions.
29 changes: 12 additions & 17 deletions policy/centos9/scripts/sign
Original file line number Diff line number Diff line change
@@ -1,45 +1,40 @@
#!/bin/bash
set -e -x

yum install -y rpm-sign expect pinentry
yum install -y rpm-sign

pushd $(dirname $0)/..
. ./scripts/version
popd

cat <<\EOF >~/.rpmmacros
%_signature gpg
%_gpg_name [email protected]
EOF

case "$RPM_CHANNEL" in
"testing")
export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
exit 1
fi
gpg --batch --import - <<< "$TESTING_PRIVATE_KEY"
set +x
echo "Importing GPG private key TESTING_PRIVATE_KEY"
gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY"
set -x
;;
"production")
if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
echo "PRIVATE_KEY not defined, failing rpm sign"
exit 1
fi
gpg --batch --import - <<< "$PRIVATE_KEY"
set +x
echo "Importing GPG private key PRIVATE_KEY"
gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY"
set -x
;;
*)
echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]"
exit 1
;;
esac

expect <<EOF
set timeout 60
spawn sh -c "rpmsign --addsign dist/centos9/**/rancher-*.rpm"
expect "Passphrase:"
send -- "$PRIVATE_KEY_PASS_PHRASE\r"
expect eof
lassign [wait] _ _ _ code
exit \$code
EOF
set +x
echo "Signing RPMs with [email protected]'s GPG KEY"
rpmsign --addsign dist/centos9/**/rancher-*.rpm --define "_gpg_name [email protected]" --define "_gpgbin /usr/bin/gpg" --define "__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --no-armor --pinentry-mode loopback --passphrase "$PRIVATE_KEY_PASS_PHRASE" -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}"

0 comments on commit 5708c9d

Please sign in to comment.