Remove use of expect/rpmmacros and configure --pinentry-mode
1 parent
c8c1fd6
commit 5708c9d
Showing
1 changed file
with
12 additions
and
17 deletions.
@@ -1,45 +1,40 @@ | ||
#!/bin/bash | ||
set -e -x | ||
|
||
yum install -y rpm-sign expect pinentry | ||
yum install -y rpm-sign | ||
|
||
pushd $(dirname $0)/.. | ||
. ./scripts/version | ||
popd | ||
|
||
cat <<\EOF >~/.rpmmacros | ||
%_signature gpg | ||
%_gpg_name [email protected] | ||
EOF | ||
|
||
case "$RPM_CHANNEL" in | ||
"testing") | ||
export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE | ||
if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then | ||
echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" | ||
exit 1 | ||
fi | ||
gpg --batch --import - <<< "$TESTING_PRIVATE_KEY" | ||
set +x | ||
echo "Importing GPG private key TESTING_PRIVATE_KEY" | ||
gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY" | ||
set -x | ||
;; | ||
"production") | ||
if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then | ||
echo "PRIVATE_KEY not defined, failing rpm sign" | ||
exit 1 | ||
fi | ||
gpg --batch --import - <<< "$PRIVATE_KEY" | ||
set +x | ||
echo "Importing GPG private key PRIVATE_KEY" | ||
gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY" | ||
set -x | ||
;; | ||
*) | ||
echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" | ||
exit 1 | ||
;; | ||
esac | ||
|
||
expect <<EOF | ||
set timeout 60 | ||
spawn sh -c "rpmsign --addsign dist/centos9/**/rancher-*.rpm" | ||
expect "Passphrase:" | ||
send -- "$PRIVATE_KEY_PASS_PHRASE\r" | ||
expect eof | ||
lassign [wait] _ _ _ code | ||
exit \$code | ||
EOF | ||
set +x | ||
echo "Signing RPMs with [email protected]'s GPG KEY" | ||
rpmsign --addsign dist/centos9/**/rancher-*.rpm --define "_gpg_name [email protected]" --define "_gpgbin /usr/bin/gpg" --define "__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --no-armor --pinentry-mode loopback --passphrase "$PRIVATE_KEY_PASS_PHRASE" -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}" |
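Review bot: The passphrase is handed to gpg as a command-line argument in all three new invocations (`--passphrase $PRIVATE_KEY_PASS_PHRASE` on the testing and production import lines, and again inside the `__gpg_sign_cmd` define on the final rpmsign line), so it is readable by any local user on the build host through the process list for as long as each gpg runs; the surrounding `set +x` only keeps it out of the shell trace. The variable is also unquoted in all three places — and on the rpmsign line the inner `"$PRIVATE_KEY_PASS_PHRASE"` closes and reopens the outer `--define` string, so it is expanded unquoted there too — which means an empty passphrase lets `--passphrase` swallow the following option and a passphrase containing whitespace splits the define into several arguments; the production branch never checks that `PRIVATE_KEY_PASS_PHRASE` is set at all. Write the passphrase once to a `mktemp` file (created 0600, removed via `trap ... EXIT`), point all three invocations at it with `--passphrase-file`, and guard each branch with `: "${PRIVATE_KEY_PASS_PHRASE:?PRIVATE_KEY_PASS_PHRASE must be set}"` before the import. Separately, `--force-v3-sigs` is, as far as I recall, ignored by GnuPG 2.x and could be dropped, and `dist/centos9/**/rancher-*.rpm` only matches one directory level without `shopt -s globstar`, though that pattern is carried over unchanged from the removed expect block.
```shell
pass_file=$(mktemp) || exit 1
trap 'rm -f -- "$pass_file"' EXIT
# … unchanged: case "$RPM_CHANNEL" in, "testing") export …, BEGIN PGP check …
    : "${PRIVATE_KEY_PASS_PHRASE:?PRIVATE_KEY_PASS_PHRASE must be set}"
    printf '%s' "$PRIVATE_KEY_PASS_PHRASE" > "$pass_file"
    gpg --yes --batch --pinentry-mode loopback --passphrase-file "$pass_file" --import - <<< "$TESTING_PRIVATE_KEY"
# … unchanged: "production") branch, same three lines with PRIVATE_KEY …
# … unchanged: esac, set +x, echo "Signing RPMs …" …
rpmsign --addsign dist/centos9/**/rancher-*.rpm --define "_gpg_name [email protected]" --define "_gpgbin /usr/bin/gpg" --define "__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --no-armor --pinentry-mode loopback --passphrase-file $pass_file -u \"%{_gpg_name}\" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}"
```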