Merge pull request #23 from andypitcher/remove-centos9-sign-expect

Remove use of expect/rpmmacros and configure --pinentry-mode
rancher · Oct 25, 2023 · 60a0910 · 60a0910
2 parents cac00f2 + 5708c9d
commit 60a0910
Showing 1 changed file with 12 additions and 17 deletions.
diff --git a/policy/centos9/scripts/sign b/policy/centos9/scripts/sign
@@ -1,45 +1,40 @@
 #!/bin/bash
 set -e -x
 
-yum install -y rpm-sign expect pinentry
+yum install -y rpm-sign
 
 pushd $(dirname $0)/..
 . ./scripts/version
 popd
 
-cat <<\EOF >~/.rpmmacros 
-%_signature gpg
-%_gpg_name [email protected]
-EOF
-
 case "$RPM_CHANNEL" in
   "testing")
     export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
     if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
       echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
       exit 1
     fi
-    gpg --batch --import - <<< "$TESTING_PRIVATE_KEY" 
+    set +x
+    echo "Importing GPG private key TESTING_PRIVATE_KEY"
+    gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY"
+    set -x
     ;;
   "production")
     if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
       echo "PRIVATE_KEY not defined, failing rpm sign"
       exit 1
     fi
-    gpg --batch --import - <<< "$PRIVATE_KEY" 
+    set +x
+    echo "Importing GPG private key PRIVATE_KEY"
+    gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY"
+    set -x
     ;;
   *)
     echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]"
     exit 1
     ;;
 esac
 
-expect <<EOF
-set timeout 60
-spawn sh -c "rpmsign --addsign dist/centos9/**/rancher-*.rpm"
-expect "Passphrase:"
-send -- "$PRIVATE_KEY_PASS_PHRASE\r"
-expect eof
-lassign [wait] _ _ _ code
-exit \$code
-EOF
+set +x
+echo "Signing RPMs with [email protected]'s GPG KEY"
+rpmsign --addsign dist/centos9/**/rancher-*.rpm --define "_gpg_name [email protected]" --define "_gpgbin /usr/bin/gpg" --define "__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch  --no-armor --pinentry-mode loopback --passphrase "$PRIVATE_KEY_PASS_PHRASE" -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}"