Hi,
I'm trying to package some software with rpmbuild and signing the packages at the same time. I'm following the guide found here:
http://www.ibm.com/developerworks/library/l-rpm3/
It mostly works - I do get properly signed RPMs at the end - however, despite running gpg-agent, rpmbuild keeps asking for my (lengthy) GPG-passphrase every single time it is finished with a spec-file. This can be particularly annoying when building very large packages, because, instead of asking again, rpmbuild will abort the entire process if I mistype the passphrase even once. If I run rpmbuild again after that, it will build the whole package over again...
I have started gpg-agent (as a normal user) with
gpg-agent --daemon --enable-ssh-support \
    --write-env-file "${HOME}/.gpg-agent-info"
I have put the following lines
if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
    export SSH_AGENT_PID
fi
GPG_TTY=$(tty)
export GPG_TTY
at the end of my .bashrc, and also manually run them in my current shell. The env command tells me it knows of the variables GPG_AGENT_INFO, SSH_AGENT_PID, SSH_AUTH_SOCK, and GPG_TTY, with plausible looking values in all cases. When I just run gpg-agent in my current shell with no parameters, it tells me "gpg-agent: gpg-agent running and available". I'm running rpmbuild like this:
rpmbuild -ba --sign rpmbuild/SPECS/<specfile>
What am I still missing?
Guido
On Thu, 22 Nov 2012 20:33:08 +0100, Guido Winkelmann wrote:
> Hi,
> I'm trying to package some software with rpmbuild and signing the packages at the same time. I'm following the guide found here:
> http://www.ibm.com/developerworks/library/l-rpm3/
> It mostly works - I do get properly signed RPMs at the end - however, despite running gpg-agent, rpmbuild keeps asking for my (lengthy) GPG-passphrase every single time it is finished with a spec-file. This can be particularly annoying when building very large packages, because, instead of asking again, rpmbuild will abort the entire process if I mistype the passphrase even once. If I run rpmbuild again after that, it will build the whole package over again...
> I have started gpg-agent (as a normal user) with
> gpg-agent --daemon --enable-ssh-support \
>     --write-env-file "${HOME}/.gpg-agent-info"
> I have put the following lines
> if [ -f "${HOME}/.gpg-agent-info" ]; then
>     . "${HOME}/.gpg-agent-info"
>     export GPG_AGENT_INFO
>     export SSH_AUTH_SOCK
>     export SSH_AGENT_PID
> fi
> GPG_TTY=$(tty)
> export GPG_TTY
> at the end of my .bashrc, and also manually run them in my current shell. The env command tells me it knows of the variables GPG_AGENT_INFO, SSH_AGENT_PID, SSH_AUTH_SOCK, and GPG_TTY, with plausible looking values in all cases. When I just run gpg-agent in my current shell with no parameters, it tells me "gpg-agent: gpg-agent running and available". I'm running rpmbuild like this:
> rpmbuild -ba --sign rpmbuild/SPECS/<specfile>
> What am I still missing?
It may be necessary to redefine the RPM macro %__gpg_sign_cmd to add option --use-agent when executing gpg. That's what I've done for the old Fedora Extras pushscripts and when testing possible alternatives to Pexpect/expect.
On 11/22/12, Guido Winkelmann <guido-fedora-users@unknownsite.de> wrote:
> Hi,
> I'm trying to package some software with rpmbuild and signing the packages at the same time. I'm following the guide found here:
> http://www.ibm.com/developerworks/library/l-rpm3/
> It mostly works - I do get properly signed RPMs at the end - however, despite running gpg-agent, rpmbuild keeps asking for my (lengthy) GPG-passphrase every single time it is finished with a spec-file. This can be particularly annoying when building very large packages, because, instead of asking again, rpmbuild will abort the entire process if I mistype the passphrase even once. If I run rpmbuild again after that, it will build the whole package over again...
When I used to maintain Node.js packages for Fedora, I always ran `rpmsign --addsign` after a plain rpmbuild without the --sign. Doing it this way only requires entry of the password once as long as you pass a glob to rpmsign, and eliminates the need for a full rebuild if you typo the passphrase.
-T.C.
On Sun, 9 Dec 2012 16:12:11 -0700, T.C. Hollingsworth wrote:
> When I used to maintain Node.js packages for Fedora, I always ran `rpmsign --addsign` after a plain rpmbuild without the --sign. Doing it this way only requires entry of the password once as long as you pass a glob to rpmsign, and eliminates the need for a full rebuild if you typo the passphrase.
How many files did you sign _at once_? If the glob matches too many files, you would need to enter the passphrase more than once.
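
The build-first, sign-afterwards workflow suggested in the thread, as an added example that is not part of the original messages: a failed signing run is retried without rebuilding, and every package is then checked for a signature. The function names and the RPMSIGN, RPMCHECK and MAX_TRIES variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build without --sign, then sign and verify separately.
# RPMSIGN, RPMCHECK and MAX_TRIES are hypothetical override variables
# introduced here; by default the real rpmsign and rpm commands are used.
RPMSIGN=${RPMSIGN:-rpmsign}
RPMCHECK=${RPMCHECK:-rpm}
MAX_TRIES=${MAX_TRIES:-3}

# sign_rpms FILE...: sign every file in one rpmsign invocation and retry
# on failure (such as a mistyped passphrase) instead of rebuilding.
sign_rpms() {
    [ "$#" -gt 0 ] || { echo "sign_rpms: no packages given" >&2; return 2; }
    try=1
    while [ "$try" -le "$MAX_TRIES" ]; do
        if "$RPMSIGN" --addsign "$@"; then
            return 0
        fi
        echo "signing failed (attempt $try of $MAX_TRIES)" >&2
        try=$((try + 1))
    done
    return 1
}

# verify_rpms FILE...: print each package that has no verified signature and
# return non-zero if there is one. Assumption: "rpm --checksig" reports a
# good signature with a lowercase "pgp", "gpg" or "signatures" token and
# exits non-zero on failure; the exact wording varies between rpm versions.
# The signing key's public half must already be imported (rpm --import).
verify_rpms() {
    bad=0
    for pkg in "$@"; do
        # Drop the leading "FILE:" so the file name cannot satisfy the match.
        res=$("$RPMCHECK" --checksig "$pkg" 2>&1) && res=${res#"$pkg":} || res=
        case "$res" in
            *pgp*|*gpg*|*signatures*) ;;
            *) echo "$pkg"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Typical use (paths follow the layout used in the thread):
#   rpmbuild -ba rpmbuild/SPECS/<specfile>
#   sign_rpms rpmbuild/RPMS/*/*.rpm rpmbuild/SRPMS/*.rpm &&
#       verify_rpms rpmbuild/RPMS/*/*.rpm rpmbuild/SRPMS/*.rpm
```

A package that `rpm --checksig` accepts on digests alone is still listed by verify_rpms, since a passing digest check says nothing about whether the package was signed.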