On Wed, 10 Mar 2004, Hugo van der Kooij wrote:

>On Wed, 10 Mar 2004, Aaron Hanson wrote:
>
>> This may be more about gpg but anyways: I'm trying to sign
>> packages in an automated build. When I created my gpg keys, I couldn't
>> see a way to make the keys 'unprotected'; i.e. no passphrase. I just
>> provided a zero-length phrase.
>>
>> Even with the zero length phrase, when I invoke 'rpmbuild --sign
>> [opts] [spec]', gpg still prompts for a passphrase. Any ideas on how
>> to get around this? Thanks..
>
> The passphrase is there for a sane reason. If you start signing packages
> automatically then the signature is only misleading. How can I trust a
> signature from someone who was not even present during the signing process?
>

There are many ways that I could make others trust a package that I have signed; money, influence, intimidation, have historically been very effective ;-). It is really an issue of trust between me and my customers that I am able to keep my private key private.

So thanks for the warning, but I'm hoping this list can address the -technical- issue.

-Aaron