On Wed, Mar 10, 2004 at 02:56:04PM -0800, Aaron Hanson wrote:
> Hi All-
>
> This may be more about gpg but anyways: I'm trying to sign packages
> in an automated build. When I created my gpg keys, I couldn't see a way
> to make the keys 'unprotected'; i.e. no passphrase. I just provided a
> zero-length phrase.
>
> Even with the zero length phrase, when I invoke 'rpmbuild --sign
> [opts] [spec]', gpg still prompts for a passphrase. Any ideas on how to
> get around this? Thanks.
>

Automagic signing of rpm pkgs is doable but excruciatingly complex.

First you need to figger how to automate gpg signing. There's some contortion to echo a pass phrase down some additional fd; I've forgotten the details, but it shouldn't be hard to find the evil invocation voo-doo, the issue comes up every 6 months or so on gpg lists.

Then you need to teach rpm the voo-doo. Since the gpg invocation is just a macro, adding/changing/deleting arguments is quite doable. Here's the macro that defines the invocation of gpg to sign a package:

    %__gpg_sign_cmd %{__gpg} \
        gpg --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning \
        -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}

Add whatever additional glop is needed to teach gpg what file descriptor you are going to send the pass phrase over.

Finally, you'll need to do the plumbing to attach the file descriptor to rpm when invoking so that gpg receives the pass phrase. The trick here will be to invoke /usr/lib/rpm/rpmk rather than /bin/rpm to avoid Yet Another execve. AFAIK (and I just checked) rpm will not close the extra fd.

You may still be fighting rpm's invocation of getpass(3); a little treachery with an expect script and a pseudo-tty might solve that problem. In fact, a little treachery with expect might solve the whole mess more efficiently.

Good luck!
I'm totally not interested in a patch if you succeed as well; life is far too short to attempt to support and maintain this degree of complex hackery for a task that is supposed to be done manually.

However, if you can think of a signature scheme that can be automated, like a zero knowledge proof of possession of a secret, I might consider attempting autosigning packages. Note that this is a research grade problem; DSA and RSA simply won't do.

73 de Jeff

--
Jeff Johnson ARS N3NPQ
jbj@xxxxxxxxxx (jbj@xxxxxxx)
Chapel Hill, NC

_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/rpm-list
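The fd plumbing the reply describes, as an added example that is not part of the thread, of rpm, or of GnuPG: a POSIX shell script that attaches a passphrase to file descriptor 3 with a here-document and runs the signer under that redirection, so the secret never appears on the command line (visible in ps) or in the child's environment. A stand-in reader, the hypothetical function fake_gpg, takes gpg's place so the plumbing can be checked without a keyring. The real invocation, sign_srpm_batch, assumes gpg and rpmbuild on PATH and the environment variables GPG_NAME and RPM_SIGN_PASS (all assumptions, not exercised by the self-check) and overrides the %__gpg_sign_cmd macro quoted in the reply with --define. The macro is the reply's one with --pinentry-mode loopback added, which GnuPG 2.1 and later require before they honour --passphrase-fd in batch mode.

```shell
#!/bin/sh
# Added example, not code from the rpm-list thread or from rpm/GnuPG.
# Feeds a passphrase to a child process over file descriptor 3, which is
# what gpg's "--passphrase-fd 3" reads from, and shows the matching
# rpmbuild macro override.

# Stand-in for "gpg --passphrase-fd 3" (hypothetical): reads exactly one
# line from fd 3 and echoes it back so the plumbing can be verified
# without a keyring.
fake_gpg() {
    IFS= read -r phrase <&3 || return 1
    printf 'got:%s\n' "$phrase"
}

# Run "$@" with the passphrase in $1 attached to fd 3 via a here-document.
# The secret is not in the child's argv and not exported in its environment;
# only a process that inherits fd 3 can read it.
with_passphrase_fd3() {
    pass=$1
    shift
    "$@" 3<<EOF
$pass
EOF
}

# Returns 0 when the child saw the exact passphrase through fd 3.
check_fd3_plumbing() {
    out=$(with_passphrase_fd3 'correct horse' fake_gpg)
    [ "$out" = "got:correct horse" ]
}

# Real invocation (assumptions: gpg and rpmbuild on PATH, GPG_NAME names a
# key in the build user's keyring, RPM_SIGN_PASS holds its passphrase).
# The macro is the one quoted in the reply plus --pinentry-mode loopback,
# which GnuPG 2.1+ needs before it will take a passphrase from an fd.
sign_srpm_batch() {
    spec=$1
    with_passphrase_fd3 "$RPM_SIGN_PASS" rpmbuild --sign \
        --define "_gpg_name $GPG_NAME" \
        --define '__gpg_sign_cmd %{__gpg} gpg --batch --no-verbose --no-armor --pinentry-mode loopback --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}' \
        -bb "$spec"
}

# Stand-alone run: exercise the plumbing with the stand-in reader only.
check_fd3_plumbing && echo "fd 3 plumbing ok"
```

A here-document supplies one line and the descriptor is inherited by every process the build spawns, so a build that signs several packages needs checking that each gpg invocation still finds a passphrase on fd 3; that, together with rpm's own getpass(3) prompt, is the plumbing the reply warns about. Whatever feeds fd 3, the passphrase is only as safe as the build host that holds it, so an automated build should sign with a dedicated signing subkey that can be revoked without touching the release key.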