My personal preference is to batch sign them after creation. However, it should also be possible to use 'expect' to pass in the passphrase during the build process. -----Original Message----- From: rpm-list-bounces@xxxxxxxxxx [mailto:rpm-list-bounces@xxxxxxxxxx] On Behalf Of Lev Lvovsky Sent: Thursday, October 09, 2008 11:01 AM To: RPM Package Manager Subject: Re: signing RPMs without a passphrase? thank you *Jeff*! The first response in the link provided just seemed a little off-base to me. There's nothing intrinsically more secure about me typing in some passphrase vs. an automated procedure just skipping the step - AFAIK, GPG is used to provide file signature verification (along with mdt5 and whatever other hash algo. is employed). But it's also used to verify the entity that the RPM came from - an identity which the installer chooses to trust, passphrase notwithstanding. Am I missing something there? I'll check out keyutils - thank you very much for your help Jeff! -lev On Oct 7, 2008, at 5:16 PM, Jeff Johnson wrote: > Well 2004 was a long time ago. Times have changed too ... > > FWIW, rpm-5 uses keyutils to store passphrases. > > Which means that its possible to us keyutils to manage > a persistent session pass phrase, loaded before rpm is invoked, > and the passphrase will be passed to gpg for signinging packages. > > But you can attempt signing without a pass phrase if you want too. > > 73 de Jeff > > On Oct 7, 2008, at 7:26 PM, Aaron Hanson wrote: > >> https://www.redhat.com/archives/rpm-list/2004-March/msg00109.html >> >>> -----Original Message----- >>> From: rpm-list-bounces@xxxxxxxxxx [mailto:rpm-list-bounces@xxxxxxxxxx >>> ] >>> On Behalf Of Lev Lvovsky >>> Sent: Tuesday, October 07, 2008 4:18 PM >>> To: rpm-list@xxxxxxxxxx >>> Subject: signing RPMs without a passphrase? >>> >>> Is it possible to sign an RPM without being asked the passphrase for >>> the signing key? It hampers automated RPM creation to be asked for >>> the passphrase when building them. Otherwise, is the only other >>> option just batch signing the RPMs after they've been created? >>> >>> thanks, >>> -lev >>> >>> _______________________________________________ >>> Rpm-list mailing list >>> Rpm-list@xxxxxxxxxx >>> https://www.redhat.com/mailman/listinfo/rpm-list >> >> _______________________________________________ >> Rpm-list mailing list >> Rpm-list@xxxxxxxxxx >> https://www.redhat.com/mailman/listinfo/rpm-list > > _______________________________________________ > Rpm-list mailing list > Rpm-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/rpm-list _______________________________________________ Rpm-list mailing list Rpm-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/rpm-list _______________________________________________ Rpm-list mailing list Rpm-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/rpm-list
