[opensuse-packaging] A way to provide gpg key?
Is there a way to automatically provide the passkey to gpg and rpmbuild when using the 'build' scripts? Many times I build packages for both i586 and x86_64 and SUSE versions 9.3 -> 10.1 and SLES9 & 10. It would be really nice to automate all the passkey entries so I can run it all in one batch.

--
Anders Norrbring
Norrbring Consulting
Hi,

On Thursday, November 09, 2006 at 19:29:22, Anders Norrbring wrote:
> Is there a way to automatically provide the passkey to gpg and rpmbuild when using the 'build' scripts?

How about not signing them during building but use rpm --addsign later.

Henne

--
Henne Vogelsang, http://hennevogel.de
"To die. In the rain. Alone." Ernest Hemingway
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-packaging+help@opensuse.org
On Thu, Nov 09, 2006 at 07:29:22PM +0100, Anders Norrbring wrote:
> Is there a way to automatically provide the passkey to gpg and rpmbuild when using the 'build' scripts? Many times I build packages for both i586 and x86_64 and SUSE versions 9.3 -> 10.1 and SLES9 & 10. It would be really nice to automate all the passkey entries so I can run it all in one batch.

Just remove the passphrase from your key. It does not make any sense to encrypt your private key with a passphrase and then store this passphrase somewhere on the disk for a batch process.

Robert

--
Robert Schiele
Dipl.-Wirtsch.informatiker mailto:rschiele@gmail.com
"Quidquid latine dictum sit, altum sonatur."
Robert Schiele wrote:
> On Thu, Nov 09, 2006 at 07:29:22PM +0100, Anders Norrbring wrote:
>> Is there a way to automatically provide the passkey to gpg and rpmbuild when using the 'build' scripts? Many times I build packages for both i586 and x86_64 and SUSE versions 9.3 -> 10.1 and SLES9 & 10. It would be really nice to automate all the passkey entries so I can run it all in one batch.
> Just remove the passphrase from your key. It does not make any sense to encrypt your private key with a passphrase and then store this passphrase somewhere on the disk for a batch process.

Hmm.. That would be a good point.. ;) I didn't realize that gpg / rpmbuild accepted passphrase-free keys. I'll look at it!

--
Anders Norrbring
Norrbring Consulting
On 2006-11-09 20:50:13 +0100, Anders Norrbring wrote:
>> Just remove the passphrase from your key. It does not make any sense to encrypt your private key with a passphrase and then store this passphrase somewhere on the disk for a batch process.
> Hmm.. That would be a good point.. ;) I didn't realize that gpg / rpmbuild accepted passphrase-free keys. I'll look at it!

better look at henne's suggestion.

darix

--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
Hi,

On Thursday, November 09, 2006 at 21:02:52, Marcus Rueckert wrote:
> On 2006-11-09 20:50:13 +0100, Anders Norrbring wrote:
>>> Just remove the passphrase from your key. It does not make any sense to encrypt your private key with a passphrase and then store this passphrase somewhere on the disk for a batch process.
>> Hmm.. That would be a good point.. ;) I didn't realize that gpg / rpmbuild accepted passphrase-free keys. I'll look at it!
> better look at henne's suggestion.

    #!/bin/bash
    # Find RPMs under UPLOAD_DIR that carry no GPG signature and sign them.
    UPLOAD_DIR=/local/upload
    TOSIGN=()

    # NUL-delimited find output keeps paths containing whitespace intact
    while IFS= read -r -d '' file; do
        # %{SIGGPG} expands to "(none)" when the package has no GPG signature
        SIG=$(rpm --nosignature -q --qf '%{SIGGPG}\n' -p "$file")
        if [ "$SIG" = "(none)" ]; then
            TOSIGN+=("$file")
        fi
    done < <(find "$UPLOAD_DIR" -type f -name "*.rpm" -print0)

    if [ "${#TOSIGN[@]}" -eq 0 ]; then
        echo "no packages without a signature"
        exit 0
    fi

    echo "packages to sign"
    echo "${TOSIGN[@]}"
    echo "adding signature to rpm"
    # One rpm invocation, so the passphrase is requested once for the whole batch
    rpm --addsign "${TOSIGN[@]}"

that will sign all rpm's in /local/upload without a signature with your default key (set up in ~/.rpmmacros).

Henne

--
Henne Vogelsang, http://hennevogel.de
"To die. In the rain. Alone." Ernest Hemingway
Marcus Rueckert wrote:
> On 2006-11-09 20:50:13 +0100, Anders Norrbring wrote:
>>> Just remove the passphrase from your key. It does not make any sense to encrypt your private key with a passphrase and then store this passphrase somewhere on the disk for a batch process.
>> Hmm.. That would be a good point.. ;) I didn't realize that gpg / rpmbuild accepted passphrase-free keys. I'll look at it!
> better look at henne's suggestion.

Hmm.. That would be a way as well, but it kind of defeats the lbuild scripts that copy the built packages to the repository and run createrepo on it. Sure, the scripts can be edited... Would gpg's --passphrase-fd option be useful somewhere? I guess it needs to be respected by rpmbuild in some way. I just don't know how...

--
Anders Norrbring
Norrbring Consulting
Robert Schiele wrote:
> On Thu, Nov 09, 2006 at 07:29:22PM +0100, Anders Norrbring wrote:
>> Is there a way to automatically provide the passkey to gpg and rpmbuild when using the 'build' scripts? Many times I build packages for both i586 and x86_64 and SUSE versions 9.3 -> 10.1 and SLES9 & 10. It would be really nice to automate all the passkey entries so I can run it all in one batch.
> Just remove the passphrase from your key. It does not make any sense to encrypt your private key with a passphrase and then store this passphrase somewhere on the disk for a batch process.

Just out of curiosity and experimenting, how would I go about doing that? I just generated a new keypair, just pressing <enter> when asked for a pass, then I exported as described in the build script's dists_common file. Still, rpmbuild asks for the passphrase, I have to hit enter to continue.

--
Anders Norrbring
Norrbring Consulting
On 2006-11-13 19:32:26 +0100, Anders Norrbring wrote:
> Still, rpmbuild asks for the passphrase, I have to hit enter to continue.

1. keys without passphrases are stupid.
2. do all the builds you want. and before you upload your rpms

    rpm --resign|--addsign *.rpm

and all your rpms will be signed with typing your passphrase _once_

hope this helps

darix

--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
On Mon, Nov 13, 2006 at 10:24:23PM +0100, Marcus Rueckert wrote:
> On 2006-11-13 19:32:26 +0100, Anders Norrbring wrote:
>> Still, rpmbuild asks for the passphrase, I have to hit enter to continue.
> 1. keys without passphrases are stupid.

Such generic statements are extremely stupid! If you really needed to sign something _automatically_ and have a machine that is not accessible by other persons then it makes perfect sense to use unencrypted keys.

> 2. do all the builds you want. and before you upload your rpms
>     rpm --resign|--addsign *.rpm
> and all your rpms will be signed with typing your passphrase _once_
> hope this helps

This is a solution if typing the passphrase once is an option but not if manual interaction is not an option. So if you want to answer such questions in a serious way then first ask what other people really want to do and don't bash other solutions just because you _think_ that what someone else is doing is stupid without actually discussing it.

Robert

--
Robert Schiele
Dipl.-Wirtsch.informatiker mailto:rschiele@gmail.com
"Quidquid latine dictum sit, altum sonatur."
On Mon, Nov 13, 2006 at 07:32:26PM +0100, Anders Norrbring wrote:
> Just out of curiosity and experimenting, how would I go about doing that? I just generated a new keypair, just pressing <enter> when asked for a pass, then I exported as described in the build script's dists_common file.
> Still, rpmbuild asks for the passphrase, I have to hit enter to continue.

Yes, unfortunately that is what an out-of-the-box rpm binary does. You either have to use a patched rpm binary or you have to work around this with something like

    echo -e 'spawn rpm --addsign my.rpm\nexpect "Enter pass phrase:"\nsend "\\r"\nexpect' | expect

You can also substitute "rpm --addsign" with the command you are actually using.

Robert

--
Robert Schiele
Dipl.-Wirtsch.informatiker mailto:rschiele@gmail.com
"Quidquid latine dictum sit, altum sonatur."
participants (4)
- Anders Norrbring
- Henne Vogelsang
- Marcus Rueckert
- Robert Schiele