Open geoghegan opened 7 years ago
@geoghegan yes, that will be nice to have. To implement that, the rpmfile module will need to be extended to write file metadata.
And, we need to somehow detect the lack of signature just by looking at the metadata.
In bash, the signature can be checked by doing:
```bash
# Check whether the RPM is already signed, and bail if it is.
# With --verbose, `rpm --checksig` names the signing key ("key ID <id>"),
# so a match on the expected key ID means this package was already promoted.
SIGNING_CHECK=$(rpm --verbose --checksig "$FILENAME")
if echo "$SIGNING_CHECK" | grep -q "key ID $KEYID"; then
    echo "RPM Signed as $SIGNING_CHECK -- bailing"
    exit 1
fi
echo "RPM Not Signed"
```
What becomes annoying is piping the GPG key's password into `rpm --sign`. The workaround I've found, at least in bash, is to use the `expect` command, as in the following snippet:
```bash
# Drive rpm's interactive passphrase prompt with expect.
# FILENAME and GPG_PASS are expanded by the shell before expect reads the heredoc,
# so the passphrase is handed to rpm through the pty rather than on the command line.
expect <<EOD
spawn bash -c "rpm --addsign $FILENAME"
expect "Enter pass phrase:"
send "${GPG_PASS}\r"
expect eof
EOD
```
The steps I have in my initial feature request might sound a bit strange; however, they allow people to decouple the build and deploy of unsigned RPMs, with mkrepo responsible for "promoting" the signed packages by pulling down the unsigned RPM, signing it, and redeploying it to an S3 bucket.
@geoghegan It's clear how to check for a signature when the file is present on the local machine. But imagine you are running mkrepo against an S3 bucket. Then you'll have to basically download every package to check if it's signed. We need a way to detect the presence of a file signature from the central metadata file.
OR, alternatively, we can just assume that every file that exists in the metadata was already handled by us, and should have been signed.
As for signing using gpg, there are a few functions in mkrepo that already handle the interactive prompt, as the metadata files are signed using gpg.
It'd be really nice if anyone could help with writing code that injects signature into RPM files. It shouldn't be that hard, as the file format is pretty straightforward.
Yeah, it would be nice to check the metadata of the RPMs without downloading them - that is difficult, though, unless you can guarantee that all RPMs in the repo are already signed - e.g. only "new" RPMs are unsigned.
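The last two comments turn on the same point: whether an RPM is signed is recorded in the package's own signature header, not in the repo's central metadata, so the check needs package bytes. It does not need the whole package, though. The lead (96 bytes) and the signature header that follows it are a few hundred bytes at the start of the file, and the first 112 bytes are enough to compute exactly how much to fetch with a ranged GET. The following is an added example written for this thread, not mkrepo's code: it parses the signature header, reports whether any GPG/PGP/RSA/DSA signature tag is present, sizes the ranged read, and shows the byte-level part of injecting a signature entry. The two sample packages are constructed fixtures and the signature bytes are placeholders; signing with GnuPG and the S3 fetch itself are assumed to happen elsewhere.

```python
# Added example for this thread, not mkrepo code. Layout and tag numbers follow the RPM
# file format; the sample packages are constructed fixtures with placeholder signatures.
import struct

LEAD_SIZE = 96                       # fixed-size lead: magic, version, type, name, sig type
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # 3-byte header magic followed by version 1
HEADER_INTRO_SIZE = 16               # magic+version, 4 reserved, nindex, hsize (big-endian)
INDEX_ENTRY_SIZE = 16                # tag, type, offset, count (big-endian uint32 each)

# Signature-header tags (rpmtag.h). Any of the four signature tags means rpm --addsign
# ran on the package; the digest tags are present whether or not it is signed.
SIGTAG_DSA, SIGTAG_RSA = 267, 268     # header-only signatures
SIGTAG_PGP, SIGTAG_GPG = 1002, 1005   # legacy header+payload signatures
SIGNATURE_TAGS = {SIGTAG_DSA, SIGTAG_RSA, SIGTAG_PGP, SIGTAG_GPG}
SIGTAG_SIZE, SIGTAG_MD5, SIGTAG_SHA1 = 1000, 1004, 269
HEADER_SIGNATURES = 62               # region tag rpm writes into every signature header

TYPE_INT32, TYPE_STRING, TYPE_BIN = 4, 6, 7
FIXED_WIDTH = {1: 1, 2: 1, 3: 2, TYPE_INT32: 4, 5: 8}   # CHAR, INT8, INT16, INT32, INT64


def build_lead(name):
    """96-byte lead: magic, v3.0, binary package, arch 1, name, os 1, sigtype 5 (header sig)."""
    padded = name.encode().ljust(66, b"\0")[:66]
    return (LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1) + padded
            + struct.pack(">HH", 1, 5) + b"\0" * 16)


def build_signature_header(entries):
    """Serialize {tag: (type, data)} as intro + index + data store, padded to 8 bytes."""
    index, store = b"", b""
    for tag, (typ, data) in entries.items():
        store += b"\0" * (-len(store) % FIXED_WIDTH.get(typ, 1))   # align multi-byte ints
        # STRING data already carries its NUL terminator and counts as one item
        count = 1 if typ == TYPE_STRING else len(data) if typ == TYPE_BIN else len(data) // FIXED_WIDTH[typ]
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += data
    intro = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store))
    return intro + index + store + b"\0" * (-len(store) % 8)


def parse_signature_header(blob):
    """Return {tag: (type, data)} from the signature header that follows the lead.
    Only lead + signature header is read, so a ranged read of the file is enough."""
    if (len(blob) < LEAD_SIZE + HEADER_INTRO_SIZE or blob[:4] != LEAD_MAGIC
            or blob[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC):
        raise ValueError("not an RPM, or bad signature header magic")
    nindex, hsize = struct.unpack(">II", blob[LEAD_SIZE + 8:LEAD_SIZE + 16])
    index_start = LEAD_SIZE + HEADER_INTRO_SIZE
    store_start = index_start + nindex * INDEX_ENTRY_SIZE
    store = blob[store_start:store_start + hsize]
    if len(store) < hsize:
        raise ValueError("truncated signature header")
    entries = {}
    for i in range(nindex):
        at = index_start + i * INDEX_ENTRY_SIZE
        tag, typ, offset, count = struct.unpack(">IIII", blob[at:at + INDEX_ENTRY_SIZE])
        if typ == TYPE_STRING:
            length = store.index(b"\0", offset) - offset + 1
        elif typ == TYPE_BIN:
            length = count
        elif typ in FIXED_WIDTH:
            length = count * FIXED_WIDTH[typ]
        else:
            raise ValueError("unsupported index type %d for tag %d" % (typ, tag))
        entries[tag] = (typ, store[offset:offset + length])
    return entries


def is_signed(blob):
    """True if the signature header carries any GPG/PGP/RSA/DSA signature tag."""
    return bool(SIGNATURE_TAGS.intersection(parse_signature_header(blob)))


def signature_region_length(prefix):
    """Bytes covered by lead + signature header, known from the first 112 bytes alone,
    so a repo tool can fetch exactly that much with a ranged GET instead of the package."""
    nindex, hsize = struct.unpack(">II", prefix[LEAD_SIZE + 8:LEAD_SIZE + 16])
    return LEAD_SIZE + HEADER_INTRO_SIZE + nindex * INDEX_ENTRY_SIZE + hsize + (-hsize % 8)


def inject_signature(blob, tag, sig_bytes):
    """Rewrite the signature header with one extra BIN entry, keeping the rest of the file.
    This is only the byte-level half of rpm --addsign: computing sig_bytes with GnuPG over
    the main header (and payload, for the legacy tags) is assumed to happen elsewhere."""
    entries = parse_signature_header(blob)
    entries[tag] = (TYPE_BIN, sig_bytes)
    return blob[:LEAD_SIZE] + build_signature_header(entries) + blob[signature_region_length(blob):]


# Constructed fixtures, not real packages; REST_OF_FILE stands in for the main header and payload.
DIGEST_ENTRIES = {
    HEADER_SIGNATURES: (TYPE_BIN, b"\0" * 16),
    SIGTAG_SIZE: (TYPE_INT32, struct.pack(">I", 4096)),
    SIGTAG_MD5: (TYPE_BIN, bytes(range(16))),
    SIGTAG_SHA1: (TYPE_STRING, b"da39a3ee5e6b4b0d3255bfef95601890afd80709\0"),
}
REST_OF_FILE = b"<main header and cpio payload omitted>"
FAKE_RSA_SIG = b"\x89\x02\x14" + b"\xaa" * 29     # placeholder, not a real OpenPGP packet
UNSIGNED_RPM = build_lead("demo-1.0-1.x86_64") + build_signature_header(DIGEST_ENTRIES) + REST_OF_FILE
SIGNED_RPM = build_lead("demo-1.0-1.x86_64") + build_signature_header(
    {**DIGEST_ENTRIES, SIGTAG_RSA: (TYPE_BIN, FAKE_RSA_SIG), SIGTAG_PGP: (TYPE_BIN, FAKE_RSA_SIG)}) + REST_OF_FILE

if __name__ == "__main__":
    for label, pkg in (("unsigned", UNSIGNED_RPM), ("signed", SIGNED_RPM)):
        head = pkg[:signature_region_length(pkg)]        # what the ranged GET would return
        print(label, "-> signed:", is_signed(head), "tags:", sorted(parse_signature_header(head)))
```

For the S3 case the flow is: fetch the first 112 bytes, call signature_region_length to size one more ranged read, and pass that prefix to is_signed; packages that were uploaded unsigned show up without a full download, which sidesteps the "download every package" problem as long as the bucket serves range requests. inject_signature only shows the header mechanics; a real promotion step also has to produce the OpenPGP signature over the main header (and the payload, for the legacy PGP/GPG tags), which is why calling rpm's own --addsign, as the earlier comment does, remains the safer choice.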
It looks like mkrepo can only sign an RPM repo's metadata, not the actual RPM file itself. It would be a really cool feature if mkrepo could:
- pull down the RPMs from the Packages directory
- using the key specified in ~/.rpmmacros or the default key in GPG, sign the RPMs
- redeploy the signed RPMs to the Packages directory in the s3 bucket