
Re: GPG signing a package without a password



On Fri, Aug 09, 2002 at 08:05:45AM -0500, Albert Chin wrote:
> I'm using RPM 4.0.4 and GPG to sign a package. It seems that RPM is
> handling input of the password and passing this to GPG
> (--passphrase-fd 3). Any way to disable this? We want to use
> gpg-agent, an ssh-agent-like program for GPG, to batch-sign RPM files.
> This appears impossible if RPM wants to control input.

There are macros that describe each and every invocation of gpg/pgp helpers
that can be reconfigured, see /usr/lib/rpm/macros, watch out for the
explicit argv[0] value needed by pgp IIRC.

You can probably make %__gpg_check_password_cmd a noop and challenge
later while signing.

Be forewarned:
	The rpm signing modes will be handled internally to rpm
	in the future.

#==============================================================================
# ---- GPG/PGP/PGP5 signature macros.
#       Macro(s) to hold the arguments passed to GPG/PGP for package
#       signing and verification.
#
%__gpg_check_password_cmd       %{__gpg} \
        gpg --batch --no-verbose --passphrase-fd 3 -u "%{_gpg_name}" -so -
%__pgp_check_password_cmd       %{__pgp} \
        pgp +batchmode=on +verbose=0 "%{_pgp_name}" -sf
%__pgp5_check_password_cmd      %{__pgp} \
        pgps +batchmode=on +verbose=0 +armor=off "%{_pgp_name}" -f

%__gpg_sign_cmd                 %{__gpg} \
        gpg --batch --no-verbose --no-armor --passphrase-fd 3 \
        -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
%__pgp_sign_cmd                 %{__pgp} \
        pgp +batchmode=on +verbose=0 +armor=off \
        "+myname=%{_pgp_name}" -sb %{__plaintext_filename} %{__signature_filename}
%__pgp5_sign_cmd                %{__pgp} \
        pgps +batchmode=on +verbose=0 +armor=off \
        "+myname=%{_pgp_name}" -b %{__plaintext_filename} -o %{__signature_filename}

%__gpg_verify_cmd               %{__gpg} \
        gpg --batch --no-verbose --verify \
        %{__signature_filename} %{__plaintext_filename}
%__pgp_verify_cmd               %{__pgp} \
        pgp +batchmode=on +verbose=0 \
        %{__signature_filename} %{__plaintext_filename}
%__pgp5_verify_cmd              %{__pgp} \
        pgpv +batchmode=on +verbose=0 \
        +OutputInformationFD=1 +OutputWarningFD=1 \
        -o %{__signature_filename} %{__plaintext_filename}

73 de Jeff

-- 
Jeff Johnson	ARS N3NPQ
jbj@redhat.com (jbj@jbj.org)
Chapel Hill, NC
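
The macros quoted above show which helper invocations expect rpm to supply the passphrase on a file descriptor. As an added example (not part of the original message or of rpm), this shell function scans a macro file and lists them, which shows what a per-user override for gpg-agent would have to cover; `passphrase_fd_macros`, `sample_macros` and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: passphrase_fd_macros is a hypothetical helper, not part of rpm.
# Reads an rpm macro file on stdin and prints "<macro> fd=<n>" for every
# helper macro whose command line contains gpg --passphrase-fd.
passphrase_fd_macros() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            # A trailing backslash continues the macro body on the next line.
            if (sub(/\\[ \t]*$/, "", line)) { buf = buf line " "; next }
            buf = buf line
            sub(/^[ \t]+/, "", buf)
            n = split(buf, w, /[ \t]+/)
            buf = ""
            if (w[1] !~ /^%__/) next             # not a helper macro definition
            for (i = 2; i <= n; i++) {
                if (w[i] == "--passphrase-fd" && i < n) {
                    print substr(w[1], 2) " fd=" w[i + 1]
                } else if (w[i] ~ /^--passphrase-fd=/) {
                    print substr(w[1], 2) " fd=" substr(w[i], 17)
                }
            }
        }
    '
}

# Constructed sample: the three GPG macros from the listing above.
sample_macros() {
    cat <<'EOF'
# ---- GPG signature macros (sample)
%__gpg_check_password_cmd       %{__gpg} \
        gpg --batch --no-verbose --passphrase-fd 3 -u "%{_gpg_name}" -so -
%__gpg_sign_cmd                 %{__gpg} \
        gpg --batch --no-verbose --no-armor --passphrase-fd 3 \
        -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
%__gpg_verify_cmd               %{__gpg} \
        gpg --batch --no-verbose --verify \
        %{__signature_filename} %{__plaintext_filename}
EOF
}

sample_macros | passphrase_fd_macros
```

On the sample, only the check-password and sign macros are reported; the verify macro takes no passphrase and needs no change.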




