Re: Automatic signing of RPM packages

[Jeff Johnson <n3npq jbj gmail com>]

On May 2, 2007, at 10:33 AM, Bob Huisman wrote:

> Hello all,
>
> Currently we are working on a continuous integration service, which  
> also
> publishes rpm packages. At this time, these packages are unsigned and
> thus cannot be used in a RHN Satellite environment (as far as I know,
> have not tested 100%). We do have a gpg signature available, but  
> when a
> package is created with the --sign option, a prompt is asking for the
> passphrase. Is it possible to put the password in the commandline?  
> This
> is usefull for testing our packages. The final versions will  
> ofcourse be
> signed with a different key, and the development key will never be
> published.
>
> Any ideas on this will be greatly appreciated!

rpm uses getpass(3).

expect will interpose a pseudo-tty, which is sufficient to automate
signing, with passwords automatically entered.

Or pay the big $$$ for an automatic signer as both SuSE and RH have  
done.

The evntual solution will be to replace getpass(3) using keyutils, which
will fire up a helper to request a password and deliver to rpm securely,
but I haven't yet wired up my proof-of-concept code.

73 de Jeff