Sha256: 056a5fd767443a68463aa5f18686a7bb96e42197cbc44373eeca3aa4c1404175
Contents?: true
Size: 1.78 KB
Versions: 12
Compression:
Stored size: 1.78 KB
Contents
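# Helpers for GPG-signing rpm packages and for checking whether a package
# already names the configured signing key in its signature data.
#
# Every command here is assembled as a single shell string. The rpm path,
# the extra gpg flags, ENV['RPM'] and the configured key are interpolated
# without quoting, so all of them must come from trusted build
# configuration and never from untrusted input.
module Pkg::Sign::Rpm
  module_function

  # Adds a GPG signature to an rpm by running `rpm --addsign`.
  #
  # @param rpm [String] package path handed to `--addsign`.
  #   NOTE(review): the value is unquoted, so the shell word-splits it;
  #   confirm whether any caller relies on that (e.g. to pass several
  #   paths) before adding quoting here.
  # @param sign_flags [String, nil] extra gpg flags spliced into
  #   %__gpg_sign_cmd; nil interpolates as an empty string.
  # @return the value of Pkg::Util::Execution.retry_on_fail, which is
  #   defined outside this file.
  def sign(rpm, sign_flags = nil)
    # To enable support for wrappers around rpm and thus support for gpg-agent
    # rpm signing, we have to be able to tell the packaging repo what binary to
    # use as the rpm signing tool. Whoever controls the RPM environment
    # variable therefore chooses the program that performs the signing.
    rpm_command = ENV['RPM'] || Pkg::Util::Tool.find_tool('rpm')

    # If we're using the gpg agent for rpm signing, we don't want to specify the
    # input for the passphrase, which is what '--passphrase-fd 3' does. However,
    # if we're not using the gpg agent, this is required, and is part of the
    # defaults on modern rpm. With the agent, rpm's own password check is
    # defined as /bin/true so that it always succeeds.
    gpg_check_command = ''
    input_flag = ''
    if Pkg::Util.boolean_value(ENV['RPM_GPG_AGENT'])
      gpg_check_command = "--define '%__gpg_check_password_cmd /bin/true'"
    else
      input_flag = "--passphrase-fd 3"
    end

    # Try this up to 5 times, to allow for incorrect passwords
    Pkg::Util::Execution.retry_on_fail(times: 5) do
      # This definition of %__gpg_sign_cmd is the default on modern rpm. We
      # accept extra flags to override certain signing behavior for older
      # versions of rpm, e.g. specifying V3 signatures instead of V4.
      Pkg::Util::Execution.capture3("#{rpm_command} #{gpg_check_command} --define '%_gpg_name #{Pkg::Util::Gpg.key}' --define '%__gpg_sign_cmd %{__gpg} gpg #{sign_flags} #{input_flag} --batch --no-verbose --no-armor --no-secmem-warning -u %{_gpg_name} -sbo %{__signature_filename} %{__plaintext_filename}' --addsign #{rpm}")
    end
  end

  # Signs an rpm with V3 signatures and a SHA-1 digest.
  #
  # SHA-1 is a weak digest for signatures; reserve this path for targets
  # whose rpm cannot verify anything stronger, and use #sign everywhere else.
  #
  # @param rpm [String] package path, passed through to #sign.
  # @return the value returned by #sign.
  def legacy_sign(rpm)
    sign(rpm, "--force-v3-sigs --digest-algo=sha1")
  end

  # Reports whether `rpm -Kv` output for the package mentions the configured
  # key (lower-cased).
  #
  # This is a text match on the key only: it does not read rpm's own verdict
  # on the signature, so treat a true result as "names this key", not as
  # "signature verified". It always runs `rpm` from PATH; the ENV['RPM']
  # override used by #sign is not consulted.
  #
  # @param rpm [String] package path, interpolated unquoted into the shell
  #   command (see the module note on trusted input).
  # @return [Boolean] true when grep finds the key in the output.
  def has_sig?(rpm)
    key_id = Pkg::Util::Gpg.key.downcase
    # The redirect is spelled `> /dev/null 2>&1` rather than `&>`. `&>` is a
    # bash extension, and %x hands the pipeline to the system shell; a POSIX
    # sh without that extension reads it as `&` followed by `> /dev/null`,
    # which backgrounds the pipeline and leaves a zero status, so every
    # package was reported as signed.
    %x(rpm -Kv #{rpm} | grep "#{key_id}" > /dev/null 2>&1)
    $?.success?
  end
end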
Version data entries
12 entries across 12 versions & 1 rubygems