To clarify how kernel keyrings could be used to preserve --sign behavior ...

The popt alias for rpmbuild --sign extracts the names of just built *.rpm files 
from stdout and invokes  rpmsign on those packages.

The rpmbuild options like --macros and --define are not copied to rpmsign.

Instead of copying options forward (which is doable) from rpmbuild to rpmsign, 
rpmsign should attempt to retrieve the password that gpg expects from a 
conventionally named kernel keyring entry.

the rpmsign helper use exec2) so that rpmsign becomes a direct child of  
rpmbuild (that already happens with a popt exec alias, but obscurely) with the 
set of packages as arguments.

Kernel keyring access controls are then used to protect the password while 
being passed through the sequence  rpmbuild -> rpmsign -> gpg and either 
rpmbuild or rpmsign reads the password and stores in the keyring for each set 
of packages. 

If the keyring access control is per-session, then the password can be loaded 
outside of rpmbuild invocation for retrieval by rpmsign through other means.



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/153#issuecomment-404575752
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Reply via email to