To clarify how kernel keyrings could be used to preserve --sign behavior ...

The popt alias for rpmbuild --sign extracts the names of the just-built *.rpm files 
from stdout and invokes rpmsign on those packages.

The rpmbuild options like --macros and --define are not copied to rpmsign.

Instead of copying options forward (which is doable) from rpmbuild to rpmsign, 
rpmsign should attempt to retrieve the password that gpg expects from a 
conventionally named kernel keyring entry.

The rpmsign helper should use exec(2) so that rpmsign becomes a direct child of 
rpmbuild (that already happens with a popt exec alias, but obscurely) with the 
set of packages as arguments.

Kernel keyring access controls are then used to protect the password while it is 
being passed through the sequence rpmbuild -> rpmsign -> gpg, and either 
rpmbuild or rpmsign reads the password and stores it in the keyring for each set 
of packages.

If the keyring access control is per-session, then the password can be loaded 
outside of the rpmbuild invocation for retrieval by rpmsign through other means.
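The hand-off sketched in this message, as an added example that is neither rpm's code nor the author's: a parent process stands in for rpmbuild and stores the passphrase in the session keyring, a forked child stands in for rpmsign and searches for and reads it, and the key's permission mask limits reads to possessors of that session keyring (the owning uid can see the key exists but cannot read it; group and world get nothing). The description `rpmsign:passphrase`, the permission mask and the secret are this example's assumptions; the permission bit values are spelled out inline because they come from keyutils.h, which linux/keyctl.h does not provide.

```c
/* Added example, not rpm's code: the rpmbuild -> rpmsign passphrase hand-off
 * through the Linux session keyring.  The parent plays rpmbuild (stores the
 * passphrase), the forked child plays rpmsign (finds and reads it).  The key
 * description, the permission mask and the secret are assumptions made here. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/keyctl.h>   /* KEYCTL_*, KEY_SPEC_SESSION_KEYRING */

typedef int32_t key_serial_t;

/* Kernel permission layout: possessor, user, group, other, one byte each. */
#define KEY_POS_VIEW    0x01000000UL
#define KEY_POS_READ    0x02000000UL
#define KEY_POS_SEARCH  0x08000000UL
#define KEY_POS_LINK    0x10000000UL
#define KEY_POS_SETATTR 0x20000000UL
#define KEY_USR_VIEW    0x00010000UL
#define KEY_USR_SEARCH  0x00080000UL

enum { DEMO_OK = 0, DEMO_UNSUPPORTED = 1 };

/* Only a possessor (a process whose session keyring holds the key) may read
 * the passphrase; the owning uid may only see and find it.  Assumed mask. */
unsigned long passphrase_key_perm(void)
{
    return KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | KEY_POS_LINK
         | KEY_POS_SETATTR | KEY_USR_VIEW | KEY_USR_SEARCH;
}

/* rpmbuild's side: add a "user" key to the session keyring, then tighten its
 * permissions.  Returns the key serial or -errno. */
key_serial_t store_passphrase(const char *desc, const char *passphrase)
{
    long id = syscall(SYS_add_key, "user", desc, passphrase,
                      strlen(passphrase), KEY_SPEC_SESSION_KEYRING);
    if (id < 0)
        return -errno;
    if (syscall(SYS_keyctl, KEYCTL_SETPERM, (key_serial_t)id,
                passphrase_key_perm()) < 0) {
        int e = errno;     /* do not leave a loosely-permitted key behind */
        syscall(SYS_keyctl, KEYCTL_UNLINK, (key_serial_t)id,
                KEY_SPEC_SESSION_KEYRING);
        return -e;
    }
    return (key_serial_t)id;
}

/* rpmsign's side: look the key up by type and conventional description in
 * the session keyring and read its payload.  Returns the payload length,
 * -ENOKEY when no passphrase was loaded, or another -errno. */
long fetch_passphrase(const char *desc, char *buf, size_t buflen)
{
    long id = syscall(SYS_keyctl, KEYCTL_SEARCH, KEY_SPEC_SESSION_KEYRING,
                      "user", desc, 0);
    if (id < 0)
        return -errno;
    long n = syscall(SYS_keyctl, KEYCTL_READ, (key_serial_t)id, buf, buflen);
    if (n < 0)
        return -errno;
    if ((size_t)n >= buflen)   /* KEYCTL_READ reports the full payload size */
        return -E2BIG;
    buf[n] = '\0';
    return n;
}

int unlink_passphrase(key_serial_t key)
{
    return syscall(SYS_keyctl, KEYCTL_UNLINK, key,
                   KEY_SPEC_SESSION_KEYRING) < 0 ? -errno : 0;
}

/* Parent stores, child reads and pipes the secret back, parent compares and
 * removes the key so a later lookup fails with ENOKEY.  Returns DEMO_OK,
 * DEMO_UNSUPPORTED when a sandbox filters add_key/keyctl, or -errno. */
int demo_roundtrip(void)
{
    const char *desc = "rpmsign:passphrase";              /* constructed */
    const char *secret = "correct horse battery staple";  /* constructed */
    char got[128] = "";
    int fd[2], status;

    key_serial_t key = store_passphrase(desc, secret);
    if (key == -EPERM || key == -ENOSYS || key == -EACCES)
        return DEMO_UNSUPPORTED;
    if (key < 0)
        return key;
    if (pipe(fd) < 0) {
        unlink_passphrase(key);
        return -errno;
    }
    pid_t pid = fork();
    if (pid < 0) {
        unlink_passphrase(key);
        return -errno;
    }
    if (pid == 0) {                       /* child: the rpmsign stand-in */
        char buf[128];
        close(fd[0]);
        long n = fetch_passphrase(desc, buf, sizeof buf);
        if (n > 0 && write(fd[1], buf, (size_t)n) != n)
            n = -EIO;
        _exit(n > 0 ? 0 : 1);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], got, sizeof got - 1);
    close(fd[0]);
    if (n > 0)
        got[n] = '\0';
    waitpid(pid, &status, 0);
    int rc = unlink_passphrase(key);
    if (rc < 0)
        return rc;
    if (n <= 0 || strcmp(got, secret) != 0)
        return -EBADMSG;   /* child did not read back the exact passphrase */
    /* Key gone from the session: rpmsign's lookup must now fail cleanly. */
    if (fetch_passphrase(desc, got, sizeof got) != -ENOKEY)
        return -EEXIST;
    return DEMO_OK;
}

int main(void)
{
    int rc = demo_roundtrip();
    if (rc == DEMO_UNSUPPORTED)
        puts("keyring syscalls are filtered here; nothing to demonstrate");
    else if (rc < 0)
        printf("failed: %s\n", strerror(-rc));
    else
        puts("child read the passphrase from the session keyring; key removed");
    return rc < 0;
}
```

Linux only. Note that if the parent has no session keyring yet, add_key with KEY_SPEC_SESSION_KEYRING creates one, and the child inherits it across fork, which is what makes the possessor-only mask work; a process started from another session (or after the key is unlinked) gets ENOKEY from the search, which is where rpmsign would need its fallback. Container seccomp profiles commonly deny add_key and keyctl with EPERM, which the example reports rather than treating as a failure.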

Rpm-maint mailing list