To clarify how kernel keyrings could be used to preserve --sign behavior ...
The popt alias for rpmbuild --sign extracts the names of the just-built *.rpm files
from stdout and invokes rpmsign on those packages.
The rpmbuild options like --macros and --define are not copied to rpmsign.
Instead of copying options forward (which is doable) from rpmbuild to rpmsign,
rpmsign should attempt to retrieve the password that gpg expects from a
conventionally named kernel keyring entry.
the rpmsign helper use exec2) so that rpmsign becomes a direct child of
rpmbuild (that already happens with a popt exec alias, but obscurely) with the
set of packages as arguments.
Kernel keyring access controls are then used to protect the password while
it is being passed through the sequence rpmbuild -> rpmsign -> gpg, and either
rpmbuild or rpmsign reads the password and stores it in the keyring for each set
If the keyring access control is per-session, then the password can be loaded
outside of the rpmbuild invocation for retrieval by rpmsign through other means.
Rpm-maint mailing list
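
The per-session hand-off described in the message above, as an added example that is not part of the original message and not rpm code: a parent standing in for rpmbuild stores a passphrase in a fresh session keyring with possessor-only permissions, and a forked child standing in for rpmsign finds it by name. The key description `rpm:gpg-passphrase` and the function name are assumptions; the message names no convention.

```c
/* Added example: session-keyring hand-off, parent (rpmbuild role) to child (rpmsign role). */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Values from the kernel's <linux/keyctl.h>, repeated so the file stands alone. */
enum { KC_JOIN_SESSION = 1, KC_REVOKE = 3, KC_SETPERM = 5, KC_SEARCH = 10, KC_READ = 11 };
#define SESSION_KEYRING (-3L)          /* KEY_SPEC_SESSION_KEYRING */
#define POSSESSOR_ONLY  0x3f000000UL   /* KEY_POS_ALL; no user/group/other bits */
#define KEY_DESC "rpm:gpg-passphrase"  /* hypothetical conventional name (assumption) */

/* Returns the number of bytes the child read back into out, or -1 on any failure. */
long keyring_handoff(const char *secret, char *out, size_t outlen)
{
    int fds[2];
    /* Fresh anonymous session keyring: held only by this process and its children. */
    if (syscall(SYS_keyctl, KC_JOIN_SESSION, NULL) < 0) return -1;
    long key = syscall(SYS_add_key, "user", KEY_DESC, secret, strlen(secret),
                       SESSION_KEYRING);
    if (key < 0) return -1;
    if (syscall(SYS_keyctl, KC_SETPERM, key, POSSESSOR_ONLY) < 0 || pipe(fds) < 0) {
        syscall(SYS_keyctl, KC_REVOKE, key);
        return -1;
    }
    pid_t pid = fork();
    if (pid == 0) {                    /* child knows only the name, not the key id */
        char buf[256];
        long id = syscall(SYS_keyctl, KC_SEARCH, SESSION_KEYRING, "user", KEY_DESC, 0L);
        long n = id < 0 ? -1 : syscall(SYS_keyctl, KC_READ, id, buf, sizeof buf);
        int ok = n > 0 && (size_t)n <= sizeof buf && write(fds[1], buf, (size_t)n) == n;
        _exit(ok ? 0 : 1);
    }
    close(fds[1]);
    long got = pid < 0 ? -1 : (long)read(fds[0], out, outlen);
    close(fds[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    syscall(SYS_keyctl, KC_REVOKE, key); /* passphrase is unusable once signing is done */
    return got > 0 ? got : -1;
}

int main(void)
{
    char out[64];
    long n = keyring_handoff("constructed-passphrase", out, sizeof out);
    if (n < 0) { perror("keyring"); return 1; }
    printf("child read %ld bytes from the session keyring\n", n);
    return 0;
}
```

The call returns -1 where the keyring syscalls are filtered, as in many container seccomp profiles.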