Skip to content

Instantly share code, notes, and snippets.

@jflemer-ndp
Created September 24, 2020 18:45
Show Gist options
  • Save jflemer-ndp/bc7fa8fb196ef305558f14ff3a04e7b4 to your computer and use it in GitHub Desktop.
Save jflemer-ndp/bc7fa8fb196ef305558f14ff3a04e7b4 to your computer and use it in GitHub Desktop.
Wrapper for non-interactive signing of RPMs
#!/bin/bash
##############################################################################
# Wrapper for non-interactive signing of RPMs.
#
# _NOTE: This uses environment variables for sensitive information (the GPG
# passphrase), so should not be used on an untrusted or shared host._
#
# Prep
# ----
# * Make a GPG key, for example see "Create a GPG Key Pair" at:
# http://giovannitorres.me/how-to-setup-an-rpm-signing-key.html
#
# Setup
# -----
# * `yum install -y expect rpm-sign`
#
# Running
# -------
# * Strongly advised to not run this as root!
# * Set environment variables and/or container volume mount to default paths
# * Such as:
#
# env REPOS=/export/repo/demo GNUPGHOME=$HOME/.gnupg GPGKEYID=12345678 \
# GPGPASSPHRASE=demo ./rpmgpgsign.sh
#
# License
# -------
# * BSD-2-Clause
#
##############################################################################
##############################################################################
#
# Copyright 2020, NDP LLC
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
##############################################################################
# REPOS: space separated paths to search for RPMs to sign
export REPOS="${REPOS:-/repo}"
# GNUPGHOME: path to location of user GPG key
export GNUPGHOME="${GNUPGHOME:-/gpg/.gnupg}"
# GPGKEYID: which key from $GNUPGHOME to use for signing
export GPGKEYID="${GPGKEYID:-}"
# GPGPASSPHRASE: passphrease for the key $GPGKEYID
export GPGPASSPHRASE="${GPGPASSPHRASE:-}"
# Be Jenkins/CI friendly
WORKSPACE="${WORKSPACE:-$(pwd)}"
##############################################################################
cat - > "${WORKSPACE}/sign_rpms.sh" <<'EOF'
#!/bin/expect -f
set keyid $env(GPGKEYID)
spawn rpmsign --digest-algo=sha256 --key-id=$keyid --addsign {*}$argv
expect {
-re "Enter pass phrase:" {
send "$env(GPGPASSPHRASE)\n"
exp_continue
}
eof {
catch wait result
}
}
exit [ lindex $result 3 ]
EOF
# SIGN RPMS
for i in ${REPOS}; do
repomanage -n -c "$i" | xargs -r -d '\n' expect -f "${WORKSPACE}/sign_rpms.sh"
done
# cleanup (ignore errors)
rm /var/tmp/rpm-tmp.* 2>/dev/null || true
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment