
Can gpg-agent be used when signing RPM packages?

asked 2014-10-28 07:04:28 -0600

jorti

I'm trying to sign a package with:

rpm --resign package.rpm

I have my gpg-agent running and the environment correctly configured. Can I make rpm use my gpg-agent?



You can have gpg-agent cache your gpg passphrase for a long time and it won't ask you for the passphrase. Is that what you want?

sudhirkhanger ( 2014-10-28 09:22:30 -0600 )

My passphrase is already cached, but it's not used when resigning with this command. I'd like to know if there is some way to force rpm to use the agent.

Thank you

jorti ( 2014-10-28 10:22:37 -0600 )

@jorti Your passphrase will by default expire in 2 hours. It will prompt you once every 10 minutes to enter the passphrase.

sudhirkhanger ( 2014-10-28 11:21:26 -0600 )

I refresh the passphrase before signing the packages. The agent works fine and with other applications the pinentry program asks for the passphrase.

I've dug a little more in this topic, and it seems impossible to do what I ask for. :(

jorti ( 2014-10-28 15:25:48 -0600 )

3 Answers


answered 2014-11-07 11:00:58 -0600

till

I use the following (actually wrapped in a script for convenience):

rpm \
 --define '_gpg_name GPG Key User ID'  \
 --define '_signature gpg' \
 --define '__gpg_check_password_cmd /bin/true' \
 --define '__gpg_sign_cmd %{__gpg} gpg --batch --no-verbose --no-armor --use-agent --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}' \
 --addsign *.rpm

It will still ask for a password, but you can just press enter. Nevertheless, the agent will be used for the actual signing. I looked this up a long time ago, so in theory it might be that the command could be updated, but it still works.


answered 2015-07-19 17:53:51 -0600

Combining @till's excellent answer with , I get an expect script that looks like this:

#!/usr/bin/expect -f
spawn rpm --addsign --define "_gpg_name GPG Key User ID" --define "__gpg_check_password_cmd /bin/true" --define "__gpg_sign_cmd %{__gpg} gpg --batch --no-verbose --no-armor --use-agent -u %{_gpg_name} --no-secmem-warning -sbo %{__signature_filename} %{__plaintext_filename}" {*}$argv
expect -exact "Enter pass phrase: "
send -- "blank\r"
expect eof

And now I have the relative security of gpg-agent and the convenience of scripted behavior.

For my purposes, I took out the -u argument so that any GPG id works, but you still must define _gpg_name because it is hard-coded in ( line 107).


answered 2015-10-06 10:35:17 -0600

Building on @till and @the1within0, you can suppress the password prompt without using expect, if you both redirect stdin and run the command in a new session:

setsid -w rpm ... < /dev/null
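As an added example (not code from any of the answers above), a bash wrapper that combines the macro overrides from @till's answer with the setsid/stdin trick from the last answer, and then checks the `rpm -K` output of each package for an actual signature rather than trusting the exit status; the `GPG_KEY_ID` variable and the script name are assumptions.

```shell
#!/bin/bash
# Added example, not from the answers above. Assumes GPG_KEY_ID holds the
# signing key's user id and that rpm, gpg, gpg-agent and setsid are installed.
set -u
# Return 0 only if one line of `rpm -K` output reports a verified signature.
# `rpm -K` exits 0 for an unsigned package whose digests are intact
# ("digests OK"), so its exit status alone cannot confirm signing happened.
signature_ok() {
    result=${1#*: }                      # drop the "file.rpm: " prefix
    case "$result" in
        *"NOT OK"*) return 1 ;;          # bad signature or missing key
    esac
    case "$result" in
        *"signatures OK") return 0 ;;    # rpm >= 4.14: "digests signatures OK"
        *pgp*" OK"|*gpg*" OK") return 0 ;;  # older rpm: "... pgp md5 OK"
        *) return 1 ;;                   # e.g. "digests OK": unsigned
    esac
}

# Sign with the macro overrides from @till's answer: gpg-agent supplies the
# passphrase, /bin/true skips rpm's own passphrase check, and a fresh session
# with stdin from /dev/null keeps the leftover prompt from blocking.
sign_rpms() {
    setsid -w rpm \
        --define "_gpg_name ${GPG_KEY_ID:?set GPG_KEY_ID to the key user id}" \
        --define '_signature gpg' \
        --define '__gpg_check_password_cmd /bin/true' \
        --define '__gpg_sign_cmd %{__gpg} gpg --batch --no-verbose --no-armor --use-agent --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}' \
        --addsign "$@" < /dev/null
}

# Fail loudly on any package that ends up unsigned or with a bad signature.
verify_rpms() {
    status=0
    for pkg in "$@"; do
        line=$(rpm -K "$pkg" 2>&1)
        if signature_ok "$line"; then
            echo "signed: $line"
        else
            echo "NOT SIGNED / BAD: $line" >&2
            status=1
        fi
    done
    return $status
}

if [ $# -gt 0 ]; then   # usage: GPG_KEY_ID='GPG Key User ID' ./sign-rpms.sh *.rpm
    sign_rpms "$@" && verify_rpms "$@"
fi
```

Verifying after signing matters because a misconfigured agent or macro can leave rpm exiting 0 with the package still unsigned.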


Last updated: Nov 07 '14