Monday, June 21, 2010

How to sign RPM files in batch mode?

The rpm sign command reads the passphrase with getpass(), so there is no direct way to supply the passphrase by redirection in a shell script.

One alternative is to use an Expect script (you need to have expect installed; RPMs are available in the standard Linux distros). Here is a snippet of code that shows how it works:

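########BEGIN#############################

# Print the Expect script. The here-document delimiter is quoted, so the shell
# expands nothing inside it: Expect takes the file names from its own arguments
# and the passphrase from the environment, and neither is parsed as Tcl code.
function expect_script
{
cat << 'End-of-text'
spawn rpm --resign {*}$argv
expect -exact "Enter pass phrase: "
send -- "$env(RPMPWD)\r"
expect eof
# Exit with rpm's own status so that the caller can detect a failed signing.
exit [lindex [wait] 3]
End-of-text
}

# Sign the RPM files given as arguments; RPMPWD must be exported.
function sign_rpm
{
    echo "Signing RPM..."
    expect_script | /usr/bin/expect -f - -- "$@"
}

## Main execution

sign_rpm "$@"

##############END ##############################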

RPMPWD is the passphrase. It should be set in the environment (exported) before sign_rpm is called.

Of course, before running this script the GPG private/public keys must have been imported into the GPG keyring, and the public key must also have been imported into the RPM database.
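A batch job should also confirm that every package really ended up signed, and `rpm -K` (`--checksig`) can only verify a signature once the public key is in the RPM database. The following is an added example, not part of the original post: the function names are hypothetical, the sample lines are constructed, and the `rpm -K` output formats it handles are assumptions noted in the comments.

```shell
#!/bin/sh
# Added example: decide from `rpm -K` (--checksig) output whether each package
# carries a signature that verified. Output formats are assumed, not captured:
#   older rpm:  "pkg.rpm: (sha1) dsa sha1 md5 gpg OK"
#   newer rpm:  "pkg.rpm: digests signatures OK"
# rpm prints an item in upper case when it failed and ends the line "NOT OK".

# Print "signed", "unsigned" or "failed" for one line of rpm -K output.
classify_checksig_line() {
    line=$1
    case $line in
        *"NOT OK"*) echo failed; return 0 ;;
    esac
    items=" ${line#*: } "            # drop the "file name: " prefix
    case $items in
        *" OK "*) ;;
        *) echo failed; return 0 ;;  # no verdict at all: treat as a failure
    esac
    case $items in
        *" signatures "*|*" gpg "*|*" pgp "*|*" rsa "*|*" dsa "*) echo signed ;;
        *) echo unsigned ;;          # digests verified, but nothing was signed
    esac
}

# Read rpm -K output on stdin, list every package that is not verifiably
# signed, and return non-zero if there is at least one.
report_unsigned() {
    bad=0
    while IFS= read -r line; do
        status=$(classify_checksig_line "$line")
        if [ "$status" != signed ]; then
            echo "${line%%: *} $status"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample lines; in a real batch use: rpm -K *.rpm | report_unsigned
printf '%s\n' \
    'a-1.0-1.noarch.rpm: digests signatures OK' \
    'b-1.0-1.noarch.rpm: digests OK' \
    'c-1.0-1.noarch.rpm: digests SIGNATURES NOT OK' |
    report_unsigned || echo "batch contains unsigned or unverifiable packages"
```

A package reported as "failed" after signing usually means the public key has not been imported into the RPM database on the machine doing the check.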

3 comments:

Unknown said...

I've solved the same problem by overriding the getpass() function call using function interposition via LD_PRELOAD.

I am not suggesting that this is a better solution...I just like playing around with LD_PRELOAD.

slmingol said...

You can sign in bulk using the --resign switch.

rpm --resign *.rpm