On Mon, Aug 27, 2007 at 10:17:17PM +0200, Mark wrote:
> > I don't personally see the problem with manually signing though. I
> > build packages in mock under a build account setup specifically for
> > packaging. Once the packages are built, I sign them from my normal
> > user account (e.g.: rpm --addsign ~build/mock/<package>/*.rpm).
>
> well.. signing a few packages by hand isn't a problem at all.
> but signing about 50 packages is.
I find the following only requires entering the pass phrase once:
find $(rpm --eval "%{_topdir}") -iname 'Linu*rpm' -exec rpm --addsign {} +
If you want to sign them all in one swell foop, that should do it.
You will probably want to modify the argument to -iname.
>
> And removing the password completely seems like a good possibility.
> i wish rpmbuild (or rpm) was allowing something like this:
> rpmbuild -ba --sign="the key" my_rpm.spec
> or
> rpmbuild -ba --sign --passphrase "the key" my_rpm.spec
>
> Just the option for that would be gread.
Unfortunately, that has security implications. The passphrase would be
in the script. Also, when the script ran, the passphrase would be in
memory and another user could see it with a suitable application of ps
and other tools.
--
Charles Curley /"\ ASCII Ribbon Campaign
Looking for fine software \ / Respect for open standards
and/or writing? X No HTML/RTF in email
http://www.charlescurley.com / \ No M$ Word docs in email
Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
Attachment:
pgp2vaQGQP4JV.pgp
Description: PGP signature
