[Rpm-maint] [rpm-software-management/rpm] Can't use `--define "_gpg_name Foo"` any more (#153)

Jeff Johnson notifications at github.com
Thu Jul 12 16:43:52 UTC 2018


To clarify how kernel keyrings could be used to preserve --sign behavior ...

The popt alias for rpmbuild --sign extracts the names of just built *.rpm files from stdout and invokes rpmsign on those packages.

The rpmbuild options like --macros and --define are not copied to rpmsign.

Instead of copying options forward (which is doable) from rpmbuild to rpmsign, rpmsign should attempt to retrieve the password that gpg expects from a conventionally named kernel keyring entry.

Have the rpmsign helper use exec(2) so that rpmsign becomes a direct child of rpmbuild (that already happens with a popt exec alias, but obscurely) with the set of packages as arguments.

Kernel keyring access controls are then used to protect the password while being passed through the sequence rpmbuild -> rpmsign -> gpg, and either rpmbuild or rpmsign reads the password and stores it in the keyring for each set of packages.

If the keyring access control is per-session, then the password can be loaded outside of rpmbuild invocation for retrieval by rpmsign through other means.



-- 
https://github.com/rpm-software-management/rpm/issues/153#issuecomment-404575752
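
The hand-off described in the message above, as an added sketch that is not rpm code and not part of the original post: a parent process stores a passphrase in the session keyring with possessor-only access and a timeout, and a forked child retrieves it by name and invalidates it. It assumes Linux with the keyring syscalls permitted; the entry name `rpmsign:gpg-passphrase` and the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <linux/keyctl.h>   /* KEYCTL_*, KEY_SPEC_SESSION_KEYRING */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define PASS_DESC "rpmsign:gpg-passphrase" /* hypothetical name, not an rpm convention */
#define POSSESSOR_ONLY 0x2f000000u /* possessor: view|read|write|search|setattr; others: none */

/* Parent ("rpmbuild") side: store the secret, lock it down, let it expire. */
long store_passphrase(const char *pw, unsigned ttl_secs)
{
    long id = syscall(SYS_add_key, "user", PASS_DESC, pw, strlen(pw),
                      KEY_SPEC_SESSION_KEYRING);
    if (id < 0) return -1;
    if (syscall(SYS_keyctl, KEYCTL_SETPERM, id, POSSESSOR_ONLY) < 0 ||
        syscall(SYS_keyctl, KEYCTL_SET_TIMEOUT, id, ttl_secs) < 0) {
        syscall(SYS_keyctl, KEYCTL_INVALIDATE, id);
        return -1;
    }
    return id;
}

/* Child ("rpmsign") side: find the entry by name, read it once, then invalidate it. */
long fetch_passphrase(char *buf, size_t len)
{
    long id = syscall(SYS_keyctl, KEYCTL_SEARCH, KEY_SPEC_SESSION_KEYRING,
                      "user", PASS_DESC, 0);
    if (id < 0 || len == 0) return -1;
    long n = syscall(SYS_keyctl, KEYCTL_READ, id, buf, len - 1);
    syscall(SYS_keyctl, KEYCTL_INVALIDATE, id);
    if (n < 0 || (size_t)n >= len) return -1;   /* error, or secret did not fit */
    buf[n] = '\0';
    return n;
}

/* 1 = child read the parent's secret, 0 = it did not, -1 = keyrings unavailable. */
int roundtrip(const char *pw)
{
    char buf[256]; int status = 0; pid_t pid;
    if (store_passphrase(pw, 60) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0)   /* child inherits the session keyring; no options are copied */
        _exit(fetch_passphrase(buf, sizeof buf) >= 0 && strcmp(buf, pw) == 0 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) { printf("roundtrip: %d\n", roundtrip("constructed-sample-passphrase")); return 0; }
```

Containers with a default seccomp profile often block `add_key` and `keyctl`, in which case `roundtrip` returns -1 instead of 1.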