rhel7 yum repository metadata GPG signatures

Steve Button asked:

I’m trying to sign yum repo metadata using GPG, as part of a Jenkins job. This is proving more difficult than I first imagined, but I’m sure lots of people must have done this already.

I’ve worked out that I can do it on the terminal using:

gpg --detach-sign --armor --local-user "Our Team" repomd.xml

However this pops up a curses style window which asks for the key, and I’d like to automate this as part of the Jenkins job. I used expect for signing the actual RPMs, and that worked well but I don’t think I can do that with this gpg / curses method. Is there a way to tell gpg to just accept input from the keyboard and not pop up a text entry box? (I’ve been reading the man page, but it’s really massive and I’m getting stuck).

Will keep trying, but hopefully someone has already solved this?

My answer:


The man page gives you several options for passing in the passphrase:

       --passphrase-fd n
              Read  the passphrase from file descriptor n. Only the first line
              will be read from file descriptor n. If you use  0  for  n,  the
              passphrase  will  be  read  from STDIN. This can only be used if
              only one passphrase is supplied.

       --passphrase-file file
              Read the passphrase from file file. Only the first line will  be
              read  from  file  file.  This  can  only  be  used  if  only one
              passphrase is supplied. Obviously, a passphrase stored in a file
              is  of  questionable security if other users can read this file.
              Don't use this option if you can avoid it.

       --passphrase string
              Use string as the passphrase. This can only be used if only  one
              passphrase  is supplied. Obviously, this is of very questionable
              security on a multi-user system. Don't use this  option  if  you
              can avoid it.

I’m not sure why you mention accepting the passphrase from the keyboard when you want to automate signing packages. Nobody will be around, and there won’t be any keyboard. Your best bet is probably to use --passphrase-fd and pass the passphrase in via a file descriptor, as womble mentioned in his comment.
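A non-interactive signing step built on the --passphrase-fd option quoted above, added here as an example and not part of the original answer. It assumes the signing key is already in the keyring and that the passphrase reaches the job as a file (GPG_PASSPHRASE_FILE is a hypothetical name for the path a Jenkins "secret file" credential would bind); the gpg_pinentry_opts, sign_repomd and verify_repomd function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original answer: sign repomd.xml the way a
# Jenkins job would, feeding the passphrase through --passphrase-fd so that no
# pinentry (the curses box) is ever invoked, then verify the detached signature.
# Assumptions: the signing key is already in the keyring; the passphrase is
# delivered to the job as a file (GPG_PASSPHRASE_FILE is a hypothetical name for
# the path a Jenkins "secret file" credential would bind).
set -eu

# gpg 2.1+ only honours --passphrase-fd under "--pinentry-mode loopback";
# gpg 2.0 (RHEL 7) rejects that option, so add it only when it is supported.
gpg_pinentry_opts() {
    if gpg --dump-options 2>/dev/null | grep -q '^--pinentry-mode'; then
        echo "--pinentry-mode loopback"
    fi
}

# sign_repomd KEYID FILE PASSFILE: writes FILE.asc, an ASCII-armoured detached
# signature. The passphrase is read from fd 3 (redirected from PASSFILE), so it
# never appears on the command line, in `ps`, or in the Jenkins console log.
sign_repomd() {
    key="$1"; file="$2"; passfile="$3"
    gpg --batch --yes --no-tty $(gpg_pinentry_opts) \
        --passphrase-fd 3 \
        --local-user "$key" \
        --output "$file.asc" --detach-sign --armor "$file" 3< "$passfile"
}

# verify_repomd FILE: returns 0 only if FILE.asc is a good signature over FILE.
# --status-fd gives machine-readable GOODSIG/BADSIG lines instead of
# locale-dependent text; a repository consumer should run this check as well.
verify_repomd() {
    file="$1"
    gpg --batch --no-tty --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG '
}

# Usage from the job, e.g.:
#   sign_repomd "Our Team" repodata/repomd.xml "$GPG_PASSPHRASE_FILE"
#   verify_repomd repodata/repomd.xml
if [ $# -eq 3 ]; then
    sign_repomd "$1" "$2" "$3"
    verify_repomd "$2"
fi
```

The passphrase file should be readable only by the Jenkins user, which is the same caveat the man page gives for --passphrase-file.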


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.