#1 2023-07-21 13:42:25

D3vil0p3r
Member
Registered: 2022-11-05
Posts: 194

[SOLVED] Script for signing more packages automatically

I would like to test a scenario where I have different packages to distribute and these packages are signed by a signing key protected by a passphrase.

I would like to automate a process where all of these packages are periodically built and then signed automatically, in order to create the .pkg.tar.zst and .pkg.tar.zst.sig files.

To do this automation, I need to script the process. Scripting the building and signing of these packages when the signing key (private key) is not passphrase-protected is easy, because I don't need to enter any passphrase when prompted.

The problem is when the signing key is passphrase-protected. In this case, how can I automate the whole process and avoid entering the passphrase for each package manually?

I was reading the ArchWiki on https://wiki.archlinux.org/title/makepk … ge_signing but it is still not clear how to give the passphrase automatically, because if I run:

gpg --detach-sign --pinentry-mode loopback --passphrase-fd 0 --output ians-65.eb15373-1-any.pkg.tar.zst.sig --sign ians-65.eb15373-1-any.pkg.tar.zst

it takes the passphrase when Enter is hit, which means I would have to type it there manually.

Last edited by D3vil0p3r (2023-07-21 22:27:04)


#2 2023-07-21 13:57:52

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,924

Re: [SOLVED] Script for signing more packages automatically

It takes the passphrase from stdin. Whether that's the connected tty/pty (aka the keyboard) or piped in from somewhere else is up to you:

echo "your passphrase" | gpg ...

Last edited by Trilby (2023-07-21 13:58:30)


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman


#3 2023-07-21 14:04:27

D3vil0p3r
Member
Registered: 2022-11-05
Posts: 194

Re: [SOLVED] Script for signing more packages automatically

Trilby wrote:

It takes the passphrase from stdin. Whether that's the connected tty/pty (aka the keyboard) or piped in from somewhere else is up to you:

echo "your passphrase" | gpg ...

I forgot to add that I don't need to sign new packages with new passphrases.

The scenario is that I have a set of packages in a repository and they are already signed with my GPG private key. When I automate the package building and signing, I need to sign these packages with my existing private key, and then handle the case where my private key prompts for the related passphrase. I am not sure if that gpg command above is correct for my case.

In practice I need to simulate a "makepkg --sign" with a gpg command (because makepkg --sign spawns a GUI window for entering the passphrase).

Last edited by D3vil0p3r (2023-07-21 14:08:59)


#4 2023-07-21 14:23:14

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,924

Re: [SOLVED] Script for signing more packages automatically

D3vil0p3r wrote:

I forgot to add that I don't need to sign new packages with new passphrases.

Yes you do. You can't rebuild a new version of a package and reuse a signature from a previous version. Whether or not the previous versions were signed is irrelevant. You're building new packages, and they need to be signed by your key. That's it.

D3vil0p3r wrote:

In practice I need to simulate a "makepkg --sign" with a gpg command (because makepkg --sign spawns a GUI window for entering the passphrase).

That GUI window is just one option. But from reading the wiki, it seems the recommended approach is to not use the --sign flag for makepkg. Just build the packages first with makepkg, then sign them with the above-mentioned gpg command (which can accept the passphrase from stdin).


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

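Putting the advice above into a script, as an added example that is not from the thread: build each PKGBUILD with makepkg (non-interactive thanks to --noconfirm), then sign every unsigned package with a detached gpg signature, feeding the passphrase through --passphrase-fd from a file with mode 0600 instead of an echo on the command line, so it never appears in the process list or shell history. The paths REPO_SRC, OUT_DIR, PASSFILE, the KEYID variable and the script name sign-repo.sh are assumptions.

```shell
#!/bin/sh
# Build every PKGBUILD under REPO_SRC, collect the packages in OUT_DIR, then
# create a detached signature next to each package that lacks one.
# REPO_SRC, OUT_DIR, PASSFILE, KEYID and the name sign-repo.sh are assumed values.
set -eu

REPO_SRC="${REPO_SRC:-$HOME/repo-src}"                # one PKGBUILD per subdirectory
OUT_DIR="${OUT_DIR:-$HOME/repo-out}"                  # where makepkg drops packages
PASSFILE="${PASSFILE:-$HOME/.config/repo-sign.pass}"  # passphrase only, chmod 0600
KEYID="${KEYID:-}"                                    # signing key fingerprint (optional)

# sig_path PKG -> the detached signature file name pacman and repo-add expect
sig_path() { printf '%s.sig\n' "$1"; }

# unsigned_pkgs DIR -> packages in DIR without a .sig yet, one per line
unsigned_pkgs() {
    for p in "$1"/*.pkg.tar.zst; do
        [ -e "$p" ] || continue
        [ -e "$(sig_path "$p")" ] || printf '%s\n' "$p"
    done
}

# sign_pkg PKG -> detached signature, then verify it so a cached-but-wrong
# passphrase or a stale agent cannot leave a silently unsigned package behind.
# --pinentry-mode loopback makes gpg read the passphrase from fd 0 instead of
# launching pinentry; GnuPG older than 2.1.12 also needs allow-loopback-pinentry
# in gpg-agent.conf. --batch/--yes keep gpg from asking anything else.
sign_pkg() {
    pkg="$1"
    gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
        ${KEYID:+--local-user "$KEYID"} \
        --detach-sign --output "$(sig_path "$pkg")" "$pkg" < "$PASSFILE"
    gpg --verify "$(sig_path "$pkg")" "$pkg"
}

# build_all -> makepkg every package directory, then sign whatever is new
build_all() {
    mkdir -p "$OUT_DIR"
    for d in "$REPO_SRC"/*/; do
        [ -f "$d/PKGBUILD" ] || continue
        # -s installs missing deps; --noconfirm stops makepkg and pacman prompting
        (cd "$d" && PKGDEST="$OUT_DIR" makepkg -s --noconfirm)
    done
    unsigned_pkgs "$OUT_DIR" | while IFS= read -r pkg; do sign_pkg "$pkg"; done
}

# Run the pipeline only when executed as sign-repo.sh, not when sourced
case "${0##*/}" in sign-repo.sh) build_all ;; esac
```

Run it from a timer or cron job as the build user; because the passphrase file is the only secret, protecting it (ownership and 0600) is what protects the key.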

#5 2023-07-21 14:28:12

D3vil0p3r
Member
Registered: 2022-11-05
Posts: 194

Re: [SOLVED] Script for signing more packages automatically

Yes, it is true. I was getting it wrong because during my test I submitted the correct passphrase only once; then, when I entered the wrong one, it continued to work, but that happened because gpg-agent still had the correct passphrase cached, so I needed to kill it. I will try a broader test.

UP: it is important to add "--noconfirm" to the makepkg command and all pacman commands, and it works like a charm.

Last edited by D3vil0p3r (2023-07-21 22:26:52)
