From 0147e0fe32a6079a24cb26f146b5f27a9ca954a1 Mon Sep 17 00:00:00 2001
From: rob thijssen
Date: Sun, 26 Apr 2026 13:22:33 +0300
Subject: [PATCH] fix(ci): configure gpg for non-interactive RPM signing

Add %__gpg_sign_cmd macro to ~/.rpmmacros with --batch, --no-tty, and --pinentry-mode loopback so rpm --addsign works without a TTY in CI. Also add signing progress output and post-sign verification to publish-repo.sh for easier debugging.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .gitea/workflows/build-release.yml | 1 +
 script/publish-repo.sh | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/.gitea/workflows/build-release.yml b/.gitea/workflows/build-release.yml
index 97700fc..4a2d40f 100644
--- a/.gitea/workflows/build-release.yml
+++ b/.gitea/workflows/build-release.yml
@@ -129,6 +129,7 @@ jobs:
 run: |
 echo "${{ secrets.RPM_SIGNING_KEY }}" | gpg --batch --import
 echo "%_gpg_name ${{ secrets.RPM_SIGNING_KEY_ID }}" > ~/.rpmmacros
+ echo "%__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --no-tty --pinentry-mode loopback --passphrase '' %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} --no-secmem-warning -u \"%{_gpg_name}\" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}" >> ~/.rpmmacros
 - name: Sign and publish
 run: ./script/publish-repo.sh rpms/
diff --git a/script/publish-repo.sh b/script/publish-repo.sh
index 2b5e304..e1ed1ea 100755
--- a/script/publish-repo.sh
+++ b/script/publish-repo.sh
@@ -6,7 +6,9 @@ REMOTE_DIR="/var/www/rpm/fedora/43/x86_64"
 # sign each rpm with the imported gpg key
 for rpm in "${RPM_DIR}"/*.rpm; do
+ echo "signing ${rpm}..."
 rpm --addsign "${rpm}"
+ rpm --checksig "${rpm}"
 done
 install --directory --mode 700 ~/.ssh
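Review bot: The appended `%__gpg_sign_cmd` line passes `--digest-algo` twice — once through the `%{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}}` conditional and again hard-coded as `--digest-algo sha256` after `-sbo` — so any value of `%_gpg_digest_algo` is silently overridden by the trailing flag; drop the hard-coded one and add `%_gpg_digest_algo sha256` as its own line in `~/.rpmmacros` instead. `--pinentry-mode loopback --passphrase ''` also assumes the key in `RPM_SIGNING_KEY` is unprotected; if it ever gets a passphrase, signing fails inside `rpm --addsign` with little context, so a comment above the echo such as `# CI signing key must have no passphrase: rpm runs gpg with --pinentry-mode loopback --passphrase ''` would save debugging time. If the runner's rpm honours `%_gpg_sign_cmd_extra_args`, putting only the batch/loopback flags there rather than overriding the whole sign command would keep this copy from drifting from rpm's own default across upgrades — worth checking on the Fedora 43 image.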
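Review bot: `rpm --checksig "${rpm}"` can only confirm the signature when the signing key's public half is in the rpm keyring, and the workflow imports the key into gpg only (`gpg --batch --import`), so on the runner the check is likely to report the signature as NOKEY / NOT OK and exit non-zero; under `set -e` (the script header is outside the hunk) that aborts publishing after the first package, and without it the status is discarded and the verification is cosmetic. Export the public key once before the loop and load it with `rpm --import`, then fail explicitly on a bad result: `rpm --checksig "${rpm}" || { printf 'signature check failed: %s\n' "${rpm}" >&2; exit 1; }`. The progress line would also be safer as `printf 'signing %s...\n' "${rpm}"` rather than `echo`, since the path is arbitrary data.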