From 38e36e45479665367ef636f84bcb1f7ab7c84a8a Mon Sep 17 00:00:00 2001
From: rob thijssen
Date: Sun, 26 Apr 2026 15:14:37 +0300
Subject: [PATCH] fix(ci): use gpg-agent loopback instead of custom sign command

The custom %__gpg_sign_cmd macro with %{__plaintext_filename} is not supported on modern rpm. Instead, configure gpg-agent for loopback pinentry and let rpm use its default sign command.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .gitea/workflows/build-release.yml | 2 ++
 rpm/rpmmacros | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/build-release.yml b/.gitea/workflows/build-release.yml
index ba8587d..2629557 100644
--- a/.gitea/workflows/build-release.yml
+++ b/.gitea/workflows/build-release.yml
@@ -137,6 +137,8 @@ jobs:
 run: |
 echo "${{ secrets.RPM_SIGNING_KEY }}" | gpg --batch --import
 sed "s/@GPG_NAME@/${{ secrets.RPM_SIGNING_KEY_ID }}/" rpm/rpmmacros > ~/.rpmmacros
+ echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
+ gpgconf --kill gpg-agent

 - name: Sign and publish
 run: ./script/publish-repo.sh rpms/
diff --git a/rpm/rpmmacros b/rpm/rpmmacros
index 6b23b9a..595589d 100644
--- a/rpm/rpmmacros
+++ b/rpm/rpmmacros
@@ -1,2 +1 @@
 %_gpg_name @GPG_NAME@
-%__gpg_sign_cmd %{__gpg} --batch --no-armor --no-tty --pinentry-mode loopback --passphrase '' %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
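Review bot: The added `allow-loopback-pinentry` line in the build-release.yml hunk only permits clients to request loopback pinentry (and GnuPG has, as far as I know, allowed that by default since 2.1.12); it does not make gpg use it, and with the custom `%__gpg_sign_cmd` removed nothing passes `--pinentry-mode loopback` any more. Signing with rpm's default command therefore succeeds unattended only if the key has no passphrase, which the removed `--passphrase ''` suggests; if that is the intent, state it in a comment such as `# signing key has no passphrase; the agent never needs a pinentry`, otherwise also add `echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf`. Because the line is appended with `>>` under `~/.gnupg`, a non-ephemeral runner accumulates duplicate entries and keeps the imported private key after the job, so a throwaway `GNUPGHOME` created with `mktemp -d` and removed at the end of the job would be safer for a release signing key. The step begins above the hunk, so its name and any `env:` settings are not visible here.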