From 9f0116bb2bf18bd937b9a8848876e777933341a1 Mon Sep 17 00:00:00 2001
From: rob thijssen
Date: Sun, 26 Apr 2026 19:58:07 +0300
Subject: [PATCH] fix(ci): override rpm sign command to use gpg backend Fedora 43 defaults to rpm-sequoia for signing which ignores the imported gpg key. Set %__gpg_sign_cmd explicitly to force gpg-based signing with loopback pinentry. Remove diagnostics.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 rpm/rpmmacros | 1 +
 script/publish-repo.sh | 15 +--------------
 2 files changed, 2 insertions(+), 14 deletions(-)
diff --git a/rpm/rpmmacros b/rpm/rpmmacros
index 595589d..8004687 100644
--- a/rpm/rpmmacros
+++ b/rpm/rpmmacros
@@ -1 +1,2 @@
 %_gpg_name @GPG_NAME@
+%__gpg_sign_cmd %{__gpg} --batch --verbose --no-armor --pinentry-mode loopback --passphrase '' --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} -- %{__plaintext_filename}
diff --git a/script/publish-repo.sh b/script/publish-repo.sh
index 77682d4..6352b81 100755
--- a/script/publish-repo.sh
+++ b/script/publish-repo.sh
@@ -7,22 +7,9 @@ RPM_DIR="${1%/}"
 REMOTE_DIR="/var/www/rpm/fedora/${FEDORA_VERSION}/x86_64"
 # sign each rpm with the imported gpg key
-echo "rpmmacros:"
-cat ~/.rpmmacros
-echo "gpg keys:"
-gpg --list-secret-keys --keyid-format long
-ls -la "${RPM_DIR}"/*.rpm
-
-echo "testing gpg signing directly..."
-echo test | gpg --batch --pinentry-mode loopback --passphrase '' --sign --armor -u "$(rpm --eval '%{_gpg_name}')" 2>&1 || echo "direct gpg sign failed"
-
-echo "rpm macro expansion:"
-rpm --eval '%{__gpg}' 2>&1
-rpm --eval '%{_gpg_name}' 2>&1
-
 for rpm in "${RPM_DIR}"/*.rpm; do
 echo "signing ${rpm}..."
- rpmsign --addsign "${rpm}" --verbose 2>&1 || {
+ rpm --addsign "${rpm}" 2>&1 || {
 echo "failed to sign ${rpm}" >&2
 exit 1
 }
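Review bot: The new `%__gpg_sign_cmd` puts `--batch` directly after `%{__gpg}`, while rpm's stock definition repeats the program name there, because the signer has historically executed the first word and passed the remaining words as argv, so the word after the path becomes argv[0]. If the rpm on Fedora 43 still behaves that way, `--batch` is silently dropped and gpg is not guaranteed to stay non-interactive in CI; I would write `%__gpg_sign_cmd %{__gpg} gpg --batch --verbose --no-armor ...` and confirm by signing a test package. Separately, `--passphrase ''` fixes the release key as passphrase-less, so its only protection is the CI secret store and the runner's keyring; a `#` comment above the macro stating that assumption, or a passphrase supplied through `--passphrase-file`, would make the trust decision explicit. `%{__signature_filename}` and `%{__plaintext_filename}` are also left unquoted, unlike `%{_gpg_name}`.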
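Review bot: Nothing after `rpm --addsign "${rpm}" 2>&1` confirms that the package now carries a signature from the expected key; the loop trusts the exit status alone. The commit message describes a signing backend that ignored the imported key, so a verification step before upload, for example `rpm --checksig "${rpm}"` after importing the repository's public key, would keep an unsigned or wrongly signed package from being published. The `for` loop closes outside this hunk, so a later check may already exist that is not visible here.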