Sign multiple rpms with one command

May06

Sign multiple rpms with one command

Posted by Karanbir Singh on 06/May/2011 ~ Posted in: Linux, Sysadmin

Trying to sign a bunch of rpms usually means having to type in your password for the gpg key multiple times, once for each rpm. However, you can avoid doing that with this :

rpm --resign `find . -name *.rpm`

That will only prompt you once for the key passphrase, and sign all the packages it finds under that directory.

- KB

9 comments

Comment from: Michael Stahnke [Visitor]

You can also just sign *.rpm

06/May/2011 @ 21:46

Comment from: Slubek [Visitor]

What about "rpm --resign *.rpm" ?

07/May/2011 @ 05:50

Comment from: Karanbir Singh [Member]

sure, you can do a rpm --resign *.rpm; but obviously that only works if all your rpms are in the same directory. Most repo layouts seperate the packages into subdir's based in arch. Depending on how many packages there are and what processing is being done per arch/dir; you could be there for a while waiting for the next time you need to enter your key pass phrase.

07/May/2011 @ 05:59

Comment from: Mathieu Baudier [Visitor]

I'm using a similar approach (but with the explicit path {stable,testing}/5/{SRPMS,i386,x86_64}/*.rpm) The problem is that already signed packages get "touched" even if rpm --sign says that they were already signed with the same key.
So they get transferred by rsync as well afterwards even if that would not be needed.
I wish I could find a better approach or that rpm would leave already signed packaged untouched.

08/May/2011 @ 04:25

Comment from: Karanbir Singh [Member]

Mathieu,

I tend to not run the --addsign / --resign in the repo itself. As the first step, packages are downloaded from the buildsystem and put into an empty repo ( so there is nothing else except for the newly built packages ). Then run the rpm --addsign and do any tests ( like making sure the multilib stuff is in place ), before moving these packages with an rsync into the production repo. Once there, generate the metadata with createrepo.

- KB

08/May/2011 @ 06:45

Comment from: Mathieu Baudier [Visitor]

Actually the public repo is on a separate server, but it is a sync of a repo on the build server which is in turn used during the build. So update of the public repo happen only for a batch of packages when everything is ok with a given set of builds.

But I think that we somehow need to add the intermediate step that you describe. It doesn't feel right to run --resign on everything each time (and it takes unnecessary time).

Do you have a simple way to check for multilib issues?

Thanks for the tips!

08/May/2011 @ 10:23

Comment from: Pix [Visitor]

What about eval `gpg-agent --daemon` ? :)

09/May/2011 @ 02:45

Comment from: Bucky [Visitor]

As a sort of an almost-off-topic comment, I've fallen in love with the $() syntax to replace the backtick syntax:

rpm --resign $(find . -name *.rpm)

It nests really nicely, too.

13/May/2011 @ 20:39

Comment from: Ljubomir Ljubojevic [Visitor]

For easier tracking, I use subfolders in my repository (for mrepo source) separating subgroups of packages. After mrepo is done with them, subdirectories are gone, everything is one repo directory, but this really helps separating and quickly finding packages.

Files in subfolders where not shown by "find . -name *.rpm", so I used following instead:

rpmsign --resign `find . | grep .rpm`

20/May/2011 @ 14:36

This post has 6 feedbacks awaiting moderation...

Comment feed for this post

Karanbir Singh - Thinkability

Sign multiple rpms with one command

9 comments

Leave a comment

Search

Categories

XML Feeds