rpmbs, rpmpub: add -B option for batch sign mode (without tty)

896602b0 · Vitaly Lipatov · c73d93a5 · 896602b0 · 896602b0
Commit 896602b0 authored Dec 25, 2025 by Vitaly Lipatov
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 4 deletions

rpmbs bin/rpmbs +18 -2

rpmpub bin/rpmpub +9 -2

No files found.
--- a/bin/rpmbs
+++ b/bin/rpmbs
@@ -35,6 +35,7 @@ DELETENOW=
 POCKET=
 PREPARETASK=
 TASKNUMBER=
+BATCHSIGN=

 #############################
 Usage="Usage: $name [GIRAR] [-b REPONAME] [-p POCKET] [-s|-t|-u|-a|-A|-c] [-o -z -n -p --nodeps] [-k [TARGETDIR]] [spec or src.rpm]..."
@@ -65,6 +66,7 @@ phelp()
 	echog "   -f           force operation (overwrite tag)"
 	echog "   -F           force operation (overwrite tag) and run task after add"
 	echog "   -s           sign package(s) (and move it to dir ETERDESTSRPM if defined)"
+	echog "   -B           batch sign mode (for scripts without tty)"
 	echog "   -t           set tag with sign"
 	echog "   -T           set tag"
 	echog "   -n           do not check with sisyphus_check before upload"
@@ -74,10 +76,11 @@ phelp()
 #	echog " -d - remove package(s) from SRPMS and Incoming"
 }

-while getopts :hfFstTcudenop:a:Ab:wz opt; do
+while getopts :hfFstTcudenop:a:Ab:wzB opt; do
    case $opt in
    h) phelp; exit 0;;
    s) SIGN=1 ;;
+    B) BATCHSIGN=1 ;;
    t) SIGNTAG=1 ;;
    T) SETTAG=1 ;;
    f) FORCE="-f" ;;
@@ -381,7 +384,20 @@ fi

 echog "Will try to sign follow packages with GPG: \$LISTBUILT"
 # 1. only rpm command has --addsign 2. do 3 retries
-docmd rpm --addsign $LISTBUILT || docmd rpm --addsign $LISTBUILT || docmd rpm --addsign $LISTBUILT
+RPMSIGNARGS=""
+if [ -n "$BATCHSIGN" ] ; then
+	# check if gpg-agent is unlocked
+	if ! echo test | gpg --batch --pinentry-mode loopback -s > /dev/null 2>&1 ; then
+		echo
+		echog "GPG agent is not ready for batch signing."
+		echog "Please unlock it first in a terminal with tty:"
+		echog "  $ echo test | gpg --clearsign > /dev/null"
+		echog "Or use gpg-preset-passphrase to cache the passphrase."
+		exit 1
+	fi
+	RPMSIGNARGS='--define=__gpg_sign_cmd %{__gpg} gpg --batch --pinentry-mode loopback --no-armor -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}'
+fi
+docmd rpm $RPMSIGNARGS --addsign $LISTBUILT || docmd rpm $RPMSIGNARGS --addsign $LISTBUILT || docmd rpm $RPMSIGNARGS --addsign $LISTBUILT
 RET=$?
 if [ ! "$RET" = "0" ] ; then
 	echog "Impossible to sign package. Check your password and try again."

--- a/bin/rpmpub
+++ b/bin/rpmpub
@@ -19,11 +19,12 @@ test -f ~/.config/korinf  && . ~/.config/korinf

 if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
 	echog "rpmpub - Etersoft specific script for publish gear repo to target ftp dir as src.rpm"
-	echog "Usage: rpmpub [-f] [-r PROJECTVERSION ] [SPEC] [TARGETDIR]"
+	echog "Usage: rpmpub [-f] [-B] [-r PROJECTVERSION ] [SPEC] [TARGETDIR]"
 	echo
 	echog "Options:"
 	echog "   -f                 force set tag"
 	echog "   -s                 skip set tag"
+	echog "   -B                 batch sign mode (for scripts without tty)"
 	echog "   -r PROJECTVERSION  set other project version (PROJECTVERSION/sources)"
 	echog "   TARGETDIR          copy signed src.rpm package to TARGETDIR (f.i., /tmp/some_version/sources)"
 	echog "                      By default used path from Source: spec field. "
@@ -37,6 +38,12 @@ if [ "$1" = "-f" ] ; then
 	shift
 fi

+BATCHSIGN=
+if [ "$1" = "-B" ] ; then
+	BATCHSIGN=$1
+	shift
+fi
+
 SETTAG=-s
 if [ "$1" = "-s" ] ; then
 	SETTAG=
@@ -100,7 +107,7 @@ else
 fi

 # just for your information: rpmbs supports ssh-like target
-docmd $ETERBUILDBIN/rpmbs $FORCE $SETTAG $SPECNAME || fatal "Can't build SRPMS"
+docmd $ETERBUILDBIN/rpmbs $FORCE $BATCHSIGN $SETTAG $SPECNAME || fatal "Can't build SRPMS"

 # if known target and last link already exists
 if [ -n "$ALPHA" ] && [ -L "$ETERDESTSRPM/../../last" ] ; then