From fc8ac1bb9d99c44b19b6ecf2c0bbac4a05116ad5 Mon Sep 17 00:00:00 2001 From: pvinh-spike <81987648+pvinh-spike@users.noreply.github.com> Date: Mon, 28 Oct 2024 13:49:53 -0700 Subject: [PATCH 1/3] Add setting GPG trust level. --- action.yaml | 142 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 action.yaml diff --git a/action.yaml b/action.yaml new file mode 100644 index 0000000..b1befb0 --- /dev/null +++ b/action.yaml 
@@ -0,0 +1,142 @@ +name: 'Setup GPG' +description: 'Configures this action to run gpg with a given key and pass' +inputs: + gpg-private-key: + description: 'GPG private key exported as an ASCII armored version or its base64 encoding' + required: true + gpg-key-pass: + description: 'Passphrase of the GPG private key' + required: true + gpg-public-key: + description: 'GPG public key exported as an ASCII armored version or its base64 encoding' + required: true + gpg-key-name: + description: 'GPG key name' + required: true + default: 'aerospike-inc' + gpg-trust-level: + description: 'Set key trust level' + required: false + default: 5 +runs: + using: "composite" + steps: + - name: "check if private key is empty" + env: + GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }} + if: ${{ env.GPG_PRIVATE_KEY == '' }} + run: | + echo "The gpg-private-key was empty" + exit 1 + shell: bash + - name: "check if public key is empty" + env: + GPG_PUBLIC_KEY: ${{ inputs.gpg-public-key }} + if: ${{ env.GPG_PUBLIC_KEY == '' }} + run: | + echo "The gpg-public-key was empty" + exit 1 + shell: bash + - name: "check if key name is empty" + env: + GPG_ID: ${{ inputs.gpg-key-name }} + if: ${{ env.GPG_ID == '' }} + run: | + echo "The gpg-key-name was empty" + exit 1 + shell: bash + - name: "check if key pass is empty" + env: + GPG_PASS: ${{ inputs.gpg-key-pass }} + if: ${{ env.GPG_PASS == '' }} + run: | + echo "The secret gpg-key-pass was empty" + exit 1 + shell: bash + - name: install tools + run: | + sudo apt-get update && sudo apt-get install ca-certificates gnupg dpkg-dev rpm dpkg-sig expect -y + shell: bash + - name: Set up GPG + env: + GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }} + GPG_PASS: ${{ inputs.gpg-key-pass }} + GPG_ID: ${{ inputs.gpg-key-name }} + GPG_PUBLIC_KEY: ${{ inputs.gpg-public-key }} + GPG_TRUST_LEVEL: ${{ inputs.gpg-trust-level }} + RPM_MACROS: | + %_signature gpg + %_gpg_path ~/.gnupg + %_gpg_name Aerospike + %__gpg_check_password_cmd /bin/true + %_gpgbin /usr/bin/gpg + 
%__gpg /usr/bin/gpg + %__gpg_sign_cmd %{__gpg} \ + gpg \ + --pinentry-mode loopback \ + --batch \ + --verbose \ + --no-armor \ + --no-secmem-warning \ + --passphrase-file /home/runner/.gnupg/.pass \ + --digest-algo sha256 \ + -u "%{_gpg_name}" \ + -sbo %{__signature_filename} %{__plaintext_filename} + SET_TRUST_LEVEL: | + #!/bin/bash + + # Set the key ID and the desired trust level + KEY_ID=$1 # Pass the key ID or fingerprint as an argument + TRUST_LEVEL=$2 # Pass the trust level as an argument (1-5) + + # Check if both arguments are provided + if [ -z "$KEY_ID" ] || [ -z "$TRUST_LEVEL" ]; then + echo "Usage: $0 " + echo "Trust levels: 1 = I don't trust, 2 = I do NOT trust, 3 = I trust marginally, 4 = I trust fully, 5 = I trust ultimately" + exit 1 + fi + + # Check if the provided trust level is valid + if [[ "$TRUST_LEVEL" -lt 1 || "$TRUST_LEVEL" -gt 5 ]]; then + echo "Invalid trust level. Trust levels: 1-5" + exit 1 + fi + + # Use 'expect' to automate gpg trust level interaction + expect << EOF + spawn gpg --edit-key $KEY_ID + expect "gpg>" + send "trust\r" + expect "Your decision?" + send "$TRUST_LEVEL\r" + expect "Do you really want to set this key to ultimate trust? 
(y/N)" + send "y\r" + expect "gpg>" + send "save\r" + expect eof + EOF + run: | + # Setup gpg + mkdir -p ~/.gnupg + chmod 700 ~/.gnupg + echo "$GPG_PRIVATE_KEY" | gpg --import --batch --yes + echo "$GPG_PASS" + echo -e "$SET_TRUST_LEVEL" > ~/set-gpg-trust.sh + chmod a+x ~/set-gpg-trust.sh + ~/set-gpg-trust.sh "$GPG_ID" "$GPG_TRUST_LEVEL" + + # configure for non-interactive use + export GPG_TTY=no-tty + echo -e "pinentry-mode loopback\nuse-agent" >> ~/.gnupg/gpg.conf + echo -e "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf + + # configure rpm's + echo -e "$GPG_PASS" >> ~/.gnupg/.pass + echo -e "$GPG_PUBLIC_KEY" >> ~/.gnupg/.public_key.asc + echo -e "$RPM_MACROS" > ~/.rpmmacros + #cp setup-gpg/.rpmmacros ~/.rpmmacros + rpm --import ~/.gnupg/.public_key.asc + + # reload agent + gpg-connect-agent reloadagent /bye + shell: bash From 77389639a6b40a010f66ed38148e2d6b2f88b874 Mon Sep 17 00:00:00 2001 From: pvinh-spike <81987648+pvinh-spike@users.noreply.github.com> Date: Mon, 28 Oct 2024 14:00:27 -0700 Subject: [PATCH 2/3] Correcting file path. --- action.yaml | 142 ----------------------------------- devops/setup-gpg/action.yaml | 130 ++++++++++++++++++++++---------- 2 files changed, 91 insertions(+), 181 deletions(-) delete mode 100644 action.yaml diff --git a/action.yaml b/action.yaml deleted file mode 100644 index b1befb0..0000000 --- a/action.yaml +++ /dev/null 
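Review bot: `echo "$GPG_PASS"` in the `Set up GPG` run block writes the key passphrase to the job log for no purpose, and the later `echo -e "$GPG_PASS" >> ~/.gnupg/.pass` creates the passphrase file under the default umask, which `chmod 700 ~/.gnupg` on the directory does not tighten. Remove the echo and create the file with `(umask 077; printf '%s\n' "$GPG_PASS" > ~/.gnupg/.pass)`: `printf` keeps backslash sequences in a passphrase intact where `echo -e` rewrites them, and `>` instead of `>>` stops a re-run of the action from leaving two lines in the file. The same lines are carried into the `devops/setup-gpg/action.yaml` hunks of the second patch and, as `~/pass`, into the third.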
@@ -1,142 +0,0 @@ -name: 'Setup GPG' -description: 'Configures this action to run gpg with a given key and pass' -inputs: - gpg-private-key: - description: 'GPG private key exported as an ASCII armored version or its base64 encoding' - required: true - gpg-key-pass: - description: 'Passphrase of the GPG private key' - required: true - gpg-public-key: - description: 'GPG public key exported as an ASCII armored version or its base64 encoding' - required: true - gpg-key-name: - description: 'GPG key name' - required: true - default: 'aerospike-inc' - gpg-trust-level: - description: 'Set key trust level' - required: false - default: 5 -runs: - using: "composite" - steps: - - name: "check if private key is empty" - env: - GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }} - if: ${{ env.GPG_PRIVATE_KEY == '' }} - run: | - echo "The gpg-private-key was empty" - exit 1 - shell: bash - - name: "check if public key is empty" - env: - GPG_PUBLIC_KEY: ${{ inputs.gpg-public-key }} - if: ${{ env.GPG_PUBLIC_KEY == '' }} - run: | - echo "The gpg-public-key was empty" - exit 1 - shell: bash - - name: "check if key name is empty" - env: - GPG_ID: ${{ inputs.gpg-key-name }} - if: ${{ env.GPG_ID == '' }} - run: | - echo "The gpg-key-name was empty" - exit 1 - shell: bash - - name: "check if key pass is empty" - env: - GPG_PASS: ${{ inputs.gpg-key-pass }} - if: ${{ env.GPG_PASS == '' }} - run: | - echo "The secret gpg-key-pass was empty" - exit 1 - shell: bash - - name: install tools - run: | - sudo apt-get update && sudo apt-get install ca-certificates gnupg dpkg-dev rpm dpkg-sig expect -y - shell: bash - - name: Set up GPG - env: - GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }} - GPG_PASS: ${{ inputs.gpg-key-pass }} - GPG_ID: ${{ inputs.gpg-key-name }} - GPG_PUBLIC_KEY: ${{ inputs.gpg-public-key }} - GPG_TRUST_LEVEL: ${{ inputs.gpg-trust-level }} - RPM_MACROS: | - %_signature gpg - %_gpg_path ~/.gnupg - %_gpg_name Aerospike - %__gpg_check_password_cmd /bin/true - %_gpgbin /usr/bin/gpg - 
%__gpg /usr/bin/gpg - %__gpg_sign_cmd %{__gpg} \ - gpg \ - --pinentry-mode loopback \ - --batch \ - --verbose \ - --no-armor \ - --no-secmem-warning \ - --passphrase-file /home/runner/.gnupg/.pass \ - --digest-algo sha256 \ - -u "%{_gpg_name}" \ - -sbo %{__signature_filename} %{__plaintext_filename} - SET_TRUST_LEVEL: | - #!/bin/bash - - # Set the key ID and the desired trust level - KEY_ID=$1 # Pass the key ID or fingerprint as an argument - TRUST_LEVEL=$2 # Pass the trust level as an argument (1-5) - - # Check if both arguments are provided - if [ -z "$KEY_ID" ] || [ -z "$TRUST_LEVEL" ]; then - echo "Usage: $0 " - echo "Trust levels: 1 = I don't trust, 2 = I do NOT trust, 3 = I trust marginally, 4 = I trust fully, 5 = I trust ultimately" - exit 1 - fi - - # Check if the provided trust level is valid - if [[ "$TRUST_LEVEL" -lt 1 || "$TRUST_LEVEL" -gt 5 ]]; then - echo "Invalid trust level. Trust levels: 1-5" - exit 1 - fi - - # Use 'expect' to automate gpg trust level interaction - expect << EOF - spawn gpg --edit-key $KEY_ID - expect "gpg>" - send "trust\r" - expect "Your decision?" - send "$TRUST_LEVEL\r" - expect "Do you really want to set this key to ultimate trust? 
(y/N)" - send "y\r" - expect "gpg>" - send "save\r" - expect eof - EOF - run: | - # Setup gpg - mkdir -p ~/.gnupg - chmod 700 ~/.gnupg - echo "$GPG_PRIVATE_KEY" | gpg --import --batch --yes - echo "$GPG_PASS" - echo -e "$SET_TRUST_LEVEL" > ~/set-gpg-trust.sh - chmod a+x ~/set-gpg-trust.sh - ~/set-gpg-trust.sh "$GPG_ID" "$GPG_TRUST_LEVEL" - - # configure for non-interactive use - export GPG_TTY=no-tty - echo -e "pinentry-mode loopback\nuse-agent" >> ~/.gnupg/gpg.conf - echo -e "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf - - # configure rpm's - echo -e "$GPG_PASS" >> ~/.gnupg/.pass - echo -e "$GPG_PUBLIC_KEY" >> ~/.gnupg/.public_key.asc - echo -e "$RPM_MACROS" > ~/.rpmmacros - #cp setup-gpg/.rpmmacros ~/.rpmmacros - rpm --import ~/.gnupg/.public_key.asc - - # reload agent - gpg-connect-agent reloadagent /bye - shell: bash diff --git a/devops/setup-gpg/action.yaml b/devops/setup-gpg/action.yaml index 0914589..b1befb0 100644 --- a/devops/setup-gpg/action.yaml +++ b/devops/setup-gpg/action.yaml 
@@ -1,67 +1,129 @@ name: 'Setup GPG' description: 'Configures this action to run gpg with a given key and pass' inputs: - gpg-private-key: # id of input + gpg-private-key: + description: 'GPG private key exported as an ASCII armored version or its base64 encoding' required: true - gpg-key-pass: # id of input + gpg-key-pass: + description: 'Passphrase of the GPG private key' required: true - gpg-key-name: # id of input - required: true - default: "Aerospike" gpg-public-key: description: 'GPG public key exported as an ASCII armored version or its base64 encoding' required: true + gpg-key-name: + description: 'GPG key name' + required: true + default: 'aerospike-inc' + gpg-trust-level: + description: 'Set key trust level' + required: false + default: 5 runs: using: "composite" steps: - - name: "check if private key is not empty" + - name: "check if private key is empty" env: - PRIVATE_KEY: ${{ inputs.gpg-private-key }} - if: ${{ env.PRIVATE_KEY == '' }} + GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }} + if: ${{ env.GPG_PRIVATE_KEY == '' }} run: | - echo "the gpg-private-key was empty" + echo "The gpg-private-key was empty" exit 1 shell: bash - - name: "check if key name is not empty" - env: - KEY_NAME: ${{ inputs.gpg-key-name }} - if: ${{ env.KEY_NAME == '' }} + - name: "check if public key is empty" + env: + GPG_PUBLIC_KEY: ${{ inputs.gpg-public-key }} + if: ${{ env.GPG_PUBLIC_KEY == '' }} run: | - echo "the gpg-key-name was empty" + echo "The gpg-public-key was empty" exit 1 shell: bash - - name: "check if key pass is not empty" + - name: "check if key name is empty" env: - KEY_PASS: ${{ inputs.gpg-key-pass }} - if: ${{ env.KEY_PASS == '' }} + GPG_ID: ${{ inputs.gpg-key-name }} + if: ${{ env.GPG_ID == '' }} run: | - echo "the secret gpg-key-pass was empty" + echo "The gpg-key-name was empty" exit 1 shell: bash - - name: "check if public key pass is empty" + - name: "check if key pass is empty" env: - PUBLIC_KEY: ${{ inputs.gpg-public-key }} - if: ${{ env.PUBLIC_KEY 
== '' }} + GPG_PASS: ${{ inputs.gpg-key-pass }} + if: ${{ env.GPG_PASS == '' }} run: | - echo "the secret gpg-public-pass was empty" + echo "The secret gpg-key-pass was empty" exit 1 shell: bash - name: install tools run: | - sudo apt-get update && sudo apt-get install ca-certificates gnupg dpkg-dev dpkg-sig rpm -y + sudo apt-get update && sudo apt-get install ca-certificates gnupg dpkg-dev rpm dpkg-sig expect -y shell: bash - name: Set up GPG env: GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }} - GPG_KEY_PASS: ${{ inputs.gpg-key-pass }} + GPG_PASS: ${{ inputs.gpg-key-pass }} GPG_ID: ${{ inputs.gpg-key-name }} GPG_PUBLIC_KEY: ${{ inputs.gpg-public-key }} + GPG_TRUST_LEVEL: ${{ inputs.gpg-trust-level }} + RPM_MACROS: | + %_signature gpg + %_gpg_path ~/.gnupg + %_gpg_name Aerospike + %__gpg_check_password_cmd /bin/true + %_gpgbin /usr/bin/gpg + %__gpg /usr/bin/gpg + %__gpg_sign_cmd %{__gpg} \ + gpg \ + --pinentry-mode loopback \ + --batch \ + --verbose \ + --no-armor \ + --no-secmem-warning \ + --passphrase-file /home/runner/.gnupg/.pass \ + --digest-algo sha256 \ + -u "%{_gpg_name}" \ + -sbo %{__signature_filename} %{__plaintext_filename} + SET_TRUST_LEVEL: | + #!/bin/bash + + # Set the key ID and the desired trust level + KEY_ID=$1 # Pass the key ID or fingerprint as an argument + TRUST_LEVEL=$2 # Pass the trust level as an argument (1-5) + + # Check if both arguments are provided + if [ -z "$KEY_ID" ] || [ -z "$TRUST_LEVEL" ]; then + echo "Usage: $0 " + echo "Trust levels: 1 = I don't trust, 2 = I do NOT trust, 3 = I trust marginally, 4 = I trust fully, 5 = I trust ultimately" + exit 1 + fi + + # Check if the provided trust level is valid + if [[ "$TRUST_LEVEL" -lt 1 || "$TRUST_LEVEL" -gt 5 ]]; then + echo "Invalid trust level. Trust levels: 1-5" + exit 1 + fi + + # Use 'expect' to automate gpg trust level interaction + expect << EOF + spawn gpg --edit-key $KEY_ID + expect "gpg>" + send "trust\r" + expect "Your decision?" 
+ send "$TRUST_LEVEL\r" + expect "Do you really want to set this key to ultimate trust? (y/N)" + send "y\r" + expect "gpg>" + send "save\r" + expect eof + EOF run: | # Setup gpg mkdir -p ~/.gnupg chmod 700 ~/.gnupg echo "$GPG_PRIVATE_KEY" | gpg --import --batch --yes - echo "$GPG_KEY_PASS" + echo "$GPG_PASS" + echo -e "$SET_TRUST_LEVEL" > ~/set-gpg-trust.sh + chmod a+x ~/set-gpg-trust.sh + ~/set-gpg-trust.sh "$GPG_ID" "$GPG_TRUST_LEVEL" # configure for non-interactive use export GPG_TTY=no-tty @@ -69,21 +131,11 @@ runs: echo -e "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf # configure rpm's - echo -e "$GPG_KEY_PASS" >> ~/pass - echo -e "%_signature gpg" >> ~/.rpmmacros - echo -e "%_gpg_path ~/.gnupg" >> ~/.rpmmacros - echo -e "%_gpg_name $GPG_ID" >> ~/.rpmmacros - echo -e "%_gpgbin /usr/bin/gpg" >> ~/.rpmmacros - echo -e "%__gpg /usr/bin/gpg" >> ~/.rpmmacros - echo -e "%__gpg_sign_cmd %{__gpg} \\" >> ~/.rpmmacros - echo -e "gpg --no-verbose --batch --no-tty --passphrase-file /home/runner/pass --pinentry-mode loopback \\" >> ~/.rpmmacros - echo -e " %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} \\" >> ~/.rpmmacros - echo -e " --no-secmem-warning \\" >> ~/.rpmmacros - echo -e " -u '%{_gpg_name}' -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros - - # public key for verification + echo -e "$GPG_PASS" >> ~/.gnupg/.pass echo -e "$GPG_PUBLIC_KEY" >> ~/.gnupg/.public_key.asc - rpm --import ~/.gnupg/.public_key.asc + echo -e "$RPM_MACROS" > ~/.rpmmacros + #cp setup-gpg/.rpmmacros ~/.rpmmacros + rpm --import ~/.gnupg/.public_key.asc # reload agent gpg-connect-agent reloadagent /bye From 4c8ff56d66610bae19d13ecf61785e0594c872a0 Mon Sep 17 00:00:00 2001 From: pvinh-spike <81987648+pvinh-spike@users.noreply.github.com> Date: Fri, 1 Nov 2024 08:52:53 -0700 Subject: [PATCH 3/3] Add setting key trust level. --- devops/setup-gpg/action.yaml | 89 ++++++++++++++++-------------------- 1 file changed, 39 insertions(+), 50 deletions(-) 
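Review bot: In `SET_TRUST_LEVEL`, the `expect "Do you really want to set this key to ultimate trust? (y/N)"` prompt only appears when the answer to `Your decision?` is 5; for levels 1-4 expect waits out its default timeout, then sends `y` to the `gpg>` prompt, and since the script never checks expect's result the step succeeds whether or not the trust was changed. `spawn gpg --edit-key $KEY_ID` also passes the name unquoted, so a key name containing a space becomes two arguments. gpg has a non-interactive way to do this, `gpg --import-ownertrust`, which takes `FINGERPRINT:LEVEL:` records with level 2 (unknown) to 6 (ultimate); resolving the name to a fingerprint first and piping that record in removes the need for a pseudo-terminal, the `expect` package in the install step, and the prompt matching. The `run` block of this step continues into the next hunk.
```yaml
        SET_TRUST_LEVEL: |
          #!/bin/bash
          set -euo pipefail
          # … unchanged: KEY_ID / TRUST_LEVEL argument and 1-5 range checks …

          # Resolve the name or key ID to a fingerprint so the ownertrust record is unambiguous
          FPR=$(gpg --batch --with-colons --fingerprint "$KEY_ID" | awk -F: '/^fpr:/ { print $10; exit }')
          if [ -z "$FPR" ]; then
            echo "No key matching '$KEY_ID' in the keyring"
            exit 1
          fi

          # ownertrust records use 2 (unknown) .. 6 (ultimate); the 1-5 menu value maps by +1
          echo "${FPR}:$((TRUST_LEVEL + 1)):" | gpg --batch --import-ownertrust
```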
diff --git a/devops/setup-gpg/action.yaml b/devops/setup-gpg/action.yaml index b1befb0..9bb995e 100644 --- a/devops/setup-gpg/action.yaml +++ b/devops/setup-gpg/action.yaml @@ -1,19 +1,16 @@ name: 'Setup GPG' description: 'Configures this action to run gpg with a given key and pass' inputs: - gpg-private-key: - description: 'GPG private key exported as an ASCII armored version or its base64 encoding' + gpg-private-key: # id of input required: true - gpg-key-pass: - description: 'Passphrase of the GPG private key' + gpg-key-pass: # id of input required: true + gpg-key-name: # id of input + required: true + default: "Aerospike" gpg-public-key: description: 'GPG public key exported as an ASCII armored version or its base64 encoding' required: true - gpg-key-name: - description: 'GPG key name' - required: true - default: 'aerospike-inc' gpg-trust-level: description: 'Set key trust level' required: false 
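Review bot: The `description` fields for `gpg-private-key`, `gpg-key-pass` and `gpg-key-name` are replaced by `# id of input` comments, which neither the Actions UI nor a reader of `inputs:` gets any information from; the private-key and passphrase descriptions existed on the old side and should stay, e.g. `description: 'Passphrase of the GPG private key'`. `gpg-key-name` also gets the new default `"Aerospike"` and is used in later hunks both as `%_gpg_name` and as the selector for the trust script; a description saying whether a user-id substring or a key ID/fingerprint is expected would stop callers from passing a name that matches more than one key. The `inputs:` mapping continues past the hunk (`gpg-trust-level` is cut at `required: false`).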
@@ -21,67 +18,49 @@ inputs: runs: using: "composite" steps: - - name: "check if private key is empty" + - name: "check if private key is not empty" env: - GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }} - if: ${{ env.GPG_PRIVATE_KEY == '' }} + PRIVATE_KEY: ${{ inputs.gpg-private-key }} + if: ${{ env.PRIVATE_KEY == '' }} run: | - echo "The gpg-private-key was empty" + echo "the gpg-private-key was empty" exit 1 shell: bash - - name: "check if public key is empty" - env: - GPG_PUBLIC_KEY: ${{ inputs.gpg-public-key }} - if: ${{ env.GPG_PUBLIC_KEY == '' }} + - name: "check if key name is not empty" + env: + KEY_NAME: ${{ inputs.gpg-key-name }} + if: ${{ env.KEY_NAME == '' }} run: | - echo "The gpg-public-key was empty" + echo "the gpg-key-name was empty" exit 1 shell: bash - - name: "check if key name is empty" + - name: "check if key pass is not empty" env: - GPG_ID: ${{ inputs.gpg-key-name }} - if: ${{ env.GPG_ID == '' }} + KEY_PASS: ${{ inputs.gpg-key-pass }} + if: ${{ env.KEY_PASS == '' }} run: | - echo "The gpg-key-name was empty" + echo "the secret gpg-key-pass was empty" exit 1 shell: bash - - name: "check if key pass is empty" + - name: "check if public key pass is empty" env: - GPG_PASS: ${{ inputs.gpg-key-pass }} - if: ${{ env.GPG_PASS == '' }} + PUBLIC_KEY: ${{ inputs.gpg-public-key }} + if: ${{ env.PUBLIC_KEY == '' }} run: | - echo "The secret gpg-key-pass was empty" + echo "the secret gpg-public-pass was empty" exit 1 shell: bash - name: install tools run: | - sudo apt-get update && sudo apt-get install ca-certificates gnupg dpkg-dev rpm dpkg-sig expect -y + sudo apt-get update && sudo apt-get install ca-certificates gnupg dpkg-dev dpkg-sig rpm expect -y shell: bash - name: Set up GPG env: GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }} - GPG_PASS: ${{ inputs.gpg-key-pass }} + GPG_KEY_PASS: ${{ inputs.gpg-key-pass }} GPG_ID: ${{ inputs.gpg-key-name }} GPG_PUBLIC_KEY: ${{ inputs.gpg-public-key }} GPG_TRUST_LEVEL: ${{ inputs.gpg-trust-level }} - RPM_MACROS: | 
- %_signature gpg - %_gpg_path ~/.gnupg - %_gpg_name Aerospike - %__gpg_check_password_cmd /bin/true - %_gpgbin /usr/bin/gpg - %__gpg /usr/bin/gpg - %__gpg_sign_cmd %{__gpg} \ - gpg \ - --pinentry-mode loopback \ - --batch \ - --verbose \ - --no-armor \ - --no-secmem-warning \ - --passphrase-file /home/runner/.gnupg/.pass \ - --digest-algo sha256 \ - -u "%{_gpg_name}" \ - -sbo %{__signature_filename} %{__plaintext_filename} SET_TRUST_LEVEL: | #!/bin/bash @@ -120,7 +99,7 @@ runs: mkdir -p ~/.gnupg chmod 700 ~/.gnupg echo "$GPG_PRIVATE_KEY" | gpg --import --batch --yes - echo "$GPG_PASS" + echo "$GPG_KEY_PASS" echo -e "$SET_TRUST_LEVEL" > ~/set-gpg-trust.sh chmod a+x ~/set-gpg-trust.sh ~/set-gpg-trust.sh "$GPG_ID" "$GPG_TRUST_LEVEL" @@ -131,11 +110,21 @@ runs: echo -e "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf # configure rpm's - echo -e "$GPG_PASS" >> ~/.gnupg/.pass + echo -e "$GPG_KEY_PASS" >> ~/pass + echo -e "%_signature gpg" >> ~/.rpmmacros + echo -e "%_gpg_path ~/.gnupg" >> ~/.rpmmacros + echo -e "%_gpg_name $GPG_ID" >> ~/.rpmmacros + echo -e "%_gpgbin /usr/bin/gpg" >> ~/.rpmmacros + echo -e "%__gpg /usr/bin/gpg" >> ~/.rpmmacros + echo -e "%__gpg_sign_cmd %{__gpg} \\" >> ~/.rpmmacros + echo -e "gpg --no-verbose --batch --no-tty --passphrase-file /home/runner/pass --pinentry-mode loopback \\" >> ~/.rpmmacros + echo -e " %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} \\" >> ~/.rpmmacros + echo -e " --no-secmem-warning \\" >> ~/.rpmmacros + echo -e " -u '%{_gpg_name}' -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros + + # public key for verification echo -e "$GPG_PUBLIC_KEY" >> ~/.gnupg/.public_key.asc - echo -e "$RPM_MACROS" > ~/.rpmmacros - #cp setup-gpg/.rpmmacros ~/.rpmmacros - rpm --import ~/.gnupg/.public_key.asc + rpm --import ~/.gnupg/.public_key.asc # reload agent gpg-connect-agent reloadagent /bye
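Review bot: The renamed steps `check if private key is not empty`, `check if key name is not empty` and `check if key pass is not empty` run exactly when the value is empty (`if: ${{ env.PRIVATE_KEY == '' }}`), so the names state the opposite of the condition; the previous names (`check if private key is empty`) were accurate. The fourth check is mislabeled as well: it tests `inputs.gpg-public-key` but is called `check if public key pass is empty` and prints `the secret gpg-public-pass was empty`, naming an input that does not exist; use `echo "the gpg-public-key was empty"`. The `Set up GPG` step's `env` and `run` continue beyond this hunk.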
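Review bot: `--passphrase-file /home/runner/pass` in the `%__gpg_sign_cmd` line hard-codes the hosted-runner home directory while the passphrase is written to `~/pass`, so on a self-hosted runner with a different `HOME` rpm signing looks for a file that does not exist; the file also now sits outside the `chmod 700` `~/.gnupg` directory that the earlier setup created. Let the shell expand the path when composing the macro and keep the file with the other gpg state: `echo -e "gpg --no-verbose --batch --no-tty --passphrase-file $HOME/.gnupg/.pass --pinentry-mode loopback \\" >> ~/.rpmmacros` together with `echo -e "$GPG_KEY_PASS" >> ~/.gnupg/.pass` on the line above. Appending every macro line with `>>` also means a second run of the action in the same job leaves duplicated definitions in `~/.rpmmacros`; writing the first macro line with `>` (as the previous version did for the whole block) avoids that.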