Do not rely on GPG key id

- use the key name if possible - instead of downloading repomd.xml.key, create it on the fly
xcat2 · Apr 20, 2024 · f7f3bdb · f7f3bdb
1 parent 5883584
commit f7f3bdb
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 8 deletions.
diff --git a/build-ubunturepo b/build-ubunturepo
@@ -373,7 +373,8 @@ __EOF__
            #echo "GPGSIGN=$GPGSIGN specified, the repo will not be signed"
            echo "" >> conf/distributions
        else
-           echo "SignWith: 5619700D" >> conf/distributions
+           keyid=$(gpg --list-keys --keyid-format long "xCAT Automatic Signing Key" | grep '^pub' | sed -e 's/.*\///' -e 's/ .*//')
+           echo "SignWith: $keyid" >> conf/distributions
            echo "" >> conf/distributions
        fi
     done
@@ -514,7 +515,8 @@ __EOF__
             echo "GPGSIGN=$GPGSIGN specified, the repo will not be signed"
             echo "" >> conf/distributions
         else
-            echo "SignWith: 5619700D" >> conf/distributions
+            keyid=$(gpg --list-keys --keyid-format long "xCAT Automatic Signing Key" | grep '^pub' | sed -e 's/.*\///' -e 's/ .*//')
+            echo "SignWith: $keyid" >> conf/distributions
             echo "" >> conf/distributions
         fi
 

diff --git a/buildcore.sh b/buildcore.sh
@@ -479,13 +479,13 @@ if [ "$OSNAME" != "AIX" ]; then
         rm -f $SRCDIR/repodata/repomd.xml.asc
         rm -f $DESTDIR/repodata/repomd.xml.asc
         # Use the xCAT Automatic Signing Key to do the signing
-        gpg -a --detach-sign --default-key 5619700D $DESTDIR/repodata/repomd.xml
-        gpg -a --detach-sign --default-key 5619700D $SRCDIR/repodata/repomd.xml
+        gpg -a --detach-sign --default-key "xCAT Automatic Signing Key" $DESTDIR/repodata/repomd.xml
+        gpg -a --detach-sign --default-key "xCAT Automatic Signing Key" $SRCDIR/repodata/repomd.xml
         if [ ! -f $DESTDIR/repodata/repomd.xml.key ]; then
-            ${WGET_CMD} --no-check-certificate -q -P $DESTDIR/repodata $GSA/keys/repomd.xml.key
+            gpg -a --export "xCAT Automatic Signing Key" > $DESTDIR/repodata/repomd.xml.key
         fi
         if [ ! -f $SRCDIR/repodata/repomd.xml.key ]; then
-            ${WGET_CMD} --no-check-certificate -P $SRCDIR/repodata $GSA/keys/repomd.xml.key
+            gpg -a --export "xCAT Automatic Signing Key" > $SRCDIR/repodata/repomd.xml.key
         fi
     else
         createrepo $DESTDIR

diff --git a/builddep.sh b/builddep.sh
@@ -265,9 +265,9 @@ for i in `find -mindepth 2 -maxdepth 2 -type d `; do
 		createrepo $i >/dev/null
 	fi
 	rm -f $i/repodata/repomd.xml.asc
-	gpg -a --detach-sign --default-key 5619700D $i/repodata/repomd.xml
+	gpg -a --detach-sign --default-key "xCAT Automatic Signing Key" $i/repodata/repomd.xml
 	if [ ! -f $i/repodata/repomd.xml.key ]; then
-		cp $GSA/../keys/repomd.xml.key $i/repodata
+		gpg -a --export "xCAT Automatic Signing Key" > $i/repodata/repomd.xml.key
 	fi
 done