Question

I have a continuous integration build system that generates an RPM via a shell script triggered by cron. I want to sign the RPM with gpg, but gpg insists on the user manually entering the passphrase at the console, which is clearly a non-starter since there is no user console for cron.

I have read about gpg-agent which will let you enter the passphrase once for the current login session, but again cron does not have a login session. What I would like is to be able to configure gpg-agent to accept the passphrase once at boot time and hand that to the cron session when needed. I have no idea if this is possible or not, and the docs for gpg-agent are fairly minimal.

The alternative would be to use expect to enter the passphrase when gpg asks for it, but clearly this is a big security hole since the passphrase will need to be included in the build script.


Solution

You should start gpg-agent at startup and save the GPG_AGENT_INFO environment variable. Then you can set it up in your script's environment and it should work as expected. Additionally, make sure the permissions of the socket in GPG_AGENT_INFO allow your script to read it.
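As an added example (not code from the answer above, nor from GnuPG, rpm or cron), the following POSIX shell sketch implements the three steps the answer describes: start the agent once at boot and persist its environment, re-import that environment inside the cron job, and verify the socket is actually usable before signing. The file path `~/.gpg-agent-info`, the `@reboot` crontab entry, the `PLACEHOLDER_KEY_ID` key id and the helper names are assumptions. `GPG_AGENT_INFO` and `--write-env-file` belong to GnuPG 2.0; GnuPG 2.1 and later ignore the variable and always use the socket reported by `gpgconf --list-dirs agent-socket`, so on those versions only the socket check remains relevant.

```shell
#!/bin/sh
# Added example, not the answer's own code. Assumed layout:
#   crontab:  @reboot  . ~/agent-helpers.sh && start_agent_at_boot
#   cron job: . ~/agent-helpers.sh && sign_rpm build/output.rpm
# GPG_AGENT_INFO (GnuPG 2.0) has the form "/path/to/S.gpg-agent:PID:1".

AGENT_ENV_FILE="${AGENT_ENV_FILE:-$HOME/.gpg-agent-info}"

# Write a GPG_AGENT_INFO value to an env file in shell-sourceable form.
# The file only names the socket (never the passphrase), but is still
# created 0600 so other local users cannot learn the agent's location.
save_agent_env() {
    info=$1
    file=$2
    ( umask 077; printf "GPG_AGENT_INFO='%s'; export GPG_AGENT_INFO\n" "$info" > "$file" )
}

# Import the env file written at boot into the current (cron) shell.
# Returns 1 when the file is missing so the job fails loudly instead of
# letting gpg try to prompt on a tty that cron does not have.
load_agent_env() {
    file=$1
    [ -r "$file" ] || return 1
    case $file in /*) ;; *) file=./$file ;; esac   # "." searches PATH for bare names
    . "$file"
    export GPG_AGENT_INFO
}

# Socket path is the first colon-separated field of GPG_AGENT_INFO.
agent_socket_from_info() {
    printf '%s\n' "${1%%:*}"
}

# The answer's permission check: the path must be a socket, owned by the
# user running the job, and readable/writable by it. Distinct return codes
# make the failure reason visible in the cron mail.
check_agent_socket() {
    sock=$1
    [ -S "$sock" ] || return 1
    [ -O "$sock" ] || return 2
    [ -r "$sock" ] && [ -w "$sock" ] || return 3
    return 0
}

# Boot side (GnuPG 2.0): start the agent and persist its environment.
# The passphrase is entered interactively once, e.g. via gpg-preset-passphrase
# or the first signing done from a console; it is never stored here.
start_agent_at_boot() {
    gpg-agent --daemon --write-env-file "$AGENT_ENV_FILE" >/dev/null 2>&1 || return 1
    chmod 600 "$AGENT_ENV_FILE"
}

# Cron side: reuse the agent and sign the RPM. rpm --addsign runs gpg via the
# %__gpg_sign_cmd macro; whether that invocation reaches the agent depends on
# the rpm version, so the socket check above is done before calling it.
sign_rpm() {
    rpm_file=$1
    keyid=${2:-PLACEHOLDER_KEY_ID}   # assumption: real key id supplied by caller
    load_agent_env "$AGENT_ENV_FILE" || { echo "no agent env file at $AGENT_ENV_FILE" >&2; return 1; }
    sock=$(agent_socket_from_info "$GPG_AGENT_INFO")
    check_agent_socket "$sock" || { echo "agent socket $sock unusable (rc=$?)" >&2; return 1; }
    rpm --define "_gpg_name $keyid" --addsign "$rpm_file"
}
```

Sourcing the helper file from both the `@reboot` entry and the build job keeps the passphrase out of the build script entirely, which is the concern raised in the question about the `expect` alternative: the only thing persisted on disk is the socket location.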

Other tips

Whatever build tool you use to generate the RPM could have the capability to sign it. For example, gradle has a plugin that does the signing for you. You have to create a properties file with the id, passphrase, and location of the key ring file, and it does the rest.

See: https://docs.gradle.org/current/userguide/signing_plugin.html

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow