From 0f17b6f8647de35e00fe779c129f4ccf1828157a Mon Sep 17 00:00:00 2001 From: enricobuehler Date: Mon, 15 Jun 2026 13:39:00 +0000 Subject: [PATCH] =?UTF-8?q?fix(rpm):=20sign-rpms.sh=20=E2=80=94=20%{=5F=5F?= =?UTF-8?q?gpg}=20is=20already=20the=20gpg=20binary,=20drop=20the=20litera?= =?UTF-8?q?l=20`gpg`?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The first signed CI run failed at the Sign step: `%{__gpg} gpg ...` expands to ` gpg ...`, so gpg got a spurious `gpg` filename arg ("no command supplied", options "not considered"). Dropped the literal `gpg` → `%{__gpg} --batch ...`. Validated locally: the corrected invocation parses as a sign command (fails only with "No secret key", which is present in CI). The checksig gate did its job — nothing published, installs stayed safe. Co-Authored-By: Claude Opus 4.8 (1M context) --- packaging/rpm/sign-rpms.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/packaging/rpm/sign-rpms.sh b/packaging/rpm/sign-rpms.sh index 2d2d5ff..c5de1c4 100755 --- a/packaging/rpm/sign-rpms.sh +++ b/packaging/rpm/sign-rpms.sh 
@@ -26,9 +26,10 @@ printf '%s' "$RPM_GPG_PRIVATE_KEY" | gpg --batch --import KEYID="$(gpg --list-secret-keys --with-colons | awk -F: '/^sec:/{print $5; exit}')" [ -n "$KEYID" ] || { echo "no secret key imported from RPM_GPG_PRIVATE_KEY" >&2; exit 1; } -# rpm v4 detached-signing macro. Force loopback pinentry (no TTY in CI); feed the passphrase, if -# any, on stdin via --passphrase-fd 0. -SIGN_CMD="%{__gpg} gpg --batch --no-verbose --no-armor --pinentry-mode loopback" +# rpm v4 detached-signing macro. NOTE: %{__gpg} already IS the gpg binary path — do NOT add a +# literal `gpg` after it (that becomes a spurious filename arg -> "no command supplied"). Force +# loopback pinentry (no TTY in CI); feed the passphrase, if any, on stdin via --passphrase-fd 0. +SIGN_CMD="%{__gpg} --batch --no-verbose --no-armor --pinentry-mode loopback" [ -n "${RPM_GPG_PASSPHRASE:-}" ] && SIGN_CMD="$SIGN_CMD --passphrase-fd 0" SIGN_CMD="$SIGN_CMD -u %{_gpg_name} --digest-algo sha256 -sbo %{__signature_filename} %{__plaintext_filename}"
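Review bot: On the changed `SIGN_CMD="%{__gpg} --batch ...` line, nothing in the visible lines checks the expanded command before it is used for signing, which is why the stray `gpg` argument only surfaced at the CI Sign step. Consider writing the expansion to the CI log ahead of signing (for example with `rpm --eval` on the macro that receives `$SIGN_CMD`), so a malformed command line is visible before gpg is invoked. Separately, the context above derives `KEYID` from the imported secret key, while the command selects the signing key through `-u %{_gpg_name}`; please confirm, in the part of the script not shown in this hunk, that `_gpg_name` is defined from `$KEYID`, so the signature is always made with the key that was just imported.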