fix(rpm): sign-rpms.sh — %{__gpg} is already the gpg binary, drop the literal gpg
apple / swift (push) Successful in 52s
ci / web (push) Successful in 29s
android / android (push) Failing after 1m51s
ci / docs-site (push) Successful in 33s
ci / bench (push) Successful in 1m49s
decky / build-publish (push) Successful in 11s
ci / rust (push) Failing after 1m12s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 5s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
flatpak / build-publish (push) Failing after 2s
deb / build-publish (push) Failing after 2m52s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 5m17s
docker / deploy-docs (push) Successful in 17s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 5m4s
The first signed CI run failed at the Sign step: `%{__gpg} gpg ...` expands to `<gpgpath> gpg ...`,
so gpg got a spurious `gpg` filename arg ("no command supplied", options "not considered"). Dropped
the literal `gpg` → `%{__gpg} --batch ...`. Validated locally: the corrected invocation parses as a
sign command (fails only with "No secret key", which is present in CI). The checksig gate did its
job — nothing published, installs stayed safe.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -26,9 +26,10 @@ printf '%s' "$RPM_GPG_PRIVATE_KEY" | gpg --batch --import
KEYID="$(gpg --list-secret-keys --with-colons | awk -F: '/^sec:/{print $5; exit}')"
[ -n "$KEYID" ] || { echo "no secret key imported from RPM_GPG_PRIVATE_KEY" >&2; exit 1; }
# rpm v4 detached-signing macro. Force loopback pinentry (no TTY in CI); feed the passphrase, if
# any, on stdin via --passphrase-fd 0.
SIGN_CMD="%{__gpg} gpg --batch --no-verbose --no-armor --pinentry-mode loopback"
# rpm v4 detached-signing macro. NOTE: %{__gpg} already IS the gpg binary path — do NOT add a
# literal `gpg` after it (that becomes a spurious filename arg -> "no command supplied"). Force
# loopback pinentry (no TTY in CI); feed the passphrase, if any, on stdin via --passphrase-fd 0.
SIGN_CMD="%{__gpg} --batch --no-verbose --no-armor --pinentry-mode loopback"
[ -n "${RPM_GPG_PASSPHRASE:-}" ] && SIGN_CMD="$SIGN_CMD --passphrase-fd 0"
SIGN_CMD="$SIGN_CMD -u %{_gpg_name} --digest-algo sha256 -sbo %{__signature_filename} %{__plaintext_filename}"
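Review bot: The key import and the KEYID lookup at the top of this hunk call the `gpg` found on PATH, while the corrected SIGN_CMD signs with whatever `%{__gpg}` expands to, and nothing in the hunk checks that the two are the same binary using the same keyring. Consider resolving the macro once before building SIGN_CMD, for example `GPG_BIN="$(rpm --eval '%{__gpg}')"` followed by `[ -x "$GPG_BIN" ] || { echo "gpg from %{__gpg} not executable" >&2; exit 1; }`, and using `$GPG_BIN` for the import and the `--list-secret-keys` call as well, so a mismatch fails here with a clear message instead of at the Sign step. Logging the resolved path would also have made the original `<gpgpath> gpg ...` expansion visible in the first CI run.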