Signed rps (#804)

StrongestNumber9 · web-flow · commit d5dc7a1aef54 · 2026-02-04T10:18:59.000+02:00
* Sign RPM with gpg key

* Import key after pub, and as a batch

* Should fix RPM SIGNING KEYNAME

* Add pinentry, skip testing for now

* Install pinentry-tty

* Adds gpg sign cmd extra args

* Adds passphrase to cmd extra args

* Sed &lt; and &gt; to &amp;lt; and &amp;gt;

* Remove replace

* Fixes syntax error

* Remove skipped tests

* Process keys from stdin without using filesystem

* Attempt retrieving RPM_SIGNING_PASSPHRASE env instead of writing passphrase to disk
diff --git a/.github/workflows/upload_release_github_attachment.yaml b/.github/workflows/upload_release_github_attachment.yaml
@@ -31,10 +31,20 @@ jobs:
       - name: Install test dependencies
         run: cd / && sudo apt-get update && sudo apt-get install wget rpm2cpio && sudo wget -q https://download.rockylinux.org/pub/rocky/8/AppStream/x86_64/os/Packages/g/geolite2-city-20180605-1.el8.noarch.rpm && sudo wget -q https://download.rockylinux.org/pub/rocky/8/AppStream/x86_64/os/Packages/g/geolite2-country-20180605-1.el8.noarch.rpm && rpm2cpio geolite2-city-20180605-1.el8.noarch.rpm | sudo cpio -i --make-directories && rpm2cpio geolite2-country-20180605-1.el8.noarch.rpm | sudo cpio -i --make-directories
 
+      - name: Prepare RPM GPG signing
+        run: |
+          sudo apt-get install expect pinentry-tty;
+          printf "RPM_SIGNING_KEYNAME=%q\n" "$(echo "${{ secrets.RPM_SIGNING_PUBLIC_KEY }}" | gpg --show-keys --with-colons | awk -F':' '/uid/{print $10}')" >> $GITHUB_ENV;
+          echo "${{ secrets.RPM_SIGNING_PRIVATE_KEY }}" | gpg --batch --import;
+          echo "%_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase \"%{getenv:RPM_SIGNING_PASSPHRASE}\"" >> "${HOME}/.rpmmacros";
+
       - name: Build a jar and rpm for release
         run: mvn --batch-mode -Drevision=${{ github.event.release.tag_name }} -Dsha1= -Dchangelist= clean package -Pbuild-shaded-jar && cd rpm/ && mvn --batch-mode -Drevision=${{ github.event.release.tag_name }} -Dsha1= -Dchangelist= -f rpm.pom.xml package
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RPM_SIGNING_KEYNAME: ${{ env.RPM_SIGNING_KEYNAME }}
+          RPM_SIGNING_PASSPHRASE: ${{ secrets.RPM_SIGNING_PASSPHRASE }}
+
 
       - name: Attach rpm to release
         uses: softprops/action-gh-release@v1
@@ -49,3 +59,4 @@ jobs:
           to_repository: teragrep/pkg_01
           deploy_key: ${{ secrets.PKG_01_DEPLOY_KEY }}
           files: rpm/target/rpm/com.teragrep-pth_10/RPMS/noarch/com.teragrep-pth_10-*.noarch.rpm
+        if: ${{ startsWith(github.repository, 'teragrep/') }}
diff --git a/rpm/rpm.pom.xml b/rpm/rpm.pom.xml
@@ -57,6 +57,10 @@
           <defaultGroupname>root</defaultGroupname>
           <defaultFilemode>0644</defaultFilemode>
           <defaultDirmode>0755</defaultDirmode>
+          <keyname>${env.RPM_SIGNING_KEYNAME}</keyname>
+          <keyPassphrase>
+	          <passphrase>${env.RPM_SIGNING_PASSPHRASE}</passphrase>
+          </keyPassphrase>
           <defineStatements>
             <defineStatement>_build_id_links none</defineStatement>
             <defineStatement>__provides_exclude ^osgi\\(.*$</defineStatement>
