On 03/04/2017 21:25, Siddiqui, Shahzeb wrote:

Thanks Ken,

I am not sure either. I have 150+ packages I would like to install on production via RPMs and it would be nice to automate this rather than doing this manually. If it could be implemented through some configuration or environment variable that would be good.

Maybe set EASYBUILD_GPG_KEY="xxxxxx" that could be used.


That looks like a bad idea, since your GPG key would leak into the (debug) log file, the test report, etc.

So we'd need a mechanism like we have for the GitHub token, where we take care to keep it secret.

Possibly use the rpmbuild --sign option; not sure if fpm can handle this in EasyBuild. See https://github.com/jordansissel/fpm/issues/141


If --rpm-sign is supported by FPM, that should be used. This FPM issue was closed after adding support for --rpm-sign (which probably just passes it down to rpmbuild --sign).


regards,

Kenneth

*From:*easybuild-requ...@lists.ugent.be [mailto:easybuild-requ...@lists.ugent.be] *On Behalf Of *Kenneth Hoste
*Sent:* Monday, April 3, 2017 2:35 PM
*To:* easybuild@lists.ugent.be
*Subject:* Re: [easybuild] GPG signing RPM in EasyBuild

On 03/04/2017 18:23, Siddiqui, Shahzeb wrote:

Can we add the --rpm-sign feature to EasyBuild? It would also need a means to import a GPG key. Similar to the GitHub token, if there is a flag --gpg-key you can set the key and rpmsign will take care of the rest.

Yea, --package-tool-option would work fine so long as there is some way to address the issue. You can merge the release and a few other options into this option.

It could be like

package-tool-options = {gpg-key: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', release: '1' }


Support for using eb --package-tool-options="--rpm-sign 'xxx' " is implemented in https://github.com/hpcugent/easybuild-framework/pull/2187 .

This doesn't include support for something like --gpg-key though. I'm not sure if something like that would make sense, i.e. if it's EasyBuild's responsibility to keep a GPG key safe...


K.



*From:*easybuild-requ...@lists.ugent.be [mailto:easybuild-requ...@lists.ugent.be] *On Behalf Of *Kenneth Hoste
*Sent:* Monday, April 3, 2017 12:10 PM
*To:* easybuild@lists.ugent.be
*Subject:* Re: [easybuild] GPG signing RPM in EasyBuild

Hi Shahzeb,

On 03/04/2017 17:24, Siddiqui, Shahzeb wrote:

    Hello,

    I want to find out if it's possible to add a GPG signature to an RPM
    via FPM. If so, I would like to utilize this feature.


Not yet, it would require support for passing --rpm-sign to the fpm command, cfr. https://github.com/jordansissel/fpm/pull/311 .

As a more general solution, it would probably make sense to support a more general configuration setting like --package-tool-options, or something like that...


regards,

Kenneth


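Added example, not code from the thread, from EasyBuild or from fpm: the signing setup the thread converges on, as a small POSIX shell script. It assumes fpm's --rpm-sign flag (which hands --sign to rpmbuild), that rpmbuild/rpmsign pick the signing key from %_gpg_name in ~/.rpmmacros, and that the passphrase is supplied by gpg-agent or a tty prompt rather than on the command line. The key identity 'Build Team <builds@example.org>', the package name example-pkg, the file name sign_rpm_example.sh and the secret 'hunter2' are made up for the example. The point it makes is the one Kenneth raises: the key identity is public and may be logged, while the passphrase must never reach the fpm/rpmbuild command line, because that line ends up in the debug log, `ps` output and the test report. `redact` shows the fallback for anything that does get logged anyway, the way a token would be masked.

```shell
#!/bin/sh
# Added example, not code from EasyBuild, fpm or the thread's authors.
# Assumptions (not stated on the page): fpm supports --rpm-sign (it passes
# --sign to rpmbuild), rpmbuild reads the signing key identity from
# %_gpg_name in ~/.rpmmacros, and the passphrase comes from gpg-agent
# (newer rpm/gnupg) or a tty prompt (older rpm), never from the command line.
set -eu

# Macro file for rpmbuild --sign. The key *identity* (a user ID or
# fingerprint) is public and may appear in logs; the secret key and its
# passphrase stay in the build user's keyring / gpg-agent.
rpmmacros_content() {
    printf '%%_signature gpg\n%%_gpg_name %s\n' "$1"
}

# fpm invocation for one package directory. Nothing secret is passed:
# --rpm-sign only asks rpmbuild to sign with the macro-configured key.
fpm_rpm_sign_cmd() {
    name=$1 version=$2 srcdir=$3
    printf 'fpm -s dir -t rpm -n %s -v %s --rpm-sign -C %s .\n' \
        "$name" "$version" "$srcdir"
}

# Returns 0 when the secret occurs in a command line (so it would end up in
# a debug log, `ps` output or a test report), 1 otherwise.
cmd_leaks_secret() {
    case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Defence in depth for anything that is logged anyway: replace every
# occurrence of the secret in a log line with <redacted>. (awk -v applies
# escape processing, so a secret containing backslashes needs extra care.)
redact() {
    secret=$1; shift
    printf '%s\n' "$*" | awk -v s="$secret" '
        { out = ""; rest = $0
          while ((i = index(rest, s)) > 0) {
              out = out substr(rest, 1, i - 1) "<redacted>"
              rest = substr(rest, i + length(s))
          }
          print out rest }'
}

# Check the result the way a consumer would: import the public key once,
# then verify the package signature with rpm -K.
verify_signed_rpm() {
    rpm --import "$2" && rpm -K "$1"
}

main() {
    key_name='Build Team <builds@example.org>'   # constructed example identity
    rpmmacros_content "$key_name" > "${RPMMACROS:-$HOME/.rpmmacros}"
    cmd=$(fpm_rpm_sign_cmd example-pkg 1.0 /tmp/example-pkg-root)
    echo "Would run: $cmd"
    # Putting the passphrase on a command line is exactly what leaks:
    bad='gpg --batch --passphrase hunter2 --detach-sign example.rpm'
    redact hunter2 "$bad"
}

# Run main only when executed as sign_rpm_example.sh, so the functions can
# also be sourced from another script.
[ "${0##*/}" = "sign_rpm_example.sh" ] && main "$@"
```

Whether rpmbuild --sign can obtain the passphrase non-interactively depends on the rpm and gnupg versions on the build host (gpg-agent with newer rpm; older rpm prompts on the controlling tty), so a batch build of many packages may still need an agent or a pseudo-tty; that detail is outside what the thread covers.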