Exactly, if there is a way to store the GPG key like a GitHub token, we could get 
this to work.

Python should be able to process a GPG key 
(https://pythonhosted.org/python-gnupg/), if there is a means to input the 
key into eb, either interactively or through some configuration, like the 
GitHub token.

One benefit I can see: if we have a hosted solution for a central repo of EB 
RPM files, we can share RPMs with each other, and the GPG key would give a means 
to identify the owner. The only mechanisms that come to my mind for deploying 
software packages to the cloud are either RPMs or containers (Singularity/Docker), 
both of which are of keen interest to me because that is the direction we are 
taking for deploying to the cloud.

From: easybuild-requ...@lists.ugent.be 
[mailto:easybuild-requ...@lists.ugent.be] On Behalf Of Kenneth Hoste
Sent: Tuesday, April 4, 2017 8:03 AM
To: easybuild@lists.ugent.be
Subject: Re: [easybuild] GPG signing RPM in EasyBuild


On 03/04/2017 21:25, Siddiqui, Shahzeb wrote:
Thanks Ken,

I am not sure either. I have 150+ packages I would like to install in 
production via RPMs, and it would be nice to automate this rather than doing 
it manually. If it could be implemented through some configuration or 
environment variable, that would be good.

Maybe set EASYBUILD_GPG_KEY="xxxxxx" that could be used.

That looks like a bad idea, since your GPG key would be leaking in the (debug) 
log file, in the test report, etc.

So we'd need a mechanism like we have for the GitHub token, where we take care 
to keep it secret.


Possibly use the rpmbuild --sign option; not sure if fpm can handle this in 
EasyBuild. See 
https://github.com/jordansissel/fpm/issues/141

If --rpm-sign is supported by FPM, that should be used. This FPM issue was 
closed after adding support for --rpm-sign (which probably just passes it down 
to rpmbuild --sign).


regards,

Kenneth
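The leak Kenneth points out above is worth seeing concretely. The following is an added example, not EasyBuild code and not anything posted in this thread: it contrasts a setting such as EASYBUILD_GPG_KEY="xxx", whose value is copied verbatim into any debug dump of the configuration, with a token-style mechanism where the secret is read from an owner-only file and blanked by a logging filter before it reaches a log file or test report. It also shows why the signing command line itself does not need the secret: rpmbuild --sign and rpmsign --addsign (rpm --addsign on older rpm) select the key through the %_gpg_name macro, so only the key ID, which is public information, appears on the command line while the private key stays in the GPG keyring. The helper names (RedactingFilter, load_passphrase_file, build_rpmsign_command, capture_debug_log), the EASYBUILD_GPG_KEY variable and all sample values are invented for illustration.

```python
"""Keep a GPG signing secret out of (debug) logs while still signing an RPM.

Added example, not EasyBuild code. The rpm interfaces referenced are real:
rpmbuild --sign / rpmsign --addsign choose the signing key via the %_gpg_name
macro, so the command line only needs the key ID, never the private key or the
passphrase. All helper names, variable names and sample values are invented.
"""
import io
import logging
import os
import stat
import tempfile

SECRET_MARKER = "[REDACTED]"


class RedactingFilter(logging.Filter):
    """Blank out known secret strings before a record reaches any log sink."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = [s for s in secrets if s]

    def filter(self, record):
        msg = record.getMessage()
        for s in self.secrets:
            msg = msg.replace(s, SECRET_MARKER)
        record.msg, record.args = msg, ()   # already formatted; nothing left to interpolate
        return True


def load_passphrase_file(path):
    """Read a passphrase from a file, refusing anything readable by group or others.
    The secret lives in one owner-only file, never in the environment or config."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {oct(mode)}; refusing to use a shared secret file")
    with open(path) as fh:
        return fh.read().strip()


def build_rpmsign_command(rpm_path, gpg_name):
    """Command line for signing an existing RPM: only the key ID appears.
    (Assumption: gpg-agent or a passphrase file supplies the passphrase to rpmsign.)"""
    return ["rpmsign", "--addsign", "--define", f"_gpg_name {gpg_name}", rpm_path]


def config_dump(env):
    """A typical debug dump of EASYBUILD_* settings, as a log file would record it."""
    return ", ".join(f"{k}={v}" for k, v in sorted(env.items()) if k.startswith("EASYBUILD_"))


def capture_debug_log(env, secrets=()):
    """Emit the config dump through a logger and return what actually landed in the log.
    With secrets given, a RedactingFilter is attached, as a token-style mechanism must do
    for every sink (log file, test report, ...)."""
    stream = io.StringIO()
    logger = logging.getLogger(f"eb.demo.{id(stream)}")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter(secrets))
    logger.addHandler(handler)
    logger.debug("configuration: %s", config_dump(env))
    logger.removeHandler(handler)
    return stream.getvalue()


def demo():
    """Run the whole flow on constructed data and return facts a test can check."""
    passphrase = "correct horse battery staple"   # constructed sample secret
    key_id = "0xDEADBEEFCAFEF00D"                  # constructed sample key ID

    with tempfile.TemporaryDirectory() as tmp:
        pw_file = os.path.join(tmp, "gpg-passphrase")
        with open(pw_file, "w") as fh:
            fh.write(passphrase + "\n")
        os.chmod(pw_file, 0o600)
        loaded = load_passphrase_file(pw_file)
        os.chmod(pw_file, 0o644)                   # simulate a careless chmod
        try:
            load_passphrase_file(pw_file)
            rejected_world_readable = False
        except PermissionError:
            rejected_world_readable = True

    env = {"EASYBUILD_GPG_KEY": passphrase, "EASYBUILD_PREFIX": "/apps"}
    leaky_log = capture_debug_log(env)              # the EASYBUILD_GPG_KEY proposal
    safe_log = capture_debug_log(env, [passphrase]) # token-style handling
    cmd = " ".join(build_rpmsign_command("/tmp/foo-1.0-1.x86_64.rpm", key_id))
    return {
        "passphrase_loaded": loaded == passphrase,
        "rejected_world_readable": rejected_world_readable,
        "leaky_log_contains_secret": passphrase in leaky_log,
        "safe_log_contains_secret": passphrase in safe_log,
        "cmd_contains_key_id": key_id in cmd,
        "cmd_contains_secret": passphrase in cmd,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The filter only protects sinks it is attached to; a test report or a `--debug` dump written through a different path still needs the same redaction, which is the real work behind a "keep it secret like the GitHub token" mechanism.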





From: easybuild-requ...@lists.ugent.be 
[mailto:easybuild-requ...@lists.ugent.be] On Behalf Of Kenneth Hoste
Sent: Monday, April 3, 2017 2:35 PM
To: easybuild@lists.ugent.be
Subject: Re: [easybuild] GPG signing RPM in EasyBuild

On 03/04/2017 18:23, Siddiqui, Shahzeb wrote:


Can we add the --rpm-sign feature to EasyBuild? It would also need a means to 
import a GPG key. Similar to the GitHub token, if there is a flag --gpg-key you can 
set the key and rpmsign will take care of the rest.

Yea, --package-tool-options would work fine so long as it has some way to 
address the issue. You can merge the release and a few other options into this 
option.

It could be like

package-tool-options = {gpg-key: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', release: 
'1' }

Support for using eb --package-tool-options="--rpm-sign 'xxx' " is implemented 
in 
https://github.com/hpcugent/easybuild-framework/pull/2187 .

This doesn't include support for something like --gpg-key though. I'm not sure 
if something like that would make sense, i.e. if it's EasyBuild's responsibility 
to keep a GPG key safe...


K.





From: easybuild-requ...@lists.ugent.be 
[mailto:easybuild-requ...@lists.ugent.be] On Behalf Of Kenneth Hoste
Sent: Monday, April 3, 2017 12:10 PM
To: easybuild@lists.ugent.be
Subject: Re: [easybuild] GPG signing RPM in EasyBuild

Hi Shahzeb,
On 03/04/2017 17:24, Siddiqui, Shahzeb wrote:
Hello,

I want to find out if it's possible to add a GPG signature to an RPM via FPM. If 
so, I would like to utilize this feature.

Not yet, it would require support for passing --rpm-sign to the fpm command, cfr. 
https://github.com/jordansissel/fpm/pull/311 .

As a more general solution, it would probably make sense to support a more 
general configuration setting like --package-tool-options, or something like 
that...


regards,

Kenneth

