@nwalfield commented on this pull request.
> autosign=$(rpm --eval "%{?_openpgp_autosign_id}")
if [ -n "${autosign}" ]; then
log "Autosign already configured"
exit 0
fi
-genkey_sq
+# is there an explicit signing program config?
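Review bot: the early exit at `if [ -n "${autosign}" ]` only checks that `%_openpgp_autosign_id` expands to something, not that the key it names is still available to the signing program. If the macro is left over from a key that has since been removed, the script logs "Autosign already configured" and exits 0 while signing stays broken. Consider verifying the key before returning, or at least including the configured id in the log line so the user can check it.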
config*ured*
> +*rpm-setup-autosign* is used to set up automatic signing from *rpmbuild*(1).
+It generates a user- and host-specific, passwordless OpenPGP key,
+configures *rpmbuild*(1) to use that key and exports the public key
+(aka certificake) for importing to the persistent *rpm*(8) keyring.
+
+The purpose of automatic signing is to make testing local builds
+painless. For distributing packages, it's recommended to use a separated
+signing account that cannot be compromised by a build.
+
+# ARGUMENTS
+*rpm-setup-autosign* takes no arguments.
+
+# OPTIONS
+*-p* <*gpg*|*sq*>,
+*--prog* <*gpg*|*sq*>
+ Specify the signing program to use: GnuPG or sequoia-sq.
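Review bot: typo in the first paragraph, `certificake` should be `certificate`; in the second paragraph "a separated signing account" reads better as "a separate signing account". Since the text says the key is passwordless, it would also help to state where the private key is stored, so readers know what to protect or remove.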
This is an unusual stylization. Perhaps: `Sequoia PGP's sq`
> + echo "%_openpgp_sign ${1}" >> ${rpmhome}/macros
+ echo "%_openpgp_autosign_id ${2}" >> ${rpmhome}/macros
+}
+
+function genkey_sq()
+{
+ log "Generating key ${email}"
+ local keyid=$(sq key generate \
+ --batch \
+ --quiet \
+ --own-key \
+ --without-password \
+ --can-sign \
+ --cannot-authenticate \
+ --cannot-encrypt \
+ --email ${email} \
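Review bot: the redirect target in the two `echo ... >> ${rpmhome}/macros` lines at the top of this hunk is unquoted, so a path containing whitespace makes bash fail the write with an ambiguous redirect. Suggest `>> "${rpmhome}/macros"` on both lines.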
To be on the safe side, you should probably quote `${email}`
> +function genkey_sq()
+{
+ log "Generating key ${email}"
+ local keyid=$(sq key generate \
+ --batch \
+ --quiet \
+ --own-key \
+ --without-password \
+ --can-sign \
+ --cannot-authenticate \
+ --cannot-encrypt \
+ --email ${email} \
+ 2>&1 | awk '/Fingerprint/{print $2}')
+
+ log "Exporting key to ${keypath}"
+ sq cert export --cert-email "${email}" > ${keypath}
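Review bot: `local keyid=$(sq key generate ... 2>&1 | awk '/Fingerprint/{print $2}')` hides a failed key generation. The exit status of `local` replaces that of the command substitution, and unless `pipefail` is set the pipeline reports awk's status anyway. If `sq key generate` fails, `keyid` is empty and the function still continues to the export. Declare `local keyid` on its own line, assign separately, and stop with an error when `keyid` is empty. The `> ${keypath}` redirect on the last line should be quoted as well.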
Since you extract the key id above, it is safer (less ambiguous) to use that
instead of the email address.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3665#pullrequestreview-2694538686