使用 gpg 对 RPM 进行签名作为持续构建的一部分 - 如何避免提示输入密码?

发布于 2024-09-27 03:47:35 字数 327 浏览 9 评论 0原文

我有一个持续集成构建系统,它通过 cron 触发的 shell 脚本生成 RPM。我想用 gpg 对 RPM 进行签名,但 gpg 坚持要求用户在控制台手动输入密码,这显然是行不通的,因为 cron 没有用户控制台。

我读过有关 gpg-agent 的内容,它可以让您为当前登录会话输入一次密码,但 cron 再次没有登录会话。我希望能够将 gpg-agent 配置为在启动时接受一次密码,并在需要时将其交给 cron 会话。我不知道这是否可能,并且 gpg-agent 的文档相当少。

另一种方法是在 gpg 要求时使用 Expect 输入密码,但显然这是一个很大的安全漏洞,因为密码需要包含在构建脚本中。

I have a continuous integration build system that generates an RPM via a shell script triggered by cron. I want to sign the RPM with gpg, but gpg insists on the user manually entering the passphrase at the console, which is clearly a non-starter since there is no user console for cron.

I have read about gpg-agent which will let you enter the passphrase once for the current login session, but again cron does not have a login session. What I would like is to be able to configure gpg-agent to accept the passphrase once at boot time and hand that to the cron session when needed. I have no idea if this is possible or not, and the docs for gpg-agent are fairly minimal.

The alternative would be to use expect to enter the passphrase when gpg asks for it, but clearly this is a big security hole since the passphrase will need to be included in the build script.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

揽清风入怀 2024-10-04 03:47:35

您应该在启动时启动 gpg-agent 并保存 GPG_AGENT_INFO 环境变量。然后您可以在脚本环境中设置它并且应该按预期工作。此外,请确保 GPG_AGENT_INFO 中套接字的权限允许您的脚本读取它。

You should start gpg-agent at start up and save the GPG_AGENT_INFO environment variable. Then you can set it up in your script's environment and should work as expected. Additionally, make sure permissions of the socket in GPG_AGENT_INFO allow your script to read it.

所谓喜欢 2024-10-04 03:47:35

无论您使用什么构建工具来生成 RPM,都可以对其进行签名。例如,gradle 有一个插件可以为您进行签名。您必须使用密钥环文件的 ID、密码和位置创建一个属性文件,它会完成其余的工作。

请参阅:https://docs.gradle.org/current/userguide/signing_plugin.html

Whatever build tool you use to generate the RPM could have the capability to sign it. For example, gradle has a plugin that does the signing for you. You have to create a properties file with the id, passphrase, and location of the key ring file, and it does the rest.

See: https://docs.gradle.org/current/userguide/signing_plugin.html

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文