From 7f006525029c48fbba8c6c7a06eff6ac67a95e88 Mon Sep 17 00:00:00 2001
From: Roman Shevchenko <rrrooommmaaa@mail.ru>
Date: Sat, 22 Feb 2020 18:25:16 +0300
Subject: [PATCH] Sign script (yet unwired) #7

---
 sign.sh | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 sign.sh

diff --git a/sign.sh b/sign.sh
new file mode 100644
index 0000000..ae088e7
--- /dev/null
+++ b/sign.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+set -ex
+
+pushd $RPM_DIR
+yum -y install rpmdevtools rpm-sign expect
+
+# install rnp for signing
+rpm --import https://github.com/riboseinc/yum/raw/master/ribose-packages.pub
+curl -L https://github.com/riboseinc/yum/raw/master/ribose.repo > /etc/yum.repos.d/ribose.repo
+yum -y install rnp
+# set some macros
+cat <<EOF >~/.rpmmacros
+%_gpg_name $PACKAGER
+%__gpg_check_password_cmd %{_bindir}/rnp \
+    rnp --pass-fd 3 --userid "%{_gpg_name}" --sign --output=-
+%__gpg_sign_cmd %{_bindir}/rnp \
+    rnp --pass-fd 3 --userid "%{_gpg_name}" --sign --detach --output=%{__signature_filename} %{__plaintext_filename}
+EOF
+# remove gpg, just to make sure we're signing with rnp like we are expecting
+rm $(rpm --eval '%{__gpg}')
+rm -f /usr/bin/gpg /usr/bin/gpg2
+# import the key and sign
+rnpkeys --import "$SIGNING_KEY_PATH"
+for pkg in RPMS/**/*.rpm SRPMS/*.src.rpm; do
+    expect <<EOF
+    spawn rpm --addsign "$pkg"
+    expect -ex        "Enter pass phrase: "
+    send -- "\r"
+    expect eof
+EOF
+    # verification should fail since we haven't imported the public key
+    ! rpmdev-checksig "$pkg"
+    ! rpm --checksig "$pkg"
+    # export + import to the rpm db
+    public_key_path="$(mktemp --tmpdir signing-key-pub.gpg.XXXX)"
+    rnpkeys --export-key "$PACKAGER" > "$public_key_path"
+    rpm --import "$public_key_path"
+    # verification should succeed at this point
+    # rpmdev-checksig will fail if no signature is present (so it's a good additional check)
+    rpmdev-checksig "$pkg"
+    rpm --checksig "$pkg"
+done
+popd
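Review bot: The negative assertions `! rpmdev-checksig "$pkg"` and `! rpm --checksig "$pkg"` can never abort the script, because `set -e` is ignored for a pipeline that begins with `!`, and since the public key is `rpm --import`ed inside the loop they would in any case be false for every package after the first, so the "verification should fail" step proves nothing about the key being absent. I would sign and negative-check all packages first with an explicit `if ...; then exit 1; fi`, import the exported public key once, and run the positive checks in a second loop, as below. The rnp repo file and its `.pub` key are fetched from the mutable `master` branch with `curl -L` but no `-f`, so a 404 body would be written to `/etc/yum.repos.d/ribose.repo` unnoticed and nothing pins which signing toolchain gets installed; pin a commit SHA (or vendor the `.pub`) and use `curl -fsSL`. `send -- "\r"` also means the imported signing key is assumed to have an empty passphrase, which deserves a comment at the top of the script, and `pushd`/`popd` are bash builtins under a `#!/bin/sh` shebang.
```shell
rnpkeys --import "$SIGNING_KEY_PATH"
for pkg in RPMS/**/*.rpm SRPMS/*.src.rpm; do
    # … unchanged: expect-driven rpm --addsign …
    # The public key is not in the rpm db yet, so verification must fail.
    # '! cmd' is exempt from set -e, hence the explicit exit.
    if rpmdev-checksig "$pkg" || rpm --checksig "$pkg"; then
        echo "signature on $pkg verified before the public key was imported" >&2
        exit 1
    fi
done
# export + import to the rpm db, once for all packages
public_key_path="$(mktemp --tmpdir signing-key-pub.gpg.XXXX)"
rnpkeys --export-key "$PACKAGER" > "$public_key_path"
rpm --import "$public_key_path"
rm -f "$public_key_path"
for pkg in RPMS/**/*.rpm SRPMS/*.src.rpm; do
    # rpmdev-checksig fails when no signature is present (useful extra check)
    rpmdev-checksig "$pkg"
    rpm --checksig "$pkg"
done
```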