Use gpg to sign an RPM as part of a continuous build - how to avoid the prompt for the passphrase?


I have a continuous integration build system that generates an RPM via a shell script triggered by cron. I want to sign the RPM with gpg, but gpg insists on the user manually entering the passphrase at the console, which is clearly a non-starter since there is no user console for cron.

I have read about gpg-agent which will let you enter the passphrase once for the current login session, but again cron does not have a login session. What I would like is to be able to configure gpg-agent to accept the passphrase once at boot time and hand that to the cron session when needed. I have no idea if this is possible or not, and the docs for gpg-agent are fairly minimal.

The alternative would be to use expect to enter the passphrase when gpg asks for it, but clearly this is a big security hole since the passphrase will need to be included in the build script.

You should start gpg-agent at start up and save the GPG_AGENT_INFO environment variable. Then you can set it up in your script's environment and should work as expected. Additionally, make sure permissions of the socket in GPG_AGENT_INFO allow your script to read it.