Do not rely on GPG key id

- use the key name if possible - instead of downloading repomd.xml.key, create it on the fly
2025-08-21 18:50:28 +00:00 · 2024-04-19 23:30:20 +02:00
parent 5883584fde
commit f7f3bdb5c7
3 changed files with 10 additions and 8 deletions
--- a/6
+++ b/6
@@ -373,7 +373,8 @@ __EOF__
           #echo "GPGSIGN=$GPGSIGN specified, the repo will not be signed"
           echo "" >> conf/distributions
       else
-           echo "SignWith: 5619700D" >> conf/distributions
+           keyid=$(gpg --list-keys --keyid-format long "xCAT Automatic Signing Key" | grep '^pub' | sed -e 's/.*\///' -e 's/ .*//')
+           echo "SignWith: $keyid" >> conf/distributions
           echo "" >> conf/distributions
       fi
    done
@@ -514,7 +515,8 @@ __EOF__
            echo "GPGSIGN=$GPGSIGN specified, the repo will not be signed"
            echo "" >> conf/distributions
        else
-            echo "SignWith: 5619700D" >> conf/distributions
+            keyid=$(gpg --list-keys --keyid-format long "xCAT Automatic Signing Key" | grep '^pub' | sed -e 's/.*\///' -e 's/ .*//')
+            echo "SignWith: $keyid" >> conf/distributions
            echo "" >> conf/distributions
        fi

--- a/buildcore.sh
+++ b/buildcore.sh
@@ -479,13 +479,13 @@ if [ "$OSNAME" != "AIX" ]; then
        rm -f $SRCDIR/repodata/repomd.xml.asc
        rm -f $DESTDIR/repodata/repomd.xml.asc
        # Use the xCAT Automatic Signing Key to do the signing
-        gpg -a --detach-sign --default-key 5619700D $DESTDIR/repodata/repomd.xml
-        gpg -a --detach-sign --default-key 5619700D $SRCDIR/repodata/repomd.xml
+        gpg -a --detach-sign --default-key "xCAT Automatic Signing Key" $DESTDIR/repodata/repomd.xml
+        gpg -a --detach-sign --default-key "xCAT Automatic Signing Key" $SRCDIR/repodata/repomd.xml
        if [ ! -f $DESTDIR/repodata/repomd.xml.key ]; then
-            ${WGET_CMD} --no-check-certificate -q -P $DESTDIR/repodata $GSA/keys/repomd.xml.key
+            gpg -a --export "xCAT Automatic Signing Key" > $DESTDIR/repodata/repomd.xml.key
        fi
        if [ ! -f $SRCDIR/repodata/repomd.xml.key ]; then
-            ${WGET_CMD} --no-check-certificate -P $SRCDIR/repodata $GSA/keys/repomd.xml.key
+            gpg -a --export "xCAT Automatic Signing Key" > $SRCDIR/repodata/repomd.xml.key
        fi
    else
        createrepo $DESTDIR
--- a/builddep.sh
+++ b/builddep.sh
@@ -265,9 +265,9 @@ for i in `find -mindepth 2 -maxdepth 2 -type d `; do
 		createrepo $i >/dev/null
 	fi
 	rm -f $i/repodata/repomd.xml.asc
-	gpg -a --detach-sign --default-key 5619700D $i/repodata/repomd.xml
+	gpg -a --detach-sign --default-key "xCAT Automatic Signing Key" $i/repodata/repomd.xml
 	if [ ! -f $i/repodata/repomd.xml.key ]; then
-		cp $GSA/../keys/repomd.xml.key $i/repodata
+		gpg -a --export "xCAT Automatic Signing Key" > $i/repodata/repomd.xml.key
 	fi
 done