From 0eebaf8fc0cefafc74f0364eddf794c448149c97 Mon Sep 17 00:00:00 2001
From: bryan
Date: Mon, 13 Apr 2026 22:58:08 -0400
Subject: [PATCH] Sign repomd_xml.asc to a temp file and move to webroot
---
 installJRMC | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/installJRMC b/installJRMC
index 3c3ecc8..eb161bf 100755
--- a/installJRMC
+++ b/installJRMC
@@ -1210,31 +1210,43 @@ run_createrepo() {
 repomd_asc="$repomd_xml.asc"
 [[ -f $repomd_xml ]] || { err "repomd.xml missing after createrepo"; return 1; }
- gpg_cmd=(gpg --batch --yes --armor --detach-sign --output "$repomd_asc")
- [[ -n $SIGN_KEY ]] && gpg_cmd+=(--local-user "$SIGN_KEY")
- gpg_cmd+=("$repomd_xml")
-
 if [[ $(id -un) == "$SIGN_USER" ]]; then
 sign_prefix=()
 else
 sign_prefix=(sudo -u "$SIGN_USER")
 fi
+ # Sign repo.md to a temp file first and then move to webroot
+ local repomd_asc_tmp
+ repomd_asc_tmp=$(mktemp) || { err "Failed to create temp file for signature"; return 1; }
+
+ gpg_cmd=(gpg --batch --yes --armor --detach-sign --output "$repomd_asc_tmp")
+ [[ -n $SIGN_KEY ]] && gpg_cmd+=(--local-user "$SIGN_KEY")
+ gpg_cmd+=("$repomd_xml")
+
 echo "Signing repodata: $repomd_xml"
 if ! execute "${sign_prefix[@]}" "${gpg_cmd[@]}"; then
+ rm -f "$repomd_asc_tmp"
 err "Repodata signing failed"
 return 1
 fi
+ execute sudo install -m 0644 "$repomd_asc_tmp" "$repomd_asc"
 execute sudo chown "$WEBROOT_USER:$WEBROOT_USER" "$repomd_asc"
+ rm -f "$repomd_asc_tmp"
 # Export public key so clients can import it via repo gpgkey URL
 if [[ -n $SIGN_KEY ]]; then
 pubkey_file="$CREATEREPO_WEBROOT/RPM-GPG-KEY-jriver.asc"
- if ! execute "${sign_prefix[@]}" gpg --batch --yes --armor --output "$pubkey_file" --export "$SIGN_KEY"; then
+ local pubkey_tmp
+ pubkey_tmp=$(mktemp) || { err "Failed to create temp file for public key"; return 1; }
+ if ! execute "${sign_prefix[@]}" gpg --batch --yes --armor --output "$pubkey_tmp" --export "$SIGN_KEY"; then
+ rm -f "$pubkey_tmp"
 err "Public key export failed for SIGN_KEY=$SIGN_KEY"
 return 1
 fi
+ execute sudo install -m 0644 "$pubkey_tmp" "$pubkey_file"
 execute sudo chown "$WEBROOT_USER:$WEBROOT_USER" "$pubkey_file"
+ rm -f "$pubkey_tmp"
 else
 err "SIGN_SWITCH enabled without --sign-key; skipping public key export"
 fi
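Review bot: The file returned by `mktemp` is created mode 0600 and owned by the invoking user, so in the `sign_prefix=(sudo -u "$SIGN_USER")` branch gpg runs as a different account and cannot open `$repomd_asc_tmp` for writing unless SIGN_USER is root; the same applies to `$pubkey_tmp` in the export branch, where the old code wrote straight to `$pubkey_file` and did not have this constraint. One way to keep the temp file owned by the shell that created it is to let gpg write to stdout and redirect in the caller: drop `--output "$repomd_asc_tmp"` from `gpg_cmd` and run `if ! execute "${sign_prefix[@]}" "${gpg_cmd[@]}" > "$repomd_asc_tmp"; then` (and likewise `--export "$SIGN_KEY" > "$pubkey_tmp"`), provided `execute` does not itself print to stdout — its definition is outside the hunk, so confirm that first. Separately, only the gpg failure path removes the temp file, so a failing `execute sudo install` or `sudo chown` leaves the 0600 temp file behind; removing both temp files before each `return 1` or registering the cleanup in a `trap ... RETURN` would close that gap. run_createrepo starts before the hunk.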