Sign repomd_xml.asc to a temp file and move to webroot

2026-04-13 22:58:08 -04:00
parent 3c43f546d0
commit 0eebaf8fc0
1 changed files with 17 additions and 5 deletions
--- a/22
+++ b/22
@@ -1210,31 +1210,43 @@ run_createrepo() {
    repomd_asc="$repomd_xml.asc"
    [[ -f $repomd_xml ]] || { err "repomd.xml missing after createrepo"; return 1; }
    gpg_cmd=(gpg --batch --yes --armor --detach-sign --output "$repomd_asc")
    [[ -n $SIGN_KEY ]] && gpg_cmd+=(--local-user "$SIGN_KEY")
    gpg_cmd+=("$repomd_xml")
    if [[ $(id -un) == "$SIGN_USER" ]]; then
      sign_prefix=()
    else
      sign_prefix=(sudo -u "$SIGN_USER")
    fi
    # Sign repo.md to a temp file first and then move to webroot
    local repomd_asc_tmp
    repomd_asc_tmp=$(mktemp) || { err "Failed to create temp file for signature"; return 1; }
    gpg_cmd=(gpg --batch --yes --armor --detach-sign --output "$repomd_asc_tmp")
    [[ -n $SIGN_KEY ]] && gpg_cmd+=(--local-user "$SIGN_KEY")
    gpg_cmd+=("$repomd_xml")
    echo "Signing repodata: $repomd_xml"
    if ! execute "${sign_prefix[@]}" "${gpg_cmd[@]}"; then
      rm -f "$repomd_asc_tmp"
      err "Repodata signing failed"
      return 1
    fi
    execute sudo install -m 0644 "$repomd_asc_tmp" "$repomd_asc"
    execute sudo chown "$WEBROOT_USER:$WEBROOT_USER" "$repomd_asc"
    rm -f "$repomd_asc_tmp"
    # Export public key so clients can import it via repo gpgkey URL
    if [[ -n $SIGN_KEY ]]; then
      pubkey_file="$CREATEREPO_WEBROOT/RPM-GPG-KEY-jriver.asc"
-      if ! execute "${sign_prefix[@]}" gpg --batch --yes --armor --output "$pubkey_file" --export "$SIGN_KEY"; then
+      local pubkey_tmp
      pubkey_tmp=$(mktemp) || { err "Failed to create temp file for public key"; return 1; }
      if ! execute "${sign_prefix[@]}" gpg --batch --yes --armor --output "$pubkey_tmp" --export "$SIGN_KEY"; then
        rm -f "$pubkey_tmp"
        err "Public key export failed for SIGN_KEY=$SIGN_KEY"
        return 1
      fi
      execute sudo install -m 0644 "$pubkey_tmp" "$pubkey_file"
      execute sudo chown "$WEBROOT_USER:$WEBROOT_USER" "$pubkey_file"
      rm -f "$pubkey_tmp"
    else
      err "SIGN_SWITCH enabled without --sign-key; skipping public key export"
    fi