Merge pull request #1031 from chef/mimaslanka/rhel-rpm-sign

Add rpmsign instead of using rpmbuild for rpms
chef · Jul 29, 2021 · 787fdcb · 787fdcb
2 parents 6d109b6 + 37c8fbe
commit 787fdcb
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 9 deletions.
diff --git a/lib/omnibus/packagers/rpm.rb b/lib/omnibus/packagers/rpm.rb
@@ -417,6 +417,10 @@ def create_rpm_file
       command << %{ -bb}
       command << %{ --buildroot #{staging_dir}/BUILD}
       command << %{ --define '_topdir #{staging_dir}'}
+      command << " #{spec_file}"
+
+      log.info(log_key) { "Creating .rpm file" }
+      shellout!("#{command}")
 
       if signing_passphrase
         log.info(log_key) { "Signing enabled for .rpm file" }
@@ -438,17 +442,18 @@ def create_rpm_file
             })
         end
 
-        command << " --sign"
-        command << " #{spec_file}"
-
+        sign_cmd = "rpmsign --addsign #{rpm_file}"
         with_rpm_signing do |signing_script|
-          log.info(log_key) { "Creating .rpm file" }
-          shellout!("#{signing_script} \"#{command}\"", environment: { "HOME" => home })
+          log.info(log_key) { "Signing the built rpm file" }
+
+          # RHEL 8 has gpg-agent running so we can skip the expect script since the agent
+          # takes care of the passphrase entering on the signing
+          if dist_tag != ".el8"
+            sign_cmd.prepend("#{signing_script} \"").concat("\"")
+          end
+
+          shellout!("#{sign_cmd}", environment: { "HOME" => home })
         end
-      else
-        log.info(log_key) { "Creating .rpm file" }
-        command << " #{spec_file}"
-        shellout!("#{command}")
       end
 
       FileSyncer.glob("#{staging_dir}/RPMS/**/*.rpm").each do |rpm|
@@ -483,6 +488,15 @@ def spec_file
       "#{staging_dir}/SPECS/#{package_name}.spec"
     end
 
+    #
+    # The full path to the rpm file.
+    #
+    # @return [String]
+    #
+    def rpm_file
+      "#{staging_dir}/RPMS/#{safe_architecture}/#{package_name}"
+    end
+
     #
     # Render the rpm signing script with secure permissions, call the given
     # block with the path to the script, and ensure deletion of the script from

diff --git a/spec/unit/packagers/rpm_spec.rb b/spec/unit/packagers/rpm_spec.rb
@@ -404,6 +404,16 @@ module Omnibus
       end
     end
 
+    describe "#rpm_file" do
+      before do
+        allow(subject).to receive(:package_name).and_return("package_name.rpm")
+      end
+
+      it "includes the package_name rpm" do
+        expect(subject.rpm_file).to eq("#{staging_dir}/RPMS/#{architecture}/package_name.rpm")
+      end
+    end
+
     describe "#rpm_safe" do
       it "adds quotes when required" do
         expect(subject.rpm_safe("file path")).to eq('"file path"')