views: 19
answers: 1
I have a continuous integration build system that generates an RPM via a shell script triggered by cron. I want to sign the RPM with gpg, but gpg insists on the user manually entering the passphrase at the console, which is clearly a non-starter since there is no user console for cron.

I have read about gpg-agent which will let you enter the passphrase once for the current login session, but again cron does not have a login session. What I would like is to be able to configure gpg-agent to accept the passphrase once at boot time and hand that to the cron session when needed. I have no idea if this is possible or not, and the docs for gpg-agent are fairly minimal.

The alternative would be to use expect to enter the passphrase when gpg asks for it, but clearly this is a big security hole since the passphrase will need to be included in the build script.

+1  A: 

You should start gpg-agent at startup and save the GPG_AGENT_INFO environment variable. Then you can set it up in your script's environment and it should work as expected. Additionally, make sure the permissions of the socket in GPG_AGENT_INFO allow your script to read it.

smmv
Thanks, that is exactly what I am looking for. But how do you query or set the permissions on a socket?
Dave Kirby
You set the permission as usual (chown on the path in GPG_AGENT_INFO). Then, if the environment variable is set, gpg should use it with no more action on your side. Note that I haven't tried this case, so let's see if it works ;)
smmv
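As an added example that is not part of the thread: one way to wire up the boot-time and cron-time halves smmv describes, written against GnuPG 2.0.x, the gpg-agent generation that honours GPG_AGENT_INFO and has --write-env-file (GnuPG 2.1 and later ignore GPG_AGENT_INFO and keep the socket under ~/.gnupg themselves, so only the cache-ttl settings carry over). The paths BUILD_HOME and AGENT_ENV, the key name KEY_ID and the socket check are assumptions made for this example, not anything from the question or the answer.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GnuPG 2.0.x, whose
# gpg-agent honours GPG_AGENT_INFO and supports --write-env-file
# (GnuPG 2.1+ drops both: it starts the agent on demand and keeps the
# socket under ~/.gnupg, so only the cache-ttl options below still apply).
# BUILD_HOME, AGENT_ENV and KEY_ID are placeholders chosen for the example.

BUILD_HOME="${BUILD_HOME:-/var/lib/builder}"          # home of the build user
AGENT_ENV="${AGENT_ENV:-$BUILD_HOME/.gpg-agent-info}" # saved GPG_AGENT_INFO line
KEY_ID="${KEY_ID:-build-signing-key}"                 # user id or key id to sign with

# GPG_AGENT_INFO has the form <socket path>:<agent pid>:<protocol version>.
agent_socket_path() { printf '%s\n' "${1%%:*}"; }
agent_pid() { rest="${1#*:}"; printf '%s\n' "${rest%%:*}"; }

# Confirm the agent named by a GPG_AGENT_INFO value is alive and that this
# user can open its socket. Whoever can open the socket can sign with the
# cached key, so it must belong to the build user alone (mode 0600).
check_agent_socket() {
    sock=$(agent_socket_path "$1")
    pid=$(agent_pid "$1")
    [ -S "$sock" ] || { echo "no agent socket at $sock" >&2; return 1; }
    if [ ! -r "$sock" ] || [ ! -w "$sock" ]; then
        echo "cannot open $sock; chown it to the build user (mode 0600)" >&2
        return 1
    fi
    kill -0 "$pid" 2>/dev/null || { echo "agent pid $pid is not running" >&2; return 1; }
}

# Run once, interactively, after boot, as the build user. The agent is told to
# keep the passphrase for a day; choose max-cache-ttl to match how long the
# box may build unattended between unlocks. The key is unlocked once here via
# pinentry so later cron runs never see a prompt.
start_build_agent() {
    GPG_TTY=$(tty); export GPG_TTY
    eval "$(gpg-agent --daemon \
        --default-cache-ttl 86400 --max-cache-ttl 86400 \
        --write-env-file "$AGENT_ENV")"
    chmod 600 "$AGENT_ENV"
    check_agent_socket "$GPG_AGENT_INFO" || return 1
    # A throwaway signature forces the single interactive passphrase entry.
    printf 'warm-up\n' | gpg --yes --sign --armor -u "$KEY_ID" -o /dev/null
}

# Cron side: import the saved environment and verify the agent before signing.
load_build_agent() {
    [ -r "$AGENT_ENV" ] || { echo "missing $AGENT_ENV; run '$0 boot' first" >&2; return 1; }
    . "$AGENT_ENV"            # sets GPG_AGENT_INFO=<socket>:<pid>:1
    export GPG_AGENT_INFO
    check_agent_socket "$GPG_AGENT_INFO"
}

# Detached signature written next to the RPM. --batch keeps gpg from trying
# to talk to a terminal: if the cached passphrase has expired, signing fails
# with a non-zero exit and the build fails visibly instead of blocking on a
# prompt that cron cannot answer.
sign_build_rpm() {
    rpm_file="$1"
    load_build_agent || return 1
    gpg --batch --yes --detach-sign --armor -u "$KEY_ID" -o "$rpm_file.asc" "$rpm_file"
}

case "${1:-}" in
    boot) start_build_agent ;;          # once, from a console, after reboot
    sign) shift; sign_build_rpm "$@" ;; # from the cron-driven build script
esac
```

Two things to keep in mind when using this: the agent only holds the passphrase for max-cache-ttl seconds after the boot-time unlock, so a machine that stays up longer than that needs the unlock repeated (or the ttl raised) before the next build, and the cached passphrase is usable by anyone who can open the socket as the build user, which is why both the socket and the saved env file have to be owned by that user and nobody else.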