scripts/stage-runtime.sh provisions the transient runtime/ tree used by the build/sign/publish workflow. It creates the on-disk directories, refreshes runtime/rpmmacros from templates/rpmmacros, and performs safety checks so mock, rpmsign, and other helpers see a consistent layout before the Docker-based builds run.
Running the helper ensures the following structure exists (all paths are relative to the repository root):
runtime/
├── artifacts/ # mock results (binary RPMs, SRPMs, logs)
├── repo/ # createrepo_c output + staged repository metadata
├── SOURCES/ # spectool cache shared across builds
├── gnupg/ # drop exported signing keys/ownertrust here
├── logs/ # maintainer workflow logs
└── rpmmacros # rendered from templates/rpmmacros
runtime/gnupg is created with 0700 permissions so that imported keys remain private. runtime/rpmmacros is written with 0600 permissions so only the current user can read it.
Stage the runtime tree before running any build or signing scripts:
./scripts/stage-runtime.sh --key-id ABCDEF1234567890 \
  --packager "Your Name <you@example.com>"
- --key-id updates %_gpg_name in runtime/rpmmacros so rpmsign knows which key to use.
- --packager sets the %packager header for subsequent spec bumps/builds.
- Re-run the command with --force whenever you need to regenerate the macros file (for example, after editing templates/rpmmacros).
--runtime <dir> Target runtime directory (default: runtime)
--templates <dir> Source template directory (default: templates)
--results <dir> Results directory to create (default: runtime/artifacts)
--repo <dir> Repository directory to create (default: runtime/repo)
--sources <dir> Source directory for --check-sources (default: sources)
--check-sources Only validate source basenames, do not stage runtime files
--key-id <id> Override %_gpg_name in runtime/rpmmacros
--packager <str> Override %packager in runtime/rpmmacros
--force Overwrite runtime/rpmmacros even if it already exists
Most setups can rely on the defaults; the --runtime/--results/--repo flags are primarily for CI systems that need to redirect paths.
The script refuses to run if two different packages ship files with the same basename (for example, both sources/foo/service.service and sources/bar/service.service). Use --check-sources to audit the tree:
./scripts/stage-runtime.sh --check-sources
Resolve any conflicts before staging the runtime directories so spec builds never pick up the wrong file.
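The same collision can be audited with a short standalone function. This is an added example, not the project's stage-runtime.sh code; it assumes each package has its own directory directly under the sources directory, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's code). Assumed layout: <sources>/<package>/.../<file>.
# Prints "<basename>: <pkg> <pkg> ..." for every basename shipped by more than
# one package. Returns 0 if clean, 1 on conflicts, 2 if the directory is missing.
# Limitation: file names containing newlines are not supported.
find_basename_conflicts() {
    src_dir=${1:-sources}
    if [ ! -d "$src_dir" ]; then
        echo "no such directory: $src_dir" >&2
        return 2
    fi
    report=$(
        cd "$src_dir" && find . -mindepth 2 -type f | LC_ALL=C sort |
        awk -F/ '
            {
                pkg = $2; base = $NF
                # Count each (basename, package) pair once, so a package that
                # carries the same basename in two subdirectories is not flagged.
                if (!((base, pkg) in seen)) {
                    seen[base, pkg] = 1
                    count[base]++
                    owners[base] = owners[base] " " pkg
                }
            }
            END { for (b in count) if (count[b] > 1) print b ":" owners[b] }
        ' | LC_ALL=C sort
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed sample tree mirroring the conflict described above.
demo_conflict() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/foo" "$tmp/bar" "$tmp/baz/units"
    : > "$tmp/foo/service.service"
    : > "$tmp/bar/service.service"
    : > "$tmp/baz/units/baz.service"
    rc=0
    find_basename_conflicts "$tmp" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Files placed directly in the sources directory, outside any package directory, are ignored because they belong to no package.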
stage-runtime.sh prepares runtime/gnupg/ but does not copy your keys. Export them manually:
gpg --export-secret-keys ABCDEF1234567890 > runtime/gnupg/private.asc
gpg --armor --export ABCDEF1234567890 > runtime/gnupg/RPM-GPG-KEY-thesystem-dev # ASCII-armoured for verification
# Optional: only if you've assigned explicit ownertrust values you want to reuse
gpg --export-ownertrust > runtime/gnupg/ownertrust.txt
The signing script (scripts/sign-rpms.sh) imports these files into an ephemeral GNUPGHOME when signing RPMs. The verification mode (--verify) also auto-imports the ASCII-armoured public key into a temporary RPM database for signature validation. Never copy your entire ~/.gnupg directory into the repo.
Security: Add runtime/gnupg/*.asc to .gitignore and treat runtime/ as disposable state.