add automated RPM signing by sachintu47 · Pull Request #1186 · zopencommunity/meta

sachintu47 · 2026-05-19T06:43:11Z

Separate local install from packaging logic in zopen-build.
Add specialized functions for pax and RPM creation.
Enable headless RPM signing using zopen GPG environment variables.

What type of PR is this? (check all applicable)

Description

Related Issues

Related Issue #
Closes #

[optional] Are there any post-deployment tasks or follow-up actions required?

sachintu47 · 2026-05-19T06:43:24Z

augment review

augmentcode · 2026-05-19T06:46:54Z

🤖 Augment PR Summary

Summary: Refactors zopen-build to split packaging (pax/RPM artifact creation) into a dedicated post-install phase, and introduces an optional RPM signing step driven by zopen GPG environment variables.

Changes:

Moves pax and RPM generation logic out of install() into new helpers: create_pax(), create_rpm(), and pax_finalize().
Adds a new package() phase that installs packaging-time deps (e.g., coreutils/jq, plus gpg/rpm when needed) and then produces artifacts.
Invokes package() after install() when --generate-pax or --generate-rpm is requested.
Extends zopen-pax2rpm with a --sign flag and a new sign_rpm() function to sign built RPMs using imported secret key material in a temporary GPG home.
Updates zopen-build to pass --sign to zopen-pax2rpm when pax signing is enabled.

Technical Notes: The RPM signing flow uses GNUPGHOME pointing at a temp keyring, imports the secret key non-interactively, derives a key id, and runs rpmsign --addsign with gpg-related macro overrides.

_{🤖 Was this summary useful? React with 👍 or 👎}

augmentcode

Review completed. 4 suggestions posted.

Comment augment review to trigger a new review at any time.

sachintu47 · 2026-05-19T07:00:07Z

augment review

augmentcode

Review completed. 5 suggestions posted.

Comment augment review to trigger a new review at any time.

sachintu47 · 2026-05-19T07:13:34Z

augment review

augmentcode

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

sachintu47 · 2026-05-19T07:20:35Z

augment review

augmentcode

Review completed. 3 suggestions posted.

Comment augment review to trigger a new review at any time.

sachintu47 · 2026-05-19T09:28:40Z

augment review

augmentcode

Review completed. 1 suggestion posted.

Comment augment review to trigger a new review at any time.

sachintu47 · 2026-05-19T10:39:43Z

augment review

augmentcode

Review completed. 1 suggestion posted.

Comment augment review to trigger a new review at any time.

augmentcode · 2026-05-19T10:42:56Z

                BUILD_RPM=true
                shift
                ;;
+            --sign)


bin/zopen-pax2rpm:912 --sign can be provided without --build, but signing is only triggered after a successful RPM build (sign_rpm is called in the build-success path). This can lead to a confusing no-op where --sign is accepted but nothing is signed (and no warning/error is emitted).

Severity: low

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

- Enable headless RPM signing using zopen GPG environment variables.

Removed unnecessary checks and cleanup commands for GPG directory and RPM list. Signed-off-by: Sachin <32639496+sachintu47@users.noreply.github.com>

Add debugging output to the sign_rpm function. Signed-off-by: Sachin <32639496+sachintu47@users.noreply.github.com>