From 071ab2c0add58542b7619430ef11762d68377bf4 Mon Sep 17 00:00:00 2001
From: sachintu47
Date: Tue, 19 May 2026 02:42:20 -0400
Subject: [PATCH 1/3] Add automated RPM signing
- Enable headless RPM signing using zopen GPG environment variables.
---
 bin/zopen-build | 3 ++
 bin/zopen-pax2rpm | 93 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
diff --git a/bin/zopen-build b/bin/zopen-build
index 3af489b38..ddb0f52a2 100755
--- a/bin/zopen-build
+++ b/bin/zopen-build
@@ -2507,6 +2507,9 @@ create_rpm()
 if [ -n "${rpm_deps}" ]; then
 cmd="${cmd} --requires \"${rpm_deps}\""
 fi
+ if [ "${signPax}" = "true" ]; then
+ cmd="${cmd} --sign"
+ fi
 if ! runAndLog "${cmd}"; then
 printError "Could not generate RPM from \"${paxFileName}\""
 fi
diff --git a/bin/zopen-pax2rpm b/bin/zopen-pax2rpm
index 823037b11..f36cef16c 100755
--- a/bin/zopen-pax2rpm
+++ b/bin/zopen-pax2rpm
@@ -40,6 +40,7 @@ PACKAGER_EMAIL="${CURRENT_USER}@$(hostname 2>/dev/null || echo "localhost")"
 # Build flag
 BUILD_RPM=false
 BUILD_BINARY_ONLY=false
+SIGN_RPM=false
 BUILDROOT="${HOME}/rpmbuild"
 VALIDATE_SPEC=false
 DRY_RUN=false
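Review bot: The new `--sign` branch keys RPM signing off `signPax`, so whoever enables pax signing also turns on rpmsign without any local check that the GPG material zopen-pax2rpm needs is present; a missing ZOPEN_GPG_SECRET_KEY_FILE or ZOPEN_GPG_SECRET_KEY_PASSPHRASE_FILE then only surfaces inside the child after the RPM has been built. A comment above the branch would make that coupling visible to whoever next touches signPax: `# RPM signing follows the pax signing switch; zopen-pax2rpm needs ZOPEN_GPG_SECRET_KEY_FILE and ZOPEN_GPG_SECRET_KEY_PASSPHRASE_FILE`. create_rpm continues outside the hunk.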
@@ -386,6 +387,89 @@ EOF
 return 0
 }
+# Function to sign generated RPMs
+sign_rpm() {
+ buildroot="$1"
+
+ # Check for required environment variables
+ if [ -z "${ZOPEN_GPG_SECRET_KEY_FILE}" ] || [ -z "${ZOPEN_GPG_SECRET_KEY_PASSPHRASE_FILE}" ]; then
+ printError "Signing requested but ZOPEN_GPG_SECRET_KEY_FILE or ZOPEN_GPG_SECRET_KEY_PASSPHRASE_FILE not set"
+ return 1
+ fi
+
+ echo ""
+ echo "=========================================="
+ echo "Signing RPM packages..."
+ echo "=========================================="
+ echo ""
+
+ # Create a temporary directory for GPG keyring
+ TMP_GPG_DIR=$(mktempdir "rpm_gpg")
+ if [ -z "${TMP_GPG_DIR}" ] || [ ! -d "${TMP_GPG_DIR}" ]; then
+ printError "Failed to create temporary directory for GPG signing"
+ fi
+ chmod 700 "${TMP_GPG_DIR}"
+
+ OLD_GNUPGHOME="$GNUPGHOME"
+ export GNUPGHOME="$TMP_GPG_DIR"
+ RPM_LIST=""
+
+ # Use the framework's helper to ensure files are cleaned up on exit/interrupt
+ # without overwriting the global traps set in common.sh
+ addCleanupTrapCmd "rm -rf ${TMP_GPG_DIR}"
+
+ # Import the private key
+ echo "Importing private key..."
+ if ! gpg --batch --yes --import "${ZOPEN_GPG_SECRET_KEY_FILE}" >/dev/null 2>&1; then
+ printError "Failed to import GPG secret key"
+ fi
+
+ # Identify the GPG key ID (long ID)
+ GPG_KEY_ID=$(gpg --list-secret-keys --with-colons | grep '^sec' | cut -d: -f5 | head -n 1)
+ if [ -z "${GPG_KEY_ID}" ]; then
+ printError "Could not identify GPG key ID from imported key"
+ fi
+
+ # Create a wrapper script for gpg to handle the passphrase file
+ GPG_WRAPPER="${TMP_GPG_DIR}/gpg_wrapper.sh"
+ cat << EOF > "${GPG_WRAPPER}"
+#!/bin/sh
+gpg --batch --pinentry-mode loopback --passphrase-file "${ZOPEN_GPG_SECRET_KEY_PASSPHRASE_FILE}" "\$@"
+EOF
+ chmod +x "${GPG_WRAPPER}"
+
+ # Sign the RPMs using the wrapper and key ID
+ # We use --define to override the GPG command and key details
+ SIGN_CMD="rpmsign --addsign --key-id ${GPG_KEY_ID} \
+ --define '_gpg_name ${GPG_KEY_ID}' \
+ --define '__gpg ${GPG_WRAPPER}' \
+ --define '_gpg_path ${TMP_GPG_DIR}'"
+
+ # Use a temporary file to avoid subshell return issues
+ RPM_LIST=$(mktempfile "rpmlist")
+ addCleanupTrapCmd "rm -f ${RPM_LIST}"
+ find "$buildroot/RPMS" -name "*.rpm" -type f > "$RPM_LIST"
+
+ if [ ! -s "$RPM_LIST" ]; then
+ printError "No RPM packages found to sign in $buildroot/RPMS"
+ fi
+
+ while read rpm; do
+ [ -z "$rpm" ] && continue
+ echo "Signing $rpm..."
+ if ! eval "${SIGN_CMD} \"${rpm}\""; then
+ printError "Failed to sign RPM: $rpm"
+ fi
+ done < "$RPM_LIST"
+
+ rm -f "$RPM_LIST"
+ rm -rf "$TMP_GPG_DIR"
+ [ -n "$OLD_GNUPGHOME" ] && export GNUPGHOME="$OLD_GNUPGHOME" || unset GNUPGHOME
+
+ echo "✓ All RPMs signed successfully"
+ return 0
+}
+
 # Function to setup rpmbuild directories
 setup_rpmbuild() {
 buildroot="$1"
@@ -718,6 +802,11 @@ source_name=$(basename "$pax_file")
 done
 fi
 echo ""
+
+ if [ "$SIGN_RPM" = true ]; then
+ sign_rpm "$buildroot"
+ fi
+
 return 0
 else
 echo ""
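Review bot: `eval "${SIGN_CMD} \"${rpm}\""` re-parses each path read from the RPM list as shell code, and the `while read rpm` loop feeding it strips backslashes (no `-r`), so a file name under `$buildroot/RPMS` containing a quote, `$` or backtick would be interpreted rather than signed; rpmsign accepts the same defines directly, `rpmsign --addsign --key-id "${GPG_KEY_ID}" --define "_gpg_name ${GPG_KEY_ID}" --define "__gpg ${GPG_WRAPPER}" --define "_gpg_path ${TMP_GPG_DIR}" "${rpm}"`, with the loop header as `while IFS= read -r rpm; do`. Error handling is also uneven: the env-var check pairs `printError` with `return 1`, while the mktempdir, import, key-ID, empty-list and per-file failures rely on `printError` alone, so if `printError` (defined outside the hunk) does not exit, the function carries on with an empty `TMP_GPG_DIR` or `GPG_KEY_ID` and each of those branches should get the same `return 1`. The import discards gpg's stderr (`>/dev/null 2>&1`), which removes the one message an operator needs when the key file is unreadable or in the wrong format. The function header comment should also state that the wrapper's `--pinentry-mode loopback` requires gpg 2.1 or newer.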
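Review bot: `sign_rpm "$buildroot"` is invoked without checking its exit status, so the `return 1` sign_rpm issues when ZOPEN_GPG_SECRET_KEY_FILE or ZOPEN_GPG_SECRET_KEY_PASSPHRASE_FILE is unset is discarded and this function still reaches `return 0`, reporting a successful build with unsigned RPMs in place; change it to `sign_rpm "$buildroot" || return 1`. Because those variables are validated only here, after the packages are built, a misconfigured `--sign` run fails late; checking them in main when the option is parsed (hunk at 840) would fail fast. The enclosing function starts and ends outside the hunk.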
@@ -840,6 +929,10 @@ main() {
 BUILD_BINARY_ONLY=true
 shift
 ;;
+ --sign)
+ SIGN_RPM=true
+ shift
+ ;;
 --buildroot)
 [ -n "$2" ] || { echo "Error: --buildroot requires a value" >&2; usage; }
 BUILDROOT="$2"
From 402202e0e0b4ffc6bbcc1b25f46a08cc2bd82604 Mon Sep 17 00:00:00 2001
From: Sachin <32639496+sachintu47@users.noreply.github.com>
Date: Wed, 27 May 2026 19:50:17 +0530
Subject: [PATCH 2/3] Simplify GPG signing process in zopen-pax2rpm
Removed unnecessary checks and cleanup commands for GPG directory and RPM list.
Signed-off-by: Sachin <32639496+sachintu47@users.noreply.github.com>
---
 bin/zopen-pax2rpm | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/bin/zopen-pax2rpm b/bin/zopen-pax2rpm
index f36cef16c..630694cdd 100755
--- a/bin/zopen-pax2rpm
+++ b/bin/zopen-pax2rpm
@@ -405,19 +405,12 @@ sign_rpm() {
 # Create a temporary directory for GPG keyring
 TMP_GPG_DIR=$(mktempdir "rpm_gpg")
- if [ -z "${TMP_GPG_DIR}" ] || [ ! -d "${TMP_GPG_DIR}" ]; then
- printError "Failed to create temporary directory for GPG signing"
- fi
 chmod 700 "${TMP_GPG_DIR}"
 OLD_GNUPGHOME="$GNUPGHOME"
 export GNUPGHOME="$TMP_GPG_DIR"
 RPM_LIST=""
- # Use the framework's helper to ensure files are cleaned up on exit/interrupt
- # without overwriting the global traps set in common.sh
- addCleanupTrapCmd "rm -rf ${TMP_GPG_DIR}"
-
 # Import the private key
 echo "Importing private key..."
 if ! gpg --batch --yes --import "${ZOPEN_GPG_SECRET_KEY_FILE}" >/dev/null 2>&1; then
@@ -447,7 +440,6 @@ EOF
 # Use a temporary file to avoid subshell return issues
 RPM_LIST=$(mktempfile "rpmlist")
- addCleanupTrapCmd "rm -f ${RPM_LIST}"
 find "$buildroot/RPMS" -name "*.rpm" -type f > "$RPM_LIST"
 if [ ! -s "$RPM_LIST" ]; then
From 6c150c6d8e0669ef891d80dabbcf627542b3bfda Mon Sep 17 00:00:00 2001
From: Sachin <32639496+sachintu47@users.noreply.github.com>
Date: Wed, 27 May 2026 19:57:40 +0530
Subject: [PATCH 3/3] Enhance sign_rpm with debug information
Add debugging output to the sign_rpm function.
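Review bot: Dropping `addCleanupTrapCmd "rm -rf ${TMP_GPG_DIR}"` leaves the only removal of the temporary keyring at the end of sign_rpm, which is not reached on the `return 1` path, on any printError that exits, or on an interrupt, so the imported private key stays on disk in `TMP_GPG_DIR` after a failed or aborted run; the trap registration should come back (the RPM-list trap removed in the hunk at 447 has the same shape, though that file holds only paths). Removing the `mktempdir` result check is a second regression: if `mktempdir` fails, `TMP_GPG_DIR` is empty, `chmod 700 ""` fails, and `export GNUPGHOME=""` — which gpg is likely to treat as unset — means the secret key is imported into the user's default keyring instead of an isolated one. A one-line guard keeps this safe: `[ -n "${TMP_GPG_DIR}" ] && [ -d "${TMP_GPG_DIR}" ] || { printError "Failed to create temporary directory for GPG signing"; return 1; }`. The enclosing function starts and ends outside both hunks.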
Signed-off-by: Sachin <32639496+sachintu47@users.noreply.github.com>
---
 bin/zopen-pax2rpm | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/bin/zopen-pax2rpm b/bin/zopen-pax2rpm
index 630694cdd..207d36d8d 100755
--- a/bin/zopen-pax2rpm
+++ b/bin/zopen-pax2rpm
@@ -389,6 +389,9 @@ EOF
 # Function to sign generated RPMs
 sign_rpm() {
+ set -x
+ echo "In sign_rpm"
+ pwd
 buildroot="$1"
 # Check for required environment variables
@@ -459,6 +462,7 @@ EOF
 [ -n "$OLD_GNUPGHOME" ] && export GNUPGHOME="$OLD_GNUPGHOME" || unset GNUPGHOME
 echo "✓ All RPMs signed successfully"
+ set +x
 return 0
 }
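Review bot: `set -x` is switched on unconditionally for every signing run, and the matching `set +x` in the hunk at 459 sits only on the success path, so after the `return 1` for missing env vars (or any printError that returns rather than exits) tracing stays enabled for the rest of the script; the trace also writes the secret-key file path, the key ID and every rpmsign invocation to stderr and therefore into CI logs (the passphrase itself is not traced as far as the hunk shows, since the wrapper reads it in a separate process). If the debugging output is meant to stay, gate it on an existing verbose/debug flag and restore the previous state instead of forcing it off, e.g. `case $- in *x*) had_xtrace=1 ;; *) had_xtrace=0 ;; esac` at entry and `[ "$had_xtrace" = 1 ] || set +x` before each return; otherwise `set -x`, `echo "In sign_rpm"` and `pwd` look like debug residue that should be dropped before merging. The enclosing function ends outside this hunk.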