[PATCH] Make use of gpg more flexible

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 28 17:51:30 UTC 2016

This set of commands should work with modern versions of gpg (2.1.x)
as well, and should be independent of potentially variable output.

Additionally, we want the key to be signing-capable, but nothing else.

We also have no need to generate an encryption-capable subkey, so just
drop that part.
 bin/reproducible_build.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/bin/reproducible_build.sh b/bin/reproducible_build.sh
index dda7bba..d4d2e58 100755
--- a/bin/reproducible_build.sh
+++ b/bin/reproducible_build.sh
@@ -775,19 +775,19 @@ check_buildinfo() {
 sign_buildinfo() {
 	# Greate GPG key if it does not already exist
-	if ! gpg --list-secret-keys | grep -qs '^sec' >/dev/null 2>&1
+	if ! gpg --with-colons --fixed-list-mode --list-secret-keys | cut -d: -f1 | grep -qsFx 'sec' >/dev/null 2>&1
 		log_info "Generating GPG key"
-		gpg --batch --gen-key <<EOF
+		gpg --no-tty --batch --gen-key <<EOF
 Key-Type: RSA
 Key-Length: 4096
-Subkey-Type: ELG-E
-Subkey-Length: 1024
+Key-Usage: sign
 Name-Real: $(hostname -f)
-Name-Comment: Automatically generated key
+Name-Comment: Automatically generated key for signing .buildinfo files
 Expire-Date: 0
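Review bot: the visible part of the heredoc carries no `Passphrase:` line and no `%no-protection` directive; with gpg 2.1 an unattended `--batch --gen-key` without one of those invokes pinentry for a passphrase, which a `--no-tty` build script cannot answer, so the rest of the heredoc (cut off in this hunk) should be checked for `%no-protection` before claiming 2.1.x compatibility. Two smaller points on the same hunk: the `>/dev/null 2>&1` after `grep -qsFx 'sec'` is redundant with `-q -s` and can be dropped, and the existence test matches any `sec` record in the keyring rather than the key named `$(hostname -f)`, so a host that already holds an unrelated secret key will skip generation and later sign .buildinfo files with whatever gpg picks as its default key; restricting the check to the expected uid (or passing an explicit `--local-user` at signing time) would make the behaviour deterministic.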

More information about the Reproducible-builds mailing list