From 7f673e3b5a36f78c3ba7959cc48498f558b4dacc Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 16 Nov 2025 06:58:52 -0600
Subject: [PATCH] ci: Sign RPMs

---
 ci/Jenkinsfile | 30 ++++++++++++++++++++++++++++++
 ci/sign.sh | 21 +++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 ci/sign.sh

diff --git a/ci/Jenkinsfile b/ci/Jenkinsfile
index 40daa1f..858bb95 100644
--- a/ci/Jenkinsfile
+++ b/ci/Jenkinsfile
@@ -40,6 +40,36 @@ pipeline {
 }
 }
 }
+
+ stage('Sign') {
+ when {
+ branch 'main'
+ }
+ environment {
+ GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
+ }
+ steps {
+ withCredentials([
+ file(
+ credentialsId: 'rpm-gpg-key',
+ variable: 'RPM_GPG_PRIVATE_KEY',
+ ),
+ file(
+ credentialsId: 'rpm-gpg-key-passphrase',
+ variable: 'RPM_GPG_KEY_PASSPHRASE',
+ ),
+ ]) {
+ sh '. ci/sign.sh'
+ }
+ }
+ }
+
+ stage('Archive') {
+ steps {
+ archiveArtifacts '*.rpm'
+ }
+ }
+ }
 }
 }
diff --git a/ci/sign.sh b/ci/sign.sh
new file mode 100644
index 0000000..3ec28ab
--- /dev/null
+++ b/ci/sign.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+if [ $(id -u) -eq 0 ]; then
+ exec setpriv --clear-groups --reuid 1000 --regid 1000 --inh-caps=-all \
+ sh -ex ci/sign.sh
+fi
+
+install -m u=rwx,go= -d "${GNUPGHOME}"
+cat > "${GNUPGHOME}"/gpg-agent.conf <
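Review bot: The Sign stage leaves the imported signing key in `${env.WORKSPACE_TMP}/gnupg` (and possibly a gpg-agent that has cached the passphrase) after signing finishes; nothing in this hunk removes it, and the tail of ci/sign.sh is outside this view, so I cannot tell whether the script cleans up after itself. A stage-level `post { always { ... } }` that kills the agent and deletes GNUPGHOME would bound the key's lifetime to the stage regardless of how the script exits, which is the change shown below. Separately, `archiveArtifacts '*.rpm'` runs on every branch while signing is gated on `main`, so non-main builds archive unsigned packages; if that is intended, a one-line comment on the Archive stage saying so would save the next reader a question.
```groovy
        stage('Sign') {
            // … unchanged: when / environment / steps …
            post {
                always {
                    // GNUPGHOME holds the imported secret key; drop it and any agent that may still cache its passphrase.
                    sh 'gpgconf --kill gpg-agent || true; rm -rf "${GNUPGHOME}"'
                }
            }
        }
```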