1

I have to create 3 RPMs like this:

  1. key.rpm: Does an rpm import of the RPM GPG public key (/etc/sw-key/gpg.key) in its post-install script.
  2. software1.rpm: Requires key.rpm and is signed by /etc/sw-key/gpg.key's private key.
  3. software2.rpm: Requires key.rpm and is signed by /etc/sw-key/gpg.key's private key.

The intention behind the above is that I want to install all 3 RPMs at once using DNF with gpgcheck enabled. The dependency created above would allow key.rpm to get installed first, followed by the installation of the remaining 2 RPMs. But the installation of key.rpm itself fails because I am doing an "rpm --import" in its post-install script. The rpm import is failing to acquire a transaction lock. I understand that the post-install script is called within the context of the main RPM command and hence the rpm import is failing while acquiring the lock.

Is there any other way to achieve what I am trying to do above? I want to install all the signed RPMs in a single DNF command, with one among those RPMs carrying and installing the RPM GPG key needed by others.

Santhosh N

2 Answers

1

The proper solution is just distributing your RPM packages properly, by creating an RPM repository.

That would make your RPM installable in 2 commands (as opposed to one), but you open a lot of possibilities for distributing further updates to your users.

key.rpm that you have now should be turned into a release package. It should hold /etc/yum.repos.d/foo.repo repository configuration file, with all the directives pointing to your repository on the web, as well as path to GPG key locally (if it also installs it) or URL to it. It should be signed by your GPG key.

software1.rpm and software2.rpm will be just signed by the same GPG key and do not need to depend on key.rpm at all.

How it works for end-user:

sudo dnf install https://example.com/your-release.rpm

Then:

sudo dnf install software1 software2

The user is prompted for trusting the GPG key which is installed/downloaded during package installation. Simple and straightforward.

Danila Vershinin
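
The release package described in the answer above, sketched as an RPM spec file. This is an added example, not the answerer's own packaging: the package name `your-release` is taken from the URL in the answer, the key path from the question, and the `baseurl` layout, license and source file names are assumptions.

```spec
# your-release.spec -- constructed example; URLs, license and file names are placeholders
Name:           your-release
Version:        1
Release:        1%{?dist}
Summary:        Repository configuration and package signing key
License:        MIT
URL:            https://example.com/
BuildArch:      noarch
# Source0 is the ASCII-armored PUBLIC key only; the private key never ships
Source0:        gpg.key
Source1:        foo.repo

%description
Ships the repository definition and the public key that signs its packages.
There is deliberately no %%post scriptlet calling rpm --import: dnf reads the
key named by gpgkey= and offers to import it the first time it has to verify
a package from this repository, outside of any running RPM transaction.

%prep
# nothing to unpack; both sources are plain files

%install
install -D -p -m 0644 %{SOURCE0} %{buildroot}%{_sysconfdir}/sw-key/gpg.key
install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/yum.repos.d/foo.repo

%files
%{_sysconfdir}/sw-key/gpg.key
%config(noreplace) %{_sysconfdir}/yum.repos.d/foo.repo

# --- contents of foo.repo (Source1), shown here as comments ---
# [foo]
# name=foo packages
# baseurl=https://example.com/rpm/$releasever/$basearch/
# enabled=1
# gpgcheck=1
# gpgkey=file:///etc/sw-key/gpg.key
```

Build it with `rpmbuild -bb your-release.spec` with both source files in the SOURCES directory; `gpgcheck=1` in the shipped repo file keeps signature checking on for software1 and software2.
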
-1

Three points:

1) RPM is not re-entrant. You shall not call rpm from rpm. Otherwise you may break db and system.

2) It is not possible. Nowadays, the standard is to provide Ansible playbook or role to. See below for example.

3) RPM is not re-entrant. You shall not call rpm from rpm. Otherwise you may break db and system. Now with exclamations!!!

Ansible snippet to do this:

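# Run these tasks from a playbook on the target system, not from an RPM scriptlet.

# Install key.rpm from a local file.
- name: install the gpg key
  yum:
    name: /usr/local/src/key.rpm
    state: present

# Import the public key into the RPM keyring as a separate step.
- name: import the gpg key
  rpm_key:
    state: present
    key: /path/to/key1.gpg.key

# Install the two signed packages from local files.
- name: install sw1 and sw2
  yum:
    name:
      - /usr/local/src/software1.rpm
      - /usr/local/src/software2.rpm
    state: present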
msuchy
  • Even with the first yum call above, the key.rpm would not get installed because of the locking reasons. Looks like, there isn't a way to achieve what I need. The rpm gpg key must be imported separately. – Santhosh N Dec 04 '19 at 12:31
  • I did not mean to call this Ansible snippet from rpm. You must call it from plain system. – msuchy Dec 06 '19 at 08:20
  • Ansible is a standard for everybody? Are you sure? In your answer Ansible doesn't solve the problem. Separately, there are simpler ways to import keys. – zdm Sep 11 '21 at 13:11