From: Dan Mick Date: Fri, 7 Apr 2023 10:20:50 +0000 (-0700) Subject: scripts/sign-rpms: signing repomd.xml has to come after all updates X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F2125%2Fhead;p=ceph-build.git scripts/sign-rpms: signing repomd.xml has to come after all updates We had been signing, and then running createrepo, which changed repomd and thus invalidated the signature. Signed-off-by: Dan Mick --- diff --git a/scripts/sign-rpms b/scripts/sign-rpms index 3296a82c..d8a782b5 100644 --- a/scripts/sign-rpms +++ b/scripts/sign-rpms @@ -70,15 +70,7 @@ for release in "${releases[@]}"; do fi done - # now sign the repomd.xml files - if [[ $update_repo -eq 1 ]]; then - for repomd in `find -name repomd.xml`; do - echo "signing repomd: $repomd" - gpg --batch --yes --passphrase "$GPG_PASSPHRASE" --detach-sign --armor -u $keyid $repomd - done - fi - - # finally, update the repo metadata + # now, update the repo metadata if [[ $update_repo -eq 1 ]]; then for directory in $(ls $path/$distro/$distro_version); do cd $directory @@ -96,6 +88,14 @@ for release in "${releases[@]}"; do done fi + # finally, sign the repomd.xml files + if [[ $update_repo -eq 1 ]]; then + for repomd in `find -name repomd.xml`; do + echo "signing repomd: $repomd" + gpg --batch --yes --passphrase "$GPG_PASSPHRASE" --detach-sign --armor -u $keyid $repomd + done + fi + fi done done
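Review bot: In the first hunk (@@ -70,15 +70,7), the reworded comment `# now, update the repo metadata` does not record the ordering constraint this commit exists to enforce. The commit message says createrepo changes repomd.xml and invalidates the signature, so the comment should say that this step rewrites repomd.xml and that signing must therefore come after it. Otherwise a later reorder of the two `if [[ $update_repo -eq 1 ]]` blocks can silently reintroduce stale signatures.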
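Review bot: In the second hunk (@@ -96,6 +88,14), `find -name repomd.xml` has no starting path, so it searches from the current directory, and the signing block now runs after the loop that does `cd $directory`. Whether that loop returns to its starting directory is not visible in this diff; if it does not, find walks the wrong tree and some repomd.xml files keep a detached signature that no longer matches. Passing an explicit root directory to find removes the dependency on where the loop leaves the shell. Two smaller points on the gpg line: `--passphrase "$GPG_PASSPHRASE"` places the passphrase in the process arguments, where it is readable from the process list while gpg runs, and `--passphrase-fd` or `--passphrase-file` avoids that; `$keyid` and `$repomd` are unquoted, and nothing in the loop checks gpg's exit status, so a failed signing leaves the old .asc in place without stopping the run.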