From 7a13ad211623eb75cbeab4451cb54c75baa753bb Mon Sep 17 00:00:00 2001
From: Dan Mick
Date: Fri, 7 Apr 2023 03:20:50 -0700
Subject: [PATCH] scripts/sign-rpms: signing repomd.xml has to come after all updates

We had been signing, and then running createrepo, which changed repomd and thus invalidated the signature.

Signed-off-by: Dan Mick
---
 scripts/sign-rpms | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/scripts/sign-rpms b/scripts/sign-rpms
index 3296a82c..d8a782b5 100644
--- a/scripts/sign-rpms
+++ b/scripts/sign-rpms
@@ -70,15 +70,7 @@ for release in "${releases[@]}"; do
 fi
 done

- # now sign the repomd.xml files
- if [[ $update_repo -eq 1 ]]; then
- for repomd in `find -name repomd.xml`; do
- echo "signing repomd: $repomd"
- gpg --batch --yes --passphrase "$GPG_PASSPHRASE" --detach-sign --armor -u $keyid $repomd
- done
- fi
-
- # finally, update the repo metadata
+ # now, update the repo metadata
 if [[ $update_repo -eq 1 ]]; then
 for directory in $(ls $path/$distro/$distro_version); do
 cd $directory
@@ -96,6 +88,14 @@ for release in "${releases[@]}"; do
 done
 fi

+ # finally, sign the repomd.xml files
+ if [[ $update_repo -eq 1 ]]; then
+ for repomd in `find -name repomd.xml`; do
+ echo "signing repomd: $repomd"
+ gpg --batch --yes --passphrase "$GPG_PASSPHRASE" --detach-sign --armor -u $keyid $repomd
+ done
+ fi
+
 fi
 done
 done
-- 
2.47.3
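Review bot: The re-added signing loop still passes the key passphrase on gpg's command line (`--passphrase "$GPG_PASSPHRASE"`), where other local users can read it from the process list while each signature runs. Feeding it on a descriptor keeps it out of argv: `gpg --batch --yes --passphrase-fd 0 --detach-sign --armor -u "$keyid" "$repomd" <<<"$GPG_PASSPHRASE"` (GnuPG 2.1+ may also need `--pinentry-mode loopback`, depending on how the agent is configured on the signing host). The loop also word-splits the backtick `find` output and never checks gpg's exit status, so a failed signature would leave the previous, now-stale `repomd.xml.asc` beside freshly regenerated metadata unless `set -e` is enabled outside this hunk; appending `|| exit 1` to the gpg call would make the failure explicit. `find -name repomd.xml` searches from whatever the working directory is after the `cd $directory` loop above it, and whether that loop restores the directory is not visible in the hunk.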