Bug 735481

Summary: rpmbuild --sign has wrong exit code when pass phrase wrong
Product: [Fedora] Fedora Reporter: John Florian <john>
Component: rpmAssignee: Panu Matilainen <pmatilai>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: ffesti, jnovy, pmatilai
Target Milestone: ---Keywords: Upstream
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-31 13:15:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description John Florian 2011-09-02 18:49:17 UTC 
Description of problem:
Running "rpmbuild ... --sign" is no longer returning a non-zero exit code if the entered pass phrase is wrong.

Version-Release number of selected component (if applicable):
rpm-build-4.9.1.1-1.fc15.x86_64

How reproducible:
always

Steps to Reproduce:
1. Grab and install any SRPM.
2. Attempt to build it normally, be sure to include the '--sign' option.
3. Enter an incorrect pass phrase.
  
Actual results:
rpm-build aborts (as it should) complaining about the wrong pass phrase, but the exit code is 0, incorrectly indicating success.

Expected results:
If the pass phrase is bad, the exit code should not be zero.

Additional info:
This bug was filed under the rpm package instead of rpm-build as would be correct because BZ didn't offer rpm-build as a component.

rpm-build-4.8.1-5.fc14.x86_64 works as expected.  Regression must have occurred since then.
Comment 1 Panu Matilainen 2011-09-05 05:51:00 UTC 
Yup... --sign with rpmbuild is deprecated in rpm >= 4.9.0 and implemented with a --pipe hack instead of being built-in as it used to be for minimal backwards compatibility. You're better off using rpmsign directly on the produced packages.

That said, upstream now reflects --pipe command failures in the main exit code(s), taking care of a whole class of similar potential issues, including this particular case. Thanks for the report.
Comment 2 John Florian 2011-09-06 12:07:20 UTC 
Panu,

Thanks for the feedback and doing what you can.  I was aware of rpmsign, but not aware that --sign was deprecated.  I've preferred to stick with --sign as it only requires me to enter my key's passphrase once and both RPM and SRPM get signed whereas rpmsign would have me enter the passphrase once per package.
Comment 3 Panu Matilainen 2011-09-06 12:24:09 UTC 
Oh, you can any number of rpms to rpmsign at once (that's what rpmbuild --sign does behind the scenes now). But of course it does require *some* extra work to figure a suitable glob or such.
Comment 4 John Florian 2012-01-31 13:15:17 UTC 
rpmsign is working much better for me now that I have it integrated into my build scripts appropriately.  I also get the bonus of not having to enter the passphrase for failed builds this way.  Better all around.  I see no reason to keep this report open.