735481 – rpmbuild --sign has wrong exit code when pass phrase wrong

Bug 735481 - rpmbuild --sign has wrong exit code when pass phrase wrong

Summary: rpmbuild --sign has wrong exit code when pass phrase wrong

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	rpm
Sub Component:
Version:	15
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Panu Matilainen
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-09-02 18:49 UTC by John Florian
Modified:	2012-01-31 13:15 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-01-31 13:15:17 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description John Florian 2011-09-02 18:49:17 UTC

Description of problem:
Running "rpmbuild ... --sign" is no longer returning a non-zero exit code if the entered pass phrase is wrong.

Version-Release number of selected component (if applicable):
rpm-build-4.9.1.1-1.fc15.x86_64

How reproducible:
always

Steps to Reproduce:
1. Grab and install any SRPM.
2. Attempt to build it normally, be sure to include the '--sign' option.
3. Enter an incorrect pass phrase.
  
Actual results:
rpm-build aborts (as it should) complaining about the wrong pass phrase, but the exit code is 0, incorrectly indicating success.

Expected results:
If the pass phrase is bad, the exit code should not be zero.

Additional info:
This bug was filed under the rpm package instead of rpm-build as would be correct because BZ didn't offer rpm-build as a component.

rpm-build-4.8.1-5.fc14.x86_64 works as expected.  Regression must have occurred since then.

Comment 1 Panu Matilainen 2011-09-05 05:51:00 UTC

Yup... --sign with rpmbuild is deprecated in rpm >= 4.9.0 and implemented with a --pipe hack instead of being built-in as it used to be for minimal backwards compatibility. You're better off using rpmsign directly on the produced packages.

That said, upstream now reflects --pipe command failures in the main exit code(s), taking care of a whole class of similar potential issues, including this particular case. Thanks for the report.

Comment 2 John Florian 2011-09-06 12:07:20 UTC

Panu,

Thanks for the feedback and doing what you can.  I was aware of rpmsign, but not aware that --sign was deprecated.  I've preferred to stick with --sign as it only requires me to enter my key's passphrase once and both RPM and SRPM get signed whereas rpmsign would have me enter the passphrase once per package.

Comment 3 Panu Matilainen 2011-09-06 12:24:09 UTC

Oh, you can any number of rpms to rpmsign at once (that's what rpmbuild --sign does behind the scenes now). But of course it does require *some* extra work to figure a suitable glob or such.

Comment 4 John Florian 2012-01-31 13:15:17 UTC

rpmsign is working much better for me now that I have it integrated into my build scripts appropriately.  I also get the bonus of not having to enter the passphrase for failed builds this way.  Better all around.  I see no reason to keep this report open.

Note You need to log in before you can comment on or make changes to this bug.