From d7866ad74d460bfd106720ed4b5b87bc08ab12e6 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 28 Oct 2016 13:51:30 -0400
Subject: Make use of gpg more flexible

This set of commands should work with modern versions of gpg (2.1.x)
as well, and should be independent of potentially variable output.

Additionally, we want the key to be signing-capable, but nothing else.

We also have no need to generate an encryption-capable subkey, so just
drop that part.

Signed-off-by: Holger Levsen <holger@layer-acht.org>
---
 bin/reproducible_build.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'bin/reproducible_build.sh')

diff --git a/bin/reproducible_build.sh b/bin/reproducible_build.sh
index dda7bbad..d4d2e584 100755
--- a/bin/reproducible_build.sh
+++ b/bin/reproducible_build.sh
@@ -775,19 +775,19 @@ check_buildinfo() {
 
 sign_buildinfo() {
 	# Greate GPG key if it does not already exist
-	if ! gpg --list-secret-keys | grep -qs '^sec' >/dev/null 2>&1
+	if ! gpg --with-colons --fixed-list-mode --list-secret-keys | cut -d: -f1 | grep -qsFx 'sec' >/dev/null 2>&1
 	then
 		log_info "Generating GPG key"
 
-		gpg --batch --gen-key <<EOF
+		gpg --no-tty --batch --gen-key <<EOF
 Key-Type: RSA
 Key-Length: 4096
-Subkey-Type: ELG-E
-Subkey-Length: 1024
+Key-Usage: sign
 Name-Real: $(hostname -f)
-Name-Comment: Automatically generated key
+Name-Comment: Automatically generated key for signing .buildinfo files
 Expire-Date: 0
 %no-ask-passphrase
+%no-protection
 %commit
 EOF
 	fi
-- 
cgit v1.2.3-54-g00ecf