Sign the RPM package before moving it (#850)

Because the hack/rpm/build_package.sh script can get called more than once to build first a `tanzu-cli` package and then a `tanzu-cli-centos9` package, we ended up on the second call with a `${PKG_DIR}/` directory containing multiple packages. Then, when signing everything in that directory using a `*`, we ended up only signing the first package that was passed as an argument to the signer. This caused the `tanzu-cli-centos9` package not to get signed because it comes alphabetically after `tanzu-cli` when the `*` is expanded. To solve this and still benefit from using the `*` which allows to avoid explicitly dealing with the `-unstable` and/or `-centos` suffixes we sign the package before we move it to the common `${PKG_DIR}/` directory. Signed-off-by: Marc Khouzam <marc.khouzam@broadcom.com>
vmware-tanzu · Jan 29, 2025 · b4a8578 · b4a8578
1 parent 63a1eb4
commit b4a8578
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/hack/rpm/build_package.sh b/hack/rpm/build_package.sh
@@ -98,11 +98,15 @@ for arch in x86_64 aarch64; do
             --define "cli_version v${VERSION}" \
             -bb ${BASE_DIR}/tanzu-cli.spec \
             --target ${arch}
-   mv ${HOME}/rpmbuild/RPMS/${arch}/* ${PKG_DIR}/
 
+   # Sign the package before moving it to the common output directory
    if [[ ! -z "${RPM_SIGNER}" ]]; then
-     ${RPM_SIGNER} ${PKG_DIR}/tanzu-cli*${arch}.rpm
+     ${RPM_SIGNER} ${HOME}/rpmbuild/RPMS/${arch}/tanzu-cli*${arch}.rpm
    else
      echo skip rpmsigning packages for ${arch}
    fi
+
+   # Move the signed package to the output directory where the other packages
+   # also reside, so that we can build the repository at the very end 
+   mv ${HOME}/rpmbuild/RPMS/${arch}/* ${PKG_DIR}/
 done