fix(ci): Fix RPM signing loops and ensure failures are caught

Replace while-read loops with for loops to avoid subshell variable scoping
issues. Export GPG_TTY=/dev/null to suppress terminal warnings. Provide
empty passphrase via stdin for batch signing without interaction.

Both signing and verification now properly track failures and exit with
non-zero status if any RPMs fail to sign or verify, preventing misleading
successful pipeline runs.

.forgejo/workflows/build-fedora.yml

@@ -187,42 +187,70 @@ jobs:
             exit 0
           fi
 
-          # Sign all binary RPMs
-          find "$HOME/rpmbuild/RPMS" -name "*.rpm" -type f | while read rpm; do
+          # Track signing failures
+          FAILED_COUNT=0
+          TOTAL_COUNT=0
+
+          # Export GPG_TTY to avoid terminal warnings
+          export GPG_TTY=/dev/null
+
+          # Sign all RPMs (binary and source)
+          for rpm in $(find "$HOME/rpmbuild" -name "*.rpm" -type f); do
             echo "Signing: $(basename $rpm)"
-            rpmsign --addsign "$rpm" || echo "Warning: Failed to sign $rpm"
+            TOTAL_COUNT=$((TOTAL_COUNT + 1))
+
+            # Use expect or provide empty passphrase via stdin for batch signing
+            if ! echo "" | rpmsign --addsign "$rpm" 2>&1; then
+              echo "ERROR: Failed to sign $rpm"
+              FAILED_COUNT=$((FAILED_COUNT + 1))
+            fi
           done
 
-          # Sign the SRPM
-          find "$HOME/rpmbuild/SRPMS" -name "*.src.rpm" -type f | while read srpm; do
-            echo "Signing: $(basename $srpm)"
-            rpmsign --addsign "$srpm" || echo "Warning: Failed to sign $srpm"
-          done
+          # Fail if any RPMs failed to sign
+          if [ "$FAILED_COUNT" -gt 0 ]; then
+            echo "ERROR: Failed to sign $FAILED_COUNT out of $TOTAL_COUNT RPMs"
+            exit 1
+          fi
+
+          echo "Successfully signed all $TOTAL_COUNT RPMs"
 
       - name: Verify RPM signatures
         run: |
-          # Skip if no signing key is configured or no RPMs were signed
+          # Skip if no signing key is configured
           if [ -z "${{ secrets.RPM_SIGNING_KEY }}" ]; then
             echo "No RPM signing key configured - skipping signature verification"
             exit 0
           fi
 
-          # Check if rpmsign was successful (at least one signed RPM exists)
-          SIGNED_COUNT=$(find "$HOME/rpmbuild" -name "*.rpm" -type f -exec rpm -K {} \; 2>/dev/null | grep -c "signatures OK" || true)
-          if [ "$SIGNED_COUNT" -eq 0 ]; then
-            echo "No successfully signed RPMs found - skipping signature verification"
-            exit 0
-          fi
-
           # Import our public key for verification
+          echo "Importing GPG public key for verification..."
           curl -s https://forgejo.ellis.link/continuwuation/continuwuity/raw/branch/main/fedora/RPM-GPG-KEY-continuwuity.asc | rpm --import
 
+          # Track verification failures
+          FAILED_COUNT=0
+          TOTAL_COUNT=0
+
           # Verify all RPMs
-          find "$HOME/rpmbuild" -name "*.rpm" -type f | while read rpm; do
+          for rpm in $(find "$HOME/rpmbuild" -name "*.rpm" -type f); do
             echo -n "Verifying $(basename $rpm): "
-            rpm --checksig "$rpm"
+            TOTAL_COUNT=$((TOTAL_COUNT + 1))
+
+            if rpm --checksig "$rpm"; then
+              echo " ✓"
+            else
+              echo " ✗ FAILED"
+              FAILED_COUNT=$((FAILED_COUNT + 1))
+            fi
           done
 
+          # Fail if any RPMs failed verification
+          if [ "$FAILED_COUNT" -gt 0 ]; then
+            echo "ERROR: $FAILED_COUNT out of $TOTAL_COUNT RPMs failed signature verification"
+            exit 1
+          fi
+
+          echo "Successfully verified all $TOTAL_COUNT RPM signatures"
+
       - name: Test RPM installation
         run: |
           # Find the main binary RPM (exclude debug and source RPMs)