diff --git a/SOURCES/rpm-4.14.3-GPG-Switch-back-to-pipe-7-for-signing.patch b/SOURCES/rpm-4.14.3-GPG-Switch-back-to-pipe-7-for-signing.patch
new file mode 100644
index 0000000..8e4e835
--- /dev/null
+++ b/SOURCES/rpm-4.14.3-GPG-Switch-back-to-pipe-7-for-signing.patch
@@ -0,0 +1,186 @@
+diff -up rpm-4.14.3/sign/rpmgensig.c.orig rpm-4.14.3/sign/rpmgensig.c
+--- rpm-4.14.3/sign/rpmgensig.c.orig 2020-06-26 15:57:43.781333983 +0200
++++ rpm-4.14.3/sign/rpmgensig.c 2020-06-26 15:58:29.819229616 +0200
+@@ -8,7 +8,6 @@
+ #include <errno.h>
+ #include <sys/wait.h>
+ #include <popt.h>
+-#include <libgen.h>
+
+ #include <rpm/rpmlib.h> /* RPMSIGTAG & related */
+ #include <rpm/rpmmacro.h>
+@@ -33,68 +32,6 @@ typedef struct sigTarget_s {
+ rpm_loff_t size;
+ } *sigTarget;
+
+-/*
+- * There is no function for creating unique temporary fifos so create
+- * unique temporary directory and then create fifo in it.
+- */
+-static char *mkTempFifo(void)
+-{
+- char *tmppath = NULL, *tmpdir = NULL, *fifofn = NULL;
+- mode_t mode;
+-
+- tmppath = rpmExpand("%{_tmppath}", NULL);
+- if (rpmioMkpath(tmppath, 0755, (uid_t) -1, (gid_t) -1))
+- goto exit;
+-
+-
+- tmpdir = rpmGetPath(tmppath, "/rpm-tmp.XXXXXX", NULL);
+- mode = umask(0077);
+- tmpdir = mkdtemp(tmpdir);
+- umask(mode);
+- if (tmpdir == NULL) {
+- rpmlog(RPMLOG_ERR, _("error creating temp directory %s: %m\n"),
+- tmpdir);
+- tmpdir = _free(tmpdir);
+- goto exit;
+- }
+-
+- fifofn = rpmGetPath(tmpdir, "/fifo", NULL);
+- if (mkfifo(fifofn, 0600) == -1) {
+- rpmlog(RPMLOG_ERR, _("error creating fifo %s: %m\n"), fifofn);
+- fifofn = _free(fifofn);
+- }
+-
+-exit:
+- if (fifofn == NULL && tmpdir != NULL)
+- unlink(tmpdir);
+-
+- free(tmppath);
+- free(tmpdir);
+-
+- return fifofn;
+-}
+-
+-/* Delete fifo and then temporary directory in which it was located */
+-static int rpmRmTempFifo(const char *fn)
+-{
+- int rc = 0;
+- char *dfn = NULL, *dir = NULL;
+-
+- if ((rc = unlink(fn)) != 0) {
+- rpmlog(RPMLOG_ERR, _("error delete fifo %s: %m\n"), fn);
+- return rc;
+- }
+-
+- dfn = xstrdup(fn);
+- dir = dirname(dfn);
+-
+- if ((rc = rmdir(dir)) != 0)
+- rpmlog(RPMLOG_ERR, _("error delete directory %s: %m\n"), dir);
+- free(dfn);
+-
+- return rc;
+-}
+-
+ static int closeFile(FD_t *fdp)
+ {
+ if (fdp == NULL || *fdp == NULL)
+@@ -241,27 +178,38 @@ exit:
+ static int runGPG(sigTarget sigt, const char *sigfile)
+ {
+ int pid = 0, status;
+- FD_t fnamedPipe = NULL;
+- char *namedPipeName = NULL;
++ int pipefd[2];
++ FILE *fpipe = NULL;
+ unsigned char buf[BUFSIZ];
+ ssize_t count;
+ ssize_t wantCount;
+ rpm_loff_t size;
+ int rc = 1; /* assume failure */
+
+- namedPipeName = mkTempFifo();
++ if (pipe(pipefd) < 0) {
++ rpmlog(RPMLOG_ERR, _("Could not create pipe for signing: %m\n"));
++ goto exit;
++ }
+
+- rpmPushMacro(NULL, "__plaintext_filename", NULL, namedPipeName, -1);
++ rpmPushMacro(NULL, "__plaintext_filename", NULL, "-", -1);
+ rpmPushMacro(NULL, "__signature_filename", NULL, sigfile, -1);
+
+ if (!(pid = fork())) {
+ char *const *av;
+ char *cmd = NULL;
+- const char *gpg_path = rpmExpand("%{?_gpg_path}", NULL);
++ const char *tty = ttyname(STDIN_FILENO);
++ const char *gpg_path = NULL;
++
++ if (!getenv("GPG_TTY") && (!tty || setenv("GPG_TTY", tty, 0)))
++ rpmlog(RPMLOG_WARNING, _("Could not set GPG_TTY to stdin: %m\n"));
+
++ gpg_path = rpmExpand("%{?_gpg_path}", NULL);
+ if (gpg_path && *gpg_path != '\0')
+ (void) setenv("GNUPGHOME", gpg_path, 1);
+
++ dup2(pipefd[0], STDIN_FILENO);
++ close(pipefd[1]);
++
+ unsetenv("MALLOC_CHECK_");
+ cmd = rpmExpand("%{?__gpg_sign_cmd}", NULL);
+ rc = poptParseArgvString(cmd, NULL, (const char ***)&av);
+@@ -276,9 +224,10 @@ static int runGPG(sigTarget sigt, const
+ rpmPopMacro(NULL, "__plaintext_filename");
+ rpmPopMacro(NULL, "__signature_filename");
+
+- fnamedPipe = Fopen(namedPipeName, "w");
+- if (!fnamedPipe) {
+- rpmlog(RPMLOG_ERR, _("Fopen failed\n"));
++ close(pipefd[0]);
++ fpipe = fdopen(pipefd[1], "w");
++ if (!fpipe) {
++ rpmlog(RPMLOG_ERR, _("Could not open pipe for writing: %m\n"));
+ goto exit;
+ }
+
+@@ -291,8 +240,8 @@ static int runGPG(sigTarget sigt, const
+ size = sigt->size;
+ wantCount = size < sizeof(buf) ? size : sizeof(buf);
+ while ((count = Fread(buf, sizeof(buf[0]), wantCount, sigt->fd)) > 0) {
+- Fwrite(buf, sizeof(buf[0]), count, fnamedPipe);
+- if (Ferror(fnamedPipe)) {
++ fwrite(buf, sizeof(buf[0]), count, fpipe);
++ if (ferror(fpipe)) {
+ rpmlog(RPMLOG_ERR, _("Could not write to pipe\n"));
+ goto exit;
+ }
+@@ -304,8 +253,13 @@ static int runGPG(sigTarget sigt, const
+ sigt->fileName, Fstrerror(sigt->fd));
+ goto exit;
+ }
+- Fclose(fnamedPipe);
+- fnamedPipe = NULL;
++
++exit:
++
++ if (fpipe)
++ fclose(fpipe);
++ if (pipefd[1])
++ close(pipefd[1]);
+
+ (void) waitpid(pid, &status, 0);
+ pid = 0;
+@@ -314,20 +268,6 @@ static int runGPG(sigTarget sigt, const
+ } else {
+ rc = 0;
+ }
+-
+-exit:
+-
+- if (fnamedPipe)
+- Fclose(fnamedPipe);
+-
+- if (pid)
+- waitpid(pid, &status, 0);
+-
+- if (namedPipeName) {
+- rpmRmTempFifo(namedPipeName);
+- free(namedPipeName);
+- }
+-
+ return rc;
+ }
+
diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec
index 3677afc..1cef8f9 100644
--- a/SPECS/rpm.spec
+++ b/SPECS/rpm.spec
@@ -30,7 +30,7 @@
%global rpmver 4.14.3
#global snapver rc2
-%global rel 3
+%global rel 4
%global srcver %{version}%{?snapver:-%{snapver}}
%global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
@@ -91,6 +91,7 @@ Patch139: 0001-Make-check-buildroot-check-the-build-files-in-parall.patch
Patch140: 0001-Fix-resource-leaks-on-zstd-open-error-paths.patch
# XXX should be before 0001-Pass-RPM_BUILD_NCPUS-to-build-scripts.patch
Patch141: 0001-Isolate-_smp_build_ncpus-and-use-it-for-_smp_mflags.patch
+Patch142: rpm-4.14.3-GPG-Switch-back-to-pipe-7-for-signing.patch
# Python 3 string API sanity
Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch
@@ -652,6 +653,9 @@ make check || cat tests/rpmtests.log
%doc doc/librpm/html/*
%changelog
+* Fri Jun 26 2020 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-4
+- Fix hang when signing with expired key (#1746353)
+
* Wed May 13 2020 Panu Matilainen <pmatilai@redhat.com> - 4.14.3-3
- Fix configure option for --with ndb (#1817010, Matthew Almond)