sign_rpm_ext: make sure all target recipes are signed

Placing the key import logic under signing-keys cannot ensure all target recipes are always signed. Instead, place it before do_package_write_rpm. Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
author: Jia Zhang <lans.zhang2008@gmail.com> 2017-08-24 08:18:01 +0800
committer: Jia Zhang <lans.zhang2008@gmail.com> 2017-08-24 08:18:01 +0800
commit: c2962bba6dcc039775a78248b21e558c824d986d (patch)
tree: d1d62128603089de990fd4ebaa353c27bb6874fc
parent: 6fd5d7be55c341d29f1199434a7386028e38dbd7 (diff)
download: meta-secure-core-c2962bba6dcc039775a78248b21e558c824d986d.tar.gz
2 files changed, 26 insertions, 24 deletions
diff --git a/meta-integrity/classes/sign_rpm_ext.bbclass b/meta-integrity/classes/sign_rpm_ext.bbclass
index 865b606..2a8dedc 100644
--- a/meta-integrity/classes/sign_rpm_ext.bbclass
+++ b/meta-integrity/classes/sign_rpm_ext.bbclass
@@ -10,6 +10,32 @@ RPM_FSK_PASSWORD ?= "password"
 inherit sign_rpm user-key-store
+python check_rpm_public_key () {
+    gpg_path = d.getVar('GPG_PATH', True)
+    gpg_bin = d.getVar('GPG_BIN', True) or \
+              bb.utils.which(os.getenv('PATH'), 'gpg')
+    gpg_keyid = d.getVar('RPM_GPG_NAME', True)
+    # Check RPM_GPG_NAME and RPM_GPG_PASSPHRASE
+    cmd = "%s --homedir %s --list-keys %s" % \
+            (gpg_bin, gpg_path, gpg_keyid)
+    status, output = oe.utils.getstatusoutput(cmd)
+    if not status:
+        return
+    # Import RPM_GPG_NAME if not found
+    gpg_key = uks_rpm_keys_dir(d) + 'RPM-GPG-PRIVKEY-' + gpg_keyid
+    cmd = '%s --batch --homedir %s --passphrase %s --import %s' % \
+            (gpg_bin, gpg_path, d.getVar('RPM_GPG_PASSPHRASE', True), gpg_key)
+    status, output = oe.utils.getstatusoutput(cmd)
+    if status:
+        raise bb.build.FuncFailed('Failed to import gpg key (%s): %s' %
+                                  (gpg_key, output))
+}
+check_rpm_public_key[lockfiles] = "${TMPDIR}/check_rpm_public_key.lock"
+do_package_write_rpm[prefuncs] += "check_rpm_public_key"
+check_rpm_public_key[prefuncs] += "check_deploy_keys"
 python () {
    gpg_path = d.getVar('GPG_PATH', True)
    if not gpg_path:
diff --git a/meta-integrity/recipes-core/meta/signing-keys.bbappend b/meta-integrity/recipes-core/meta/signing-keys.bbappend
deleted file mode 100644
index 058d050..0000000
--- a/meta-integrity/recipes-core/meta/signing-keys.bbappend
+++ /dev/null
@@ -1,24 +0,0 @@
-python check_public_keys () {
-    gpg_path = d.getVar('GPG_PATH', True)
-    gpg_bin = d.getVar('GPG_BIN', True) or \
-              bb.utils.which(os.getenv('PATH'), 'gpg')
-    gpg_keyid = d.getVar('RPM_GPG_NAME', True)
-    # Check RPM_GPG_NAME and RPM_GPG_PASSPHRASE
-    cmd = "%s --homedir %s --list-keys %s" % \
-            (gpg_bin, gpg_path, gpg_keyid)
-    status, output = oe.utils.getstatusoutput(cmd)
-    if not status:
-        return
-    # Import RPM_GPG_NAME if not found
-    gpg_key = uks_rpm_keys_dir(d) + 'RPM-GPG-PRIVKEY-' + gpg_keyid
-    cmd = '%s --batch --homedir %s --passphrase %s --import %s' % \
-            (gpg_bin, gpg_path, d.getVar('RPM_GPG_PASSPHRASE', True), gpg_key)
-    status, output = oe.utils.getstatusoutput(cmd)
-    if status:
-        raise bb.build.FuncFailed('Failed to import gpg key (%s): %s' %
-                                  (gpg_key, output))
-}
-check_public_keys[lockfiles] = "${TMPDIR}/check_public_keys.lock"
-do_get_public_keys[prefuncs] += "check_public_keys"
author	Jia Zhang <lans.zhang2008@gmail.com>	2017-08-24 08:18:01 +0800
committer	Jia Zhang <lans.zhang2008@gmail.com>	2017-08-24 08:18:01 +0800
commit	c2962bba6dcc039775a78248b21e558c824d986d (patch)
tree	d1d62128603089de990fd4ebaa353c27bb6874fc
parent	6fd5d7be55c341d29f1199434a7386028e38dbd7 (diff)
download	meta-secure-core-c2962bba6dcc039775a78248b21e558c824d986d.tar.gz