author | Jia Zhang <lans.zhang2008@gmail.com> | 2017-08-24 08:18:01 +0800 |
---|---|---|
committer | Jia Zhang <lans.zhang2008@gmail.com> | 2017-08-24 08:18:01 +0800 |
commit | c2962bba6dcc039775a78248b21e558c824d986d (patch) | |
tree | d1d62128603089de990fd4ebaa353c27bb6874fc | |
parent | 6fd5d7be55c341d29f1199434a7386028e38dbd7 (diff) | |
download | meta-secure-core-c2962bba6dcc039775a78248b21e558c824d986d.tar.gz |
sign_rpm_ext: make sure all target recipes are signed
Placing the key import logic under signing-keys cannot ensure all
target recipes are always signed. Instead, place it before
do_package_write_rpm.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
-rw-r--r-- | meta-integrity/classes/sign_rpm_ext.bbclass | 26 | ||||
-rw-r--r-- | meta-integrity/recipes-core/meta/signing-keys.bbappend | 24 |
2 files changed, 26 insertions, 24 deletions
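--- a/meta-integrity/classes/sign_rpm_ext.bbclass
+++ b/meta-integrity/classes/sign_rpm_ext.bbclass
@@ -10,6 +10,32 @@ RPM_FSK_PASSWORD ?= "password"
 
 inherit sign_rpm user-key-store
 
+python check_rpm_public_key () {
+    gpg_path = d.getVar('GPG_PATH', True)
+    gpg_bin = d.getVar('GPG_BIN', True) or \
+        bb.utils.which(os.getenv('PATH'), 'gpg')
+    gpg_keyid = d.getVar('RPM_GPG_NAME', True)
+
+    # Check RPM_GPG_NAME and RPM_GPG_PASSPHRASE
+    cmd = "%s --homedir %s --list-keys %s" % \
+        (gpg_bin, gpg_path, gpg_keyid)
+    status, output = oe.utils.getstatusoutput(cmd)
+    if not status:
+        return
+
+    # Import RPM_GPG_NAME if not found
+    gpg_key = uks_rpm_keys_dir(d) + 'RPM-GPG-PRIVKEY-' + gpg_keyid
+    cmd = '%s --batch --homedir %s --passphrase %s --import %s' % \
+        (gpg_bin, gpg_path, d.getVar('RPM_GPG_PASSPHRASE', True), gpg_key)
+    status, output = oe.utils.getstatusoutput(cmd)
+    if status:
+        raise bb.build.FuncFailed('Failed to import gpg key (%s): %s' %
+            (gpg_key, output))
+}
+check_rpm_public_key[lockfiles] = "${TMPDIR}/check_rpm_public_key.lock"
+do_package_write_rpm[prefuncs] += "check_rpm_public_key"
+check_rpm_public_key[prefuncs] += "check_deploy_keys"
+
 python () {
     gpg_path = d.getVar('GPG_PATH', True)
     if not gpg_path: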
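Review bot: The import step at new lines 28–29 of check_rpm_public_key hands RPM_GPG_PASSPHRASE to gpg as a `--passphrase` argument, so the secret is readable in the process argument list (e.g. via ps) and in any command logging for the duration of the call; the `--list-keys` and `--import` commands are also shell strings built by `%` interpolation, so a key id or path containing spaces or shell metacharacters is split or interpreted by the shell. The passphrase should go over stdin with `--passphrase-fd 0` and the command should be an argument list rather than a shell string, which also removes the quoting problem; `subprocess` would need to be imported inside the function if it is not already in scope here. This defect was moved verbatim from the deleted signing-keys.bbappend, so it is not introduced by this commit, but this is the place to fix it. The anonymous `python ()` function at the end of the hunk continues outside it.
```python
    # Import RPM_GPG_NAME if not found. The passphrase is fed on stdin
    # (--passphrase-fd 0) so it never appears in the process argument list,
    # and the command is an argv list so paths/key ids are not shell-parsed.
    gpg_key = uks_rpm_keys_dir(d) + 'RPM-GPG-PRIVKEY-' + gpg_keyid
    cmd = [gpg_bin, '--batch', '--homedir', gpg_path,
           '--passphrase-fd', '0', '--import', gpg_key]
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    passphrase = d.getVar('RPM_GPG_PASSPHRASE', True) or ''
    output, _ = proc.communicate((passphrase + '\n').encode())
    if proc.returncode:
        raise bb.build.FuncFailed('Failed to import gpg key (%s): %s' %
            (gpg_key, output.decode(errors='replace')))
```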
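--- a/meta-integrity/recipes-core/meta/signing-keys.bbappend
+++ /dev/null
@@ -1,24 +0,0 @@
-python check_public_keys () {
-    gpg_path = d.getVar('GPG_PATH', True)
-    gpg_bin = d.getVar('GPG_BIN', True) or \
-        bb.utils.which(os.getenv('PATH'), 'gpg')
-    gpg_keyid = d.getVar('RPM_GPG_NAME', True)
-
-    # Check RPM_GPG_NAME and RPM_GPG_PASSPHRASE
-    cmd = "%s --homedir %s --list-keys %s" % \
-        (gpg_bin, gpg_path, gpg_keyid)
-    status, output = oe.utils.getstatusoutput(cmd)
-    if not status:
-        return
-
-    # Import RPM_GPG_NAME if not found
-    gpg_key = uks_rpm_keys_dir(d) + 'RPM-GPG-PRIVKEY-' + gpg_keyid
-    cmd = '%s --batch --homedir %s --passphrase %s --import %s' % \
-        (gpg_bin, gpg_path, d.getVar('RPM_GPG_PASSPHRASE', True), gpg_key)
-    status, output = oe.utils.getstatusoutput(cmd)
-    if status:
-        raise bb.build.FuncFailed('Failed to import gpg key (%s): %s' %
-            (gpg_key, output))
-}
-check_public_keys[lockfiles] = "${TMPDIR}/check_public_keys.lock"
-do_get_public_keys[prefuncs] += "check_public_keys"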