authorLans Zhang <jia.zhang@windriver.com>2017-07-11 12:43:03 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-07-17 14:01:37 +0100
commit30ba8b6894fc332651eba1f2451eb5aba23a7251 (patch)
treef4d911b60d6b29f17975c1494f8d1754697c58ee
parent946a3dae158ed4709915645ba06dc9bab159be34 (diff)
sign_rpm: support signing files in RPM payload
Currently, RPM4 supports signing the files in the RPM payload via its plugin mechanism. We introduce more definitions to make file signing available to users: - RPM_SIGN_FILES Global switch to enable file signing. - RPM_FSK_PATH The file signing key. - RPM_FSK_PASSWORD The password of the file signing key. - RPM_FILE_CHECKSUM_DIGEST The file checksum digest. (From OE-Core rev: 95b9ee33d5595078e90c633f6155ec9ba3d184f0) Signed-off-by: Lans Zhang <jia.zhang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/sign_rpm.bbclass20
-rw-r--r--meta/lib/oe/gpg_sign.py7
2 files changed, 25 insertions, 2 deletions
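--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -9,6 +9,13 @@
 # Optional variable for specifying the backend to use for signing.
 # Currently the only available option is 'local', i.e. local signing
 # on the build host.
+# RPM_FILE_CHECKSUM_DIGEST
+# Optional variable for specifying the algorithm for generating file
+# checksum digest.
+# RPM_FSK_PATH
+# Optional variable for the file signing key.
+# RPM_FSK_PASSWORD
+# Optional variable for the file signing key password.
 # GPG_BIN
 # Optional variable for specifying the gpg binary/wrapper to use for
 # signing.
@@ -18,7 +25,10 @@
 inherit sanity
 
 RPM_SIGN_PACKAGES='1'
+RPM_SIGN_FILES ?= '0'
 RPM_GPG_BACKEND ?= 'local'
+# SHA-256 is used by default
+RPM_FILE_CHECKSUM_DIGEST ?= '8'
 
 
 python () {
@@ -28,6 +38,11 @@ python () {
     for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE'):
         if not d.getVar(var):
             raise_sanity_error("You need to define %s in the config" % var, d)
+
+    if d.getVar('RPM_SIGN_FILES') == '1':
+        for var in ('RPM_FSK_PATH', 'RPM_FSK_PASSWORD'):
+            if not d.getVar(var):
+                raise_sanity_error("You need to define %s in the config" % var, d)
 }
 
 python sign_rpm () {
@@ -39,7 +54,10 @@ python sign_rpm () {
 
     signer.sign_rpms(rpms,
                      d.getVar('RPM_GPG_NAME'),
-                     d.getVar('RPM_GPG_PASSPHRASE'))
+                     d.getVar('RPM_GPG_PASSPHRASE'),
+                     d.getVar('RPM_FILE_CHECKSUM_DIGEST'),
+                     d.getVar('RPM_FSK_PATH'),
+                     d.getVar('RPM_FSK_PASSWORD'))
 }
 
 do_package_index[depends] += "signing-keys:do_deploy"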
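Review bot: RPM_SIGN_FILES is only consulted by the sanity check in the `python ()` hunk; the `sign_rpm` hunk passes `RPM_FSK_PATH` and `RPM_FSK_PASSWORD` to `signer.sign_rpms()` unconditionally, so a key path that happens to be set in the configuration enables payload signing even with `RPM_SIGN_FILES = '0'` (the companion gpg_sign.py change keys `--signfiles` on the presence of the path, not on the switch). Gate the arguments on the switch, e.g. `sign_files = d.getVar('RPM_SIGN_FILES') == '1'` before the call and `d.getVar('RPM_FSK_PATH') if sign_files else None, d.getVar('RPM_FSK_PASSWORD') if sign_files else None` as the last two arguments. RPM_SIGN_FILES itself is missing from the header comment that documents the other three new variables; add `# RPM_SIGN_FILES` / `# Optional variable to enable signing of the files in the RPM payload ('1' enables, default '0').` next to them, and say on `RPM_FILE_CHECKSUM_DIGEST` that the value is RPM's numeric digest algorithm id (the default '8' is commented as SHA-256). The body of sign_rpm starts outside the hunk.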
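--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -27,7 +27,7 @@ class LocalSigner(object):
             raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' %
                                      (keyid, output))
 
-    def sign_rpms(self, files, keyid, passphrase):
+    def sign_rpms(self, files, keyid, passphrase, digest, fsk=None, fsk_password=None):
         """Sign RPM files"""
 
         cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid
@@ -35,10 +35,15 @@ class LocalSigner(object):
         if self.gpg_version > (2,1,):
             gpg_args += ' --pinentry-mode=loopback'
         cmd += "--define '_gpg_sign_cmd_extra_args %s' " % gpg_args
+        cmd += "--define '_binary_filedigest_algorithm %s' " % digest
         if self.gpg_bin:
             cmd += "--define '__gpg %s' " % self.gpg_bin
         if self.gpg_path:
             cmd += "--define '_gpg_path %s' " % self.gpg_path
+        if fsk:
+            cmd += "--signfiles --fskpath %s " % fsk
+        if fsk_password:
+            cmd += "--define '_file_signing_key_password %s' " % fsk_password
 
         # Sign in chunks of 100 packages
         for i in range(0, len(files), 100):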
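Review bot: In the second hunk the file-signing key password is interpolated verbatim into the shell command string (`--define '_file_signing_key_password %s'`), the same way the existing gpg passphrase is, so assuming `cmd` is run through a shell as the chunked loop suggests, the secret is visible in the process list and in any output that echoes the command line, and a password containing a single quote, whitespace or another shell metacharacter breaks the quoting or alters the command. The same applies to `--fskpath %s` for a key path containing spaces. At minimum quote both with `shlex.quote()`: `cmd += "--signfiles --fskpath %s " % shlex.quote(fsk)` and `cmd += "--define %s " % shlex.quote('_file_signing_key_password %s' % fsk_password)` (with `import shlex` at the top of the module); keeping the secret off the command line entirely would presumably require rpm to read it from a macro file or the environment, which is beyond this change. Note also that `digest` is now a required positional parameter, so any other caller of `sign_rpms` that still passes three arguments will fail, and that `--signfiles` is emitted whenever `fsk` is truthy regardless of any caller-side switch. The signing loop's body continues past the end of the hunk.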