package signing: automatically export public keys

Automatically export public key(s) of the signing key(s) from the gpg keyring. Adds a new simple recipe that does the actual task of exporting the keys. This patch makes the RPM_GPG_PUBKEY and PACKAGE_FEED_GPG PUBKEY settings obsolete. (From OE-Core rev: 23b30c34581948e1ea02c25cbf7b9194d7e49fb8) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Markus Lehtonen <markus.lehtonen@linux.intel.com> 2015-10-16 13:37:32 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-10-27 07:24:25 +0000
commit: 787253fd4efcd18d46b3bcf794e3d54a93ef9f19 (patch)
tree: 6df91b6462ed8abd0eef94ad0f6f896eecc6e695
parent: 579e2547b857e2973c5fff3b14066ea4d79b1268 (diff)
download: poky-787253fd4efcd18d46b3bcf794e3d54a93ef9f19.tar.gz
4 files changed, 59 insertions, 3 deletions
diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass
index 8877d905f7..4263810028 100644
--- a/meta/classes/sign_package_feed.bbclass
+++ b/meta/classes/sign_package_feed.bbclass
@@ -21,4 +21,11 @@ python () {
    for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'):
        if not d.getVar(var, True):
            raise_sanity_error("You need to define %s in the config" % var, d)
+    # Set expected location of the public key
+    d.setVar('PACKAGE_FEED_GPG_PUBKEY',
+             os.path.join(d.getVar('STAGING_ETCDIR_NATIVE'),
+                                   'PACKAGE-FEED-GPG-PUBKEY'))
 }
+do_package_index[depends] += "signing-keys:do_export_public_keys"
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
index 4da17633a7..f0c3dc9be3 100644
--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -5,9 +5,6 @@
 #           Path to a file containing the passphrase of the signing key.
 # RPM_GPG_NAME
 #           Name of the key to sign with. May be key id or key name.
-# RPM_GPG_PUBKEY
-#           Path to a file containing the public key (in "armor" format)
-#           corresponding the signing key.
 # GPG_BIN
 #           Optional variable for specifying the gpg binary/wrapper to use for
 #           signing.
@@ -24,6 +21,10 @@ python () {
    for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE_FILE'):
        if not d.getVar(var, True):
            raise_sanity_error("You need to define %s in the config" % var, d)
+    # Set the expected location of the public key
+    d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_ETCDIR_NATIVE'),
+                                            'RPM-GPG-PUBKEY'))
 }
@@ -68,3 +69,5 @@ python sign_rpm () {
    if rpmsign_wrapper(d, rpms, rpm_gpg_passphrase, rpm_gpg_name) != 0:
        raise bb.build.FuncFailed("RPM signing failed")
 }
+do_package_index[depends] += "signing-keys:do_export_public_keys"
diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb
new file mode 100644
index 0000000000..cc401f3b6c
--- /dev/null
+++ b/meta/recipes-core/meta/signing-keys.bb
@@ -0,0 +1,45 @@
+# Copyright (C) 2015 Intel Corporation
+# Released under the MIT license (see COPYING.MIT for the terms)
+DESCRIPTION = "Make public keys of the signing keys available"
+LICENSE = "MIT"
+PACKAGES = ""
+do_fetch[noexec] = "1"
+do_unpack[noexec] = "1"
+do_patch[noexec] = "1"
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+do_install[noexec] = "1"
+do_package[noexec] = "1"
+do_packagedata[noexec] = "1"
+do_package_write_ipk[noexec] = "1"
+do_package_write_rpm[noexec] = "1"
+do_package_write_deb[noexec] = "1"
+do_populate_sysroot[noexec] = "1"
+EXCLUDE_FROM_WORLD = "1"
+def export_gpg_pubkey(d, keyid, path):
+    import bb
+    gpg_bin = d.getVar('GPG_BIN', True) or \
+              bb.utils.which(os.getenv('PATH'), "gpg")
+    cmd = '%s --batch --yes --export --armor -o %s %s' % \
+          (gpg_bin, path, keyid)
+    status, output = oe.utils.getstatusoutput(cmd)
+    if status:
+        raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' %
+                                  (keyid, output))
+python do_export_public_keys () {
+    if d.getVar("RPM_SIGN_PACKAGES", True):
+        # Export public key of the rpm signing key
+        export_gpg_pubkey(d, d.getVar("RPM_GPG_NAME", True),
+                          d.getVar('RPM_GPG_PUBKEY', True))
+    if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
+        # Export public key of the feed signing key
+        export_gpg_pubkey(d, d.getVar("PACKAGE_FEED_GPG_NAME", True),
+                          d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
+}
+addtask do_export_public_keys before do_build
diff --git a/meta/recipes-core/os-release/os-release.bb b/meta/recipes-core/os-release/os-release.bb
index db827602f3..c690b82b2e 100644
--- a/meta/recipes-core/os-release/os-release.bb
+++ b/meta/recipes-core/os-release/os-release.bb
@@ -37,6 +37,7 @@ python do_compile () {
        shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version))
 }
 do_compile[vardeps] += "${OS_RELEASE_FIELDS}"
+do_compile[depends] += "signing-keys:do_export_public_keys"
 do_install () {
    install -d ${D}${sysconfdir}
author	Markus Lehtonen <markus.lehtonen@linux.intel.com>	2015-10-16 13:37:32 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-10-27 07:24:25 +0000
commit	787253fd4efcd18d46b3bcf794e3d54a93ef9f19 (patch)
tree	6df91b6462ed8abd0eef94ad0f6f896eecc6e695
parent	579e2547b857e2973c5fff3b14066ea4d79b1268 (diff)
download	poky-787253fd4efcd18d46b3bcf794e3d54a93ef9f19.tar.gz

diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass index 8877d905f7..4263810028 100644 --- a/meta/classes/sign_package_feed.bbclass +++ b/meta/classes/sign_package_feed.bbclass
@@ -21,4 +21,11 @@ python () {
21	for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'):	21	for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'):
22	if not d.getVar(var, True):	22	if not d.getVar(var, True):
23	raise_sanity_error("You need to define %s in the config" % var, d)	23	raise_sanity_error("You need to define %s in the config" % var, d)
		24
		25	# Set expected location of the public key
		26	d.setVar('PACKAGE_FEED_GPG_PUBKEY',
		27	os.path.join(d.getVar('STAGING_ETCDIR_NATIVE'),
		28	'PACKAGE-FEED-GPG-PUBKEY'))
24	}	29	}
		30
		31	do_package_index[depends] += "signing-keys:do_export_public_keys"


diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass index 4da17633a7..f0c3dc9be3 100644 --- a/meta/classes/sign_rpm.bbclass +++ b/meta/classes/sign_rpm.bbclass
@@ -5,9 +5,6 @@
5	# Path to a file containing the passphrase of the signing key.	5	# Path to a file containing the passphrase of the signing key.
6	# RPM_GPG_NAME	6	# RPM_GPG_NAME
7	# Name of the key to sign with. May be key id or key name.	7	# Name of the key to sign with. May be key id or key name.
8	# RPM_GPG_PUBKEY
9	# Path to a file containing the public key (in "armor" format)
10	# corresponding the signing key.
11	# GPG_BIN	8	# GPG_BIN
12	# Optional variable for specifying the gpg binary/wrapper to use for	9	# Optional variable for specifying the gpg binary/wrapper to use for
13	# signing.	10	# signing.
@@ -24,6 +21,10 @@ python () {
24	for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE_FILE'):	21	for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE_FILE'):
25	if not d.getVar(var, True):	22	if not d.getVar(var, True):
26	raise_sanity_error("You need to define %s in the config" % var, d)	23	raise_sanity_error("You need to define %s in the config" % var, d)
		24
		25	# Set the expected location of the public key
		26	d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_ETCDIR_NATIVE'),
		27	'RPM-GPG-PUBKEY'))
27	}	28	}
28		29
29		30
@@ -68,3 +69,5 @@ python sign_rpm () {
68	if rpmsign_wrapper(d, rpms, rpm_gpg_passphrase, rpm_gpg_name) != 0:	69	if rpmsign_wrapper(d, rpms, rpm_gpg_passphrase, rpm_gpg_name) != 0:
69	raise bb.build.FuncFailed("RPM signing failed")	70	raise bb.build.FuncFailed("RPM signing failed")
70	}	71	}
		72
		73	do_package_index[depends] += "signing-keys:do_export_public_keys"


diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb new file mode 100644 index 0000000000..cc401f3b6c --- /dev/null +++ b/meta/recipes-core/meta/signing-keys.bb
@@ -0,0 +1,45 @@
		1	# Copyright (C) 2015 Intel Corporation
		2	# Released under the MIT license (see COPYING.MIT for the terms)
		3
		4	DESCRIPTION = "Make public keys of the signing keys available"
		5	LICENSE = "MIT"
		6	PACKAGES = ""
		7
		8	do_fetch[noexec] = "1"
		9	do_unpack[noexec] = "1"
		10	do_patch[noexec] = "1"
		11	do_configure[noexec] = "1"
		12	do_compile[noexec] = "1"
		13	do_install[noexec] = "1"
		14	do_package[noexec] = "1"
		15	do_packagedata[noexec] = "1"
		16	do_package_write_ipk[noexec] = "1"
		17	do_package_write_rpm[noexec] = "1"
		18	do_package_write_deb[noexec] = "1"
		19	do_populate_sysroot[noexec] = "1"
		20
		21	EXCLUDE_FROM_WORLD = "1"
		22
		23	def export_gpg_pubkey(d, keyid, path):
		24	import bb
		25	gpg_bin = d.getVar('GPG_BIN', True) or \
		26	bb.utils.which(os.getenv('PATH'), "gpg")
		27	cmd = '%s --batch --yes --export --armor -o %s %s' % \
		28	(gpg_bin, path, keyid)
		29	status, output = oe.utils.getstatusoutput(cmd)
		30	if status:
		31	raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' %
		32	(keyid, output))
		33
		34	python do_export_public_keys () {
		35	if d.getVar("RPM_SIGN_PACKAGES", True):
		36	# Export public key of the rpm signing key
		37	export_gpg_pubkey(d, d.getVar("RPM_GPG_NAME", True),
		38	d.getVar('RPM_GPG_PUBKEY', True))
		39
		40	if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
		41	# Export public key of the feed signing key
		42	export_gpg_pubkey(d, d.getVar("PACKAGE_FEED_GPG_NAME", True),
		43	d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
		44	}
		45	addtask do_export_public_keys before do_build


diff --git a/meta/recipes-core/os-release/os-release.bb b/meta/recipes-core/os-release/os-release.bb index db827602f3..c690b82b2e 100644 --- a/meta/recipes-core/os-release/os-release.bb +++ b/meta/recipes-core/os-release/os-release.bb
@@ -37,6 +37,7 @@ python do_compile () {
37	shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version))	37	shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version))
38	}	38	}
39	do_compile[vardeps] += "${OS_RELEASE_FIELDS}"	39	do_compile[vardeps] += "${OS_RELEASE_FIELDS}"
		40	do_compile[depends] += "signing-keys:do_export_public_keys"
40		41
41	do_install () {	42	do_install () {
42	install -d ${D}${sysconfdir}	43	install -d ${D}${sysconfdir}