authorAlexander Kanavin <alexander.kanavin@linux.intel.com>2018-01-10 14:27:42 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-12-06 16:26:52 +0000
commita36d8c437c1e6ba32a14651f8d55092d831dffb8 (patch)
treec48b8dddab3cd81ea7248dfd990bd3bc2cd1273e
parent9d8a46799d46764ed8978d192a1dc2630dd7c4c9 (diff)
gnupg: use native version for signing, rather than one provided by host
Using host gpg has been problematic, and particularly this removes the need to serialize package creation, as long as --auto-expand-secmem is passed to gpg-agent, and gnupg >= 2.2.4 is in use (https://dev.gnupg.org/T3530). Sadly, gpg-agent itself is single-threaded, so in the longer run we might want to seek alternatives: https://lwn.net/Articles/742542/ (a smaller issue is that rpm itself runs the gpg frontend in a serial fashion, which slows down the build in cases of recipes with a very large number of packages, e.g. glibc-locale) Note that sstate signing and verification continue to use host gpg, as depending on native gpg would create circular dependencies. [YOCTO #12022] (From OE-Core rev: 08fef6198122fe79d4c1213f9a64b862162ed6cd) (From OE-Core rev: d449179eaf3cc25fdf6757342e9f95562a84696f) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/sign_package_feed.bbclass2
-rw-r--r--meta/classes/sign_rpm.bbclass6
-rw-r--r--meta/lib/oe/gpg_sign.py8
-rw-r--r--meta/recipes-core/meta/signing-keys.bb1
4 files changed, 9 insertions, 8 deletions
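diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass
index f03c4802d0..7ff3a35a2f 100644
--- a/meta/classes/sign_package_feed.bbclass
+++ b/meta/classes/sign_package_feed.bbclass
@@ -43,4 +43,4 @@ python () {
 }
 
 do_package_index[depends] += "signing-keys:do_deploy"
-do_rootfs[depends] += "signing-keys:do_populate_sysroot"
+do_rootfs[depends] += "signing-keys:do_populate_sysroot gnupg-native:do_populate_sysroot"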
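Review bot: The new gnupg-native dependency is attached only to do_rootfs, while do_package_index on the line above still depends on nothing but `signing-keys:do_deploy`. If the package-index task drives the same signer (the shared signing-keys dependency suggests it does, but that code is outside this hunk), it will keep picking up whichever gpg the host happens to provide, which is exactly what the commit sets out to avoid. Unless that dependency is already supplied elsewhere, consider `do_package_index[depends] += "signing-keys:do_deploy gnupg-native:do_populate_sysroot"` so both signing tasks use the same binary.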
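diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
index 4961b03618..64ae7ce30e 100644
--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -68,8 +68,4 @@ python sign_rpm () {
 do_package_index[depends] += "signing-keys:do_deploy"
 do_rootfs[depends] += "signing-keys:do_populate_sysroot"
 
-# Newer versions of gpg (at least 2.1.5 and 2.2.1) have issues when signing occurs in parallel
-# so unfortunately the signing must be done serially. Once the upstream problem is fixed,
-# the following line must be removed otherwise we loose all the intrinsic parallelism from
-# bitbake. For more information, check https://bugzilla.yoctoproject.org/show_bug.cgi?id=12022.
-do_package_write_rpm[lockfiles] += "${TMPDIR}/gpg.lock"
+PACKAGE_WRITE_DEPS += "gnupg-native"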
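Review bot: Dropping the gpg.lock serialization is only safe under the conditions the commit message states (gnupg >= 2.2.4 and gpg-agent started with --auto-expand-secmem), but nothing in the class records or checks that, so a later change to GPG_BIN or to the gnupg recipe version could silently reintroduce the parallel-signing failures the removed comment described. I would keep a one-line reminder next to the new dependency: `# Parallel signing relies on gnupg-native >= 2.2.4 with --auto-expand-secmem (YOCTO #12022, https://dev.gnupg.org/T3530)`. Whether gpg_sign.py enforces that version is outside this hunk.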
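diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 9cc88f020c..b17272928f 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -12,6 +12,7 @@ class LocalSigner(object):
         self.gpg_path = d.getVar('GPG_PATH')
         self.gpg_version = self.get_gpg_version()
         self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpmsign")
+        self.gpg_agent_bin = bb.utils.which(os.getenv('PATH'), "gpg-agent")
 
     def export_pubkey(self, output_file, keyid, armor=True):
         """Export GPG public key to a file"""
@@ -31,7 +32,7 @@ class LocalSigner(object):
         """Sign RPM files"""
 
         cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid
-        gpg_args = '--no-permission-warning --batch --passphrase=%s' % passphrase
+        gpg_args = '--no-permission-warning --batch --passphrase=%s --agent-program=%s|--auto-expand-secmem' % (passphrase, self.gpg_agent_bin)
         if self.gpg_version > (2,1,):
             gpg_args += ' --pinentry-mode=loopback'
         cmd += "--define '_gpg_sign_cmd_extra_args %s' " % gpg_args
@@ -71,6 +72,9 @@ class LocalSigner(object):
         if self.gpg_version > (2,1,):
             cmd += ['--pinentry-mode', 'loopback']
 
+        if self.gpg_agent_bin:
+            cmd += ["--agent-program=%s|--auto-expand-secmem" % (self.gpg_agent_bin)]
+
         cmd += [input_file]
 
         try:
@@ -99,7 +103,7 @@ class LocalSigner(object):
         import subprocess
         try:
             ver_str = subprocess.check_output((self.gpg_bin, "--version", "--no-permission-warning")).split()[2].decode("utf-8")
-            return tuple([int(i) for i in ver_str.split('.')])
+            return tuple([int(i) for i in ver_str.split("-")[0].split('.')])
         except subprocess.CalledProcessError as e:
             raise bb.build.FuncFailed("Could not get gpg version: %s" % e)
 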
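Review bot: In sign_rpm (new line 35) `--agent-program=%s|--auto-expand-secmem` is appended unconditionally, whereas the detach-sign path (new lines 75-76) only adds it `if self.gpg_agent_bin:`; when `bb.utils.which` finds no gpg-agent on PATH the RPM path hands gpg an empty or `None` program path and rpmsign fails in a confusing way. The two call sites should agree: keep `gpg_args = '--no-permission-warning --batch --passphrase=%s' % passphrase` and follow it with `if self.gpg_agent_bin: gpg_args += ' --agent-program=%s|--auto-expand-secmem' % self.gpg_agent_bin`. Per the commit message --auto-expand-secmem needs gnupg >= 2.2.4, but the only version gate in view is `self.gpg_version > (2,1,)`, so an older agent would presumably reject the unknown option; a version check before adding the agent arguments, or at least a comment stating the requirement, would make that assumption explicit. Both methods begin outside their hunks.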
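diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb
index 2c1cc3845e..6387d90d47 100644
--- a/meta/recipes-core/meta/signing-keys.bb
+++ b/meta/recipes-core/meta/signing-keys.bb
@@ -41,6 +41,7 @@ python do_get_public_keys () {
 }
 do_get_public_keys[cleandirs] = "${B}"
 addtask get_public_keys before do_install
+do_get_public_keys[depends] += "gnupg-native:do_populate_sysroot"
 
 do_install () {
 	if [ -f "${B}/rpm-key" ]; then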