diff options
author | Markus Lehtonen <markus.lehtonen@linux.intel.com> | 2015-08-21 17:21:57 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-09-03 12:43:19 +0100 |
commit | 752736ae9f9c8842018e45cff2f5b1d770557d86 (patch) | |
tree | 0a95ef3491ff7c85747405ad9b831100dc2a9443 | |
parent | 103f0e5828d352b44681abe7fe47b606e6ad134b (diff) | |
download | poky-752736ae9f9c8842018e45cff2f5b1d770557d86.tar.gz |
package_rpm: support signing of rpm packages
This patch adds a new bbclass for generating rpm packages that are
signed with a user defined key. The packages are signed as part of the
"package_write_rpm" task.
In order to enable the feature you need to
1. 'INHERIT += " sign_rpm"' in bitbake config (e.g. local or
distro)
2. Create a file that contains the passphrase to your gpg secret key
3. 'RPM_GPG_PASSPHRASE_FILE = "<path_to_file>" in bitbake config,
pointing to the passphrase file created in 2.
4. Define GPG key name to use by either defining
'RPM_GPG_NAME = "<key_id>" in bitbake config OR by defining
%_gpg_name <key_id> in your ~/.oerpmmacros file
5. 'RPM_GPG_PUBKEY = "<path_to_pubkey>" in bitbake config pointing to
the public key (in "armor" format)
The user may optionally define "GPG_BIN" variable in the bitbake
configuration in order to specify a specific gpg binary/wrapper to use.
The sign_rpm.bbclass implements a simple scenario of locally signing the
packages. It could be replaced by a more advanced class that would
utilize a separate signing server for signing the packages, for example.
[YOCTO #8134]
(From OE-Core rev: 75f5f11b19ba1bf8743caf9ee7c99a3c67f4b266)
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/classes/package_rpm.bbclass | 5 | ||||
-rw-r--r-- | meta/classes/sign_rpm.bbclass | 75 | ||||
-rw-r--r-- | meta/lib/oe/package_manager.py | 17 |
3 files changed, 97 insertions, 0 deletions
diff --git a/meta/classes/package_rpm.bbclass b/meta/classes/package_rpm.bbclass index 264438b442..1fa1634d29 100644 --- a/meta/classes/package_rpm.bbclass +++ b/meta/classes/package_rpm.bbclass | |||
@@ -697,6 +697,8 @@ python do_package_rpm () { | |||
697 | else: | 697 | else: |
698 | d.setVar('PACKAGE_ARCH_EXTEND', package_arch) | 698 | d.setVar('PACKAGE_ARCH_EXTEND', package_arch) |
699 | pkgwritedir = d.expand('${PKGWRITEDIRRPM}/${PACKAGE_ARCH_EXTEND}') | 699 | pkgwritedir = d.expand('${PKGWRITEDIRRPM}/${PACKAGE_ARCH_EXTEND}') |
700 | d.setVar('RPM_PKGWRITEDIR', pkgwritedir) | ||
701 | bb.debug(1, 'PKGWRITEDIR: %s' % d.getVar('RPM_PKGWRITEDIR', True)) | ||
700 | pkgarch = d.expand('${PACKAGE_ARCH_EXTEND}${HOST_VENDOR}-${HOST_OS}') | 702 | pkgarch = d.expand('${PACKAGE_ARCH_EXTEND}${HOST_VENDOR}-${HOST_OS}') |
701 | magicfile = d.expand('${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc') | 703 | magicfile = d.expand('${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc') |
702 | bb.utils.mkdirhier(pkgwritedir) | 704 | bb.utils.mkdirhier(pkgwritedir) |
@@ -732,6 +734,9 @@ python do_package_rpm () { | |||
732 | d.setVar('BUILDSPEC', cmd + "\n") | 734 | d.setVar('BUILDSPEC', cmd + "\n") |
733 | d.setVarFlag('BUILDSPEC', 'func', '1') | 735 | d.setVarFlag('BUILDSPEC', 'func', '1') |
734 | bb.build.exec_func('BUILDSPEC', d) | 736 | bb.build.exec_func('BUILDSPEC', d) |
737 | |||
738 | if d.getVar('RPM_SIGN_PACKAGES', True) == '1': | ||
739 | bb.build.exec_func("sign_rpm", d) | ||
735 | } | 740 | } |
736 | 741 | ||
737 | python () { | 742 | python () { |
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass new file mode 100644 index 0000000000..0aa4cd841c --- /dev/null +++ b/meta/classes/sign_rpm.bbclass | |||
@@ -0,0 +1,75 @@ | |||
1 | # Class for generating signed RPM packages. | ||
2 | # | ||
3 | # Configuration variables used by this class: | ||
4 | # RPM_GPG_PASSPHRASE_FILE | ||
5 | # Path to a file containing the passphrase of the signing key. | ||
6 | # RPM_GPG_NAME | ||
7 | # Name of the key to sign with. Alternatively you can define | ||
8 | # %_gpg_name macro in your ~/.oerpmmacros file. | ||
9 | # RPM_GPG_PUBKEY | ||
10 | # Path to a file containing the public key (in "armor" format) | ||
11 | # corresponding the signing key. | ||
12 | # GPG_BIN | ||
13 | # Optional variable for specifying the gpg binary/wrapper to use for | ||
14 | # signing. | ||
15 | # | ||
16 | inherit sanity | ||
17 | |||
18 | RPM_SIGN_PACKAGES='1' | ||
19 | |||
20 | |||
21 | _check_gpg_name () { | ||
22 | macrodef=`rpm -E '%_gpg_name'` | ||
23 | [ "$macrodef" == "%_gpg_name" ] && return 1 || return 0 | ||
24 | } | ||
25 | |||
26 | |||
27 | def rpmsign_wrapper(d, files, passphrase, gpg_name=None): | ||
28 | import pexpect | ||
29 | |||
30 | # Find the correct rpm binary | ||
31 | rpm_bin_path = d.getVar('STAGING_BINDIR_NATIVE', True) + '/rpm' | ||
32 | cmd = rpm_bin_path + " --addsign " | ||
33 | if gpg_name: | ||
34 | cmd += "--define '%%_gpg_name %s' " % gpg_name | ||
35 | else: | ||
36 | try: | ||
37 | bb.build.exec_func('_check_gpg_name', d) | ||
38 | except bb.build.FuncFailed: | ||
39 | raise_sanity_error("You need to define RPM_GPG_NAME in bitbake " | ||
40 | "config or the %_gpg_name RPM macro defined " | ||
41 | "(e.g. in ~/.oerpmmacros", d) | ||
42 | if d.getVar('GPG_BIN', True): | ||
43 | cmd += "--define '%%__gpg %s' " % d.getVar('GPG_BIN', True) | ||
44 | cmd += ' '.join(files) | ||
45 | |||
46 | # Need to use pexpect for feeding the passphrase | ||
47 | proc = pexpect.spawn(cmd) | ||
48 | try: | ||
49 | proc.expect_exact('Enter pass phrase:', timeout=15) | ||
50 | proc.sendline(passphrase) | ||
51 | proc.expect(pexpect.EOF, timeout=900) | ||
52 | proc.close() | ||
53 | except pexpect.TIMEOUT as err: | ||
54 | bb.debug('rpmsign timeout: %s' % err) | ||
55 | proc.terminate() | ||
56 | return proc.exitstatus | ||
57 | |||
58 | |||
59 | python sign_rpm () { | ||
60 | import glob | ||
61 | |||
62 | rpm_gpg_pass_file = (d.getVar("RPM_GPG_PASSPHRASE_FILE", True) or "") | ||
63 | if rpm_gpg_pass_file: | ||
64 | with open(rpm_gpg_pass_file) as fobj: | ||
65 | rpm_gpg_passphrase = fobj.readlines()[0].rstrip('\n') | ||
66 | else: | ||
67 | raise_sanity_error("You need to define RPM_GPG_PASSPHRASE_FILE in the config", d) | ||
68 | |||
69 | rpm_gpg_name = (d.getVar("RPM_GPG_NAME", True) or "") | ||
70 | |||
71 | rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*') | ||
72 | |||
73 | if rpmsign_wrapper(d, rpms, rpm_gpg_passphrase, rpm_gpg_name) != 0: | ||
74 | raise bb.build.FuncFailed("RPM signing failed") | ||
75 | } | ||
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py index f5a22abca7..3632a7af94 100644 --- a/meta/lib/oe/package_manager.py +++ b/meta/lib/oe/package_manager.py | |||
@@ -108,6 +108,7 @@ class RpmIndexer(Indexer): | |||
108 | archs = archs.union(set(sdk_pkg_archs)) | 108 | archs = archs.union(set(sdk_pkg_archs)) |
109 | 109 | ||
110 | rpm_createrepo = bb.utils.which(os.getenv('PATH'), "createrepo") | 110 | rpm_createrepo = bb.utils.which(os.getenv('PATH'), "createrepo") |
111 | |||
111 | index_cmds = [] | 112 | index_cmds = [] |
112 | rpm_dirs_found = False | 113 | rpm_dirs_found = False |
113 | for arch in archs: | 114 | for arch in archs: |
@@ -127,9 +128,16 @@ class RpmIndexer(Indexer): | |||
127 | bb.note("There are no packages in %s" % self.deploy_dir) | 128 | bb.note("There are no packages in %s" % self.deploy_dir) |
128 | return | 129 | return |
129 | 130 | ||
131 | # Create repodata | ||
130 | result = oe.utils.multiprocess_exec(index_cmds, create_index) | 132 | result = oe.utils.multiprocess_exec(index_cmds, create_index) |
131 | if result: | 133 | if result: |
132 | bb.fatal('%s' % ('\n'.join(result))) | 134 | bb.fatal('%s' % ('\n'.join(result))) |
135 | # Copy pubkey to repo | ||
136 | distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0" | ||
137 | if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1': | ||
138 | shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True), | ||
139 | os.path.join(self.deploy_dir, | ||
140 | 'RPM-GPG-KEY-%s' % distro_version)) | ||
133 | 141 | ||
134 | 142 | ||
135 | class OpkgIndexer(Indexer): | 143 | class OpkgIndexer(Indexer): |
@@ -352,6 +360,9 @@ class RpmPkgsList(PkgsList): | |||
352 | pkg = line.split()[0] | 360 | pkg = line.split()[0] |
353 | arch = line.split()[1] | 361 | arch = line.split()[1] |
354 | ver = line.split()[2] | 362 | ver = line.split()[2] |
363 | # Skip GPG keys | ||
364 | if pkg == 'gpg-pubkey': | ||
365 | continue | ||
355 | if self.rpm_version == 4: | 366 | if self.rpm_version == 4: |
356 | pkgorigin = "unknown" | 367 | pkgorigin = "unknown" |
357 | else: | 368 | else: |
@@ -864,6 +875,12 @@ class RpmPM(PackageManager): | |||
864 | except subprocess.CalledProcessError as e: | 875 | except subprocess.CalledProcessError as e: |
865 | bb.fatal("Create rpm database failed. Command '%s' " | 876 | bb.fatal("Create rpm database failed. Command '%s' " |
866 | "returned %d:\n%s" % (cmd, e.returncode, e.output)) | 877 | "returned %d:\n%s" % (cmd, e.returncode, e.output)) |
878 | # Import GPG key to RPM database of the target system | ||
879 | if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1': | ||
880 | pubkey_path = self.d.getVar('RPM_GPG_PUBKEY', True) | ||
881 | cmd = "%s --root %s --dbpath /var/lib/rpm --import %s > /dev/null" % ( | ||
882 | self.rpm_cmd, self.target_rootfs, pubkey_path) | ||
883 | subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True) | ||
867 | 884 | ||
868 | # Configure smart | 885 | # Configure smart |
869 | bb.note("configuring Smart settings") | 886 | bb.note("configuring Smart settings") |