authorMarkus Lehtonen <markus.lehtonen@linux.intel.com>2016-02-10 16:15:57 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-02-19 01:01:25 +0000
commite845b75f8fc718765158a858cfe904c575315f45 (patch)
treea456ad2949d45e46a9f886717eb02c3c822aa90c
parentd5be8666a1f429283e8200ef67f1fc3afa587c4f (diff)
sign_rpm.bbclass: do not store key details in signer instance
Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/sign_rpm.bbclass9
-rw-r--r--meta/lib/oe/gpg_sign.py24
-rw-r--r--meta/lib/oe/package_manager.py9
-rw-r--r--meta/recipes-core/meta/signing-keys.bb16
4 files changed, 25 insertions, 33 deletions
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
index 8bcabeec91..8b59bacd45 100644
--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -36,13 +36,12 @@ python sign_rpm () {
36 import glob 36 import glob
37 from oe.gpg_sign import get_signer 37 from oe.gpg_sign import get_signer
38 38
39 signer = get_signer(d, 39 signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True))
40 d.getVar('RPM_GPG_BACKEND', True),
41 d.getVar('RPM_GPG_NAME', True),
42 d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
43 rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*') 40 rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*')
44 41
45 signer.sign_rpms(rpms) 42 signer.sign_rpms(rpms,
43 d.getVar('RPM_GPG_NAME', True),
44 d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
46} 45}
47 46
48do_package_index[depends] += "signing-keys:do_export_public_keys" 47do_package_index[depends] += "signing-keys:do_export_public_keys"
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 16a23645b6..c4cadd6a24 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -6,31 +6,29 @@ import oe.utils
6 6
7class LocalSigner(object): 7class LocalSigner(object):
8 """Class for handling local (on the build host) signing""" 8 """Class for handling local (on the build host) signing"""
9 def __init__(self, d, keyid, passphrase_file): 9 def __init__(self, d):
10 self.keyid = keyid
11 self.passphrase_file = passphrase_file
12 self.gpg_bin = d.getVar('GPG_BIN', True) or \ 10 self.gpg_bin = d.getVar('GPG_BIN', True) or \
13 bb.utils.which(os.getenv('PATH'), 'gpg') 11 bb.utils.which(os.getenv('PATH'), 'gpg')
14 self.gpg_path = d.getVar('GPG_PATH', True) 12 self.gpg_path = d.getVar('GPG_PATH', True)
15 self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm") 13 self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm")
16 14
17 def export_pubkey(self, output_file): 15 def export_pubkey(self, output_file, keyid):
18 """Export GPG public key to a file""" 16 """Export GPG public key to a file"""
19 cmd = '%s --batch --yes --export --armor -o %s ' % \ 17 cmd = '%s --batch --yes --export --armor -o %s ' % \
20 (self.gpg_bin, output_file) 18 (self.gpg_bin, output_file)
21 if self.gpg_path: 19 if self.gpg_path:
22 cmd += "--homedir %s " % self.gpg_path 20 cmd += "--homedir %s " % self.gpg_path
23 cmd += self.keyid 21 cmd += keyid
24 status, output = oe.utils.getstatusoutput(cmd) 22 status, output = oe.utils.getstatusoutput(cmd)
25 if status: 23 if status:
26 raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' % 24 raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' %
27 (self.keyid, output)) 25 (keyid, output))
28 26
29 def sign_rpms(self, files): 27 def sign_rpms(self, files, keyid, passphrase_file):
30 """Sign RPM files""" 28 """Sign RPM files"""
31 import pexpect 29 import pexpect
32 30
33 cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % self.keyid 31 cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid
34 if self.gpg_bin: 32 if self.gpg_bin:
35 cmd += "--define '%%__gpg %s' " % self.gpg_bin 33 cmd += "--define '%%__gpg %s' " % self.gpg_bin
36 if self.gpg_path: 34 if self.gpg_path:
@@ -41,7 +39,7 @@ class LocalSigner(object):
41 proc = pexpect.spawn(cmd) 39 proc = pexpect.spawn(cmd)
42 try: 40 try:
43 proc.expect_exact('Enter pass phrase:', timeout=15) 41 proc.expect_exact('Enter pass phrase:', timeout=15)
44 with open(self.passphrase_file) as fobj: 42 with open(passphrase_file) as fobj:
45 proc.sendline(fobj.readline().rstrip('\n')) 43 proc.sendline(fobj.readline().rstrip('\n'))
46 proc.expect(pexpect.EOF, timeout=900) 44 proc.expect(pexpect.EOF, timeout=900)
47 proc.close() 45 proc.close()
@@ -52,11 +50,11 @@ class LocalSigner(object):
52 bb.error('rpmsign failed: %s' % proc.before.strip()) 50 bb.error('rpmsign failed: %s' % proc.before.strip())
53 raise bb.build.FuncFailed("Failed to sign RPM packages") 51 raise bb.build.FuncFailed("Failed to sign RPM packages")
54 52
55 def detach_sign(self, input_file, armor=True): 53 def detach_sign(self, input_file, keyid, passphrase_file, armor=True):
56 """Create a detached signature of a file""" 54 """Create a detached signature of a file"""
57 cmd = "%s --detach-sign --batch --no-tty --yes " \ 55 cmd = "%s --detach-sign --batch --no-tty --yes " \
58 "--passphrase-file '%s' -u '%s' " % \ 56 "--passphrase-file '%s' -u '%s' " % \
59 (self.gpg_bin, self.passphrase_file, self.keyid) 57 (self.gpg_bin, passphrase_file, keyid)
60 if self.gpg_path: 58 if self.gpg_path:
61 cmd += "--homedir %s " % self.gpg_path 59 cmd += "--homedir %s " % self.gpg_path
62 if armor: 60 if armor:
@@ -78,11 +76,11 @@ class LocalSigner(object):
78 return ret 76 return ret
79 77
80 78
81def get_signer(d, backend, keyid, passphrase_file): 79def get_signer(d, backend):
82 """Get signer object for the specified backend""" 80 """Get signer object for the specified backend"""
83 # Use local signing by default 81 # Use local signing by default
84 if backend == 'local': 82 if backend == 'local':
85 return LocalSigner(d, keyid, passphrase_file) 83 return LocalSigner(d)
86 else: 84 else:
87 bb.fatal("Unsupported signing backend '%s'" % backend) 85 bb.fatal("Unsupported signing backend '%s'" % backend)
88 86
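Review bot: In export_pubkey the key id, now supplied by each caller, is appended to the command string unquoted (`cmd += keyid`), and detach_sign places `passphrase_file` and `keyid` between single quotes without escaping them. A key selector containing a space or a quote character changes how the command is split, and the string presumably reaches a shell through oe.utils.getstatusoutput. Quoting at the point of use keeps these public parameters safe for any caller, for example `cmd += pipes.quote(keyid)` (with `import pipes`) in export_pubkey and the same helper for the two values in detach_sign; `--homedir %s` with self.gpg_path has the same form. The new parameters are also undocumented: each docstring could say that `keyid` is the gpg key selector and `passphrase_file` the path of the file holding the passphrase. The bodies of sign_rpms and detach_sign continue outside the hunks shown.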
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index 26f6466ed1..b30a4da057 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -110,10 +110,7 @@ class RpmIndexer(Indexer):
110 110
111 rpm_createrepo = bb.utils.which(os.getenv('PATH'), "createrepo") 111 rpm_createrepo = bb.utils.which(os.getenv('PATH'), "createrepo")
112 if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1': 112 if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
113 signer = get_signer(self.d, 113 signer = get_signer(self.d, self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
114 self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
115 self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
116 self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
117 else: 114 else:
118 signer = None 115 signer = None
119 index_cmds = [] 116 index_cmds = []
@@ -144,7 +141,9 @@ class RpmIndexer(Indexer):
144 # Sign repomd 141 # Sign repomd
145 if signer: 142 if signer:
146 for repomd in repomd_files: 143 for repomd in repomd_files:
147 signer.detach_sign(repomd) 144 signer.detach_sign(repomd,
145 self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
146 self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
148 # Copy pubkey(s) to repo 147 # Copy pubkey(s) to repo
149 distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0" 148 distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0"
150 if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1': 149 if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
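Review bot: The feed key name and passphrase file are now looked up inside the `for repomd in repomd_files` loop, so a missing value is only noticed at signing time, apparently after the index commands have been built and run. getVar returns None for an unset variable, and detach_sign would format that into the gpg command as the literal text 'None'. Reading both once beside the get_signer call and failing early would be clearer, e.g. `keyid = self.d.getVar('PACKAGE_FEED_GPG_NAME', True)` followed by `if not keyid: bb.fatal("PACKAGE_FEED_GPG_NAME is not set")`, and the same for the passphrase file. A check may already exist elsewhere; the enclosing method starts and ends outside these hunks.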
diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb
index d7aa79d49f..d7763c664e 100644
--- a/meta/recipes-core/meta/signing-keys.bb
+++ b/meta/recipes-core/meta/signing-keys.bb
@@ -26,18 +26,14 @@ python do_export_public_keys () {
26 26
27 if d.getVar("RPM_SIGN_PACKAGES", True): 27 if d.getVar("RPM_SIGN_PACKAGES", True):
28 # Export public key of the rpm signing key 28 # Export public key of the rpm signing key
29 signer = get_signer(d, 29 signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True))
30 d.getVar('RPM_GPG_BACKEND', True), 30 signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True),
31 d.getVar('RPM_GPG_NAME', True), 31 d.getVar('RPM_GPG_NAME', True))
32 d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
33 signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True))
34 32
35 if d.getVar('PACKAGE_FEED_SIGN', True) == '1': 33 if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
36 # Export public key of the feed signing key 34 # Export public key of the feed signing key
37 signer = get_signer(d, 35 signer = get_signer(d, d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
38 d.getVar('PACKAGE_FEED_GPG_BACKEND', True), 36 signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True),
39 d.getVar('PACKAGE_FEED_GPG_NAME', True), 37 d.getVar('PACKAGE_FEED_GPG_NAME', True))
40 d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
41 signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
42} 38}
43addtask do_export_public_keys before do_build 39addtask do_export_public_keys before do_build
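Review bot: The RPM branch is guarded by `if d.getVar("RPM_SIGN_PACKAGES", True):`, which is true for any non-empty value including "0", while the feed branch below it and package_manager.py compare against '1'. With signing switched off that way, export_pubkey would still be called, and an unset RPM_GPG_NAME would reach `cmd += keyid` as None. Suggest `if d.getVar("RPM_SIGN_PACKAGES", True) == '1':` so the guard matches the other call sites.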