summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMarkus Lehtonen <markus.lehtonen@linux.intel.com>2015-10-16 13:37:32 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-10-27 07:24:25 +0000
commit787253fd4efcd18d46b3bcf794e3d54a93ef9f19 (patch)
tree6df91b6462ed8abd0eef94ad0f6f896eecc6e695
parent579e2547b857e2973c5fff3b14066ea4d79b1268 (diff)
downloadpoky-787253fd4efcd18d46b3bcf794e3d54a93ef9f19.tar.gz
package signing: automatically export public keys
Automatically export public key(s) of the signing key(s) from the gpg keyring. Adds a new simple recipe that does the actual task of exporting the keys. This patch makes the RPM_GPG_PUBKEY and PACKAGE_FEED_GPG PUBKEY settings obsolete. (From OE-Core rev: 23b30c34581948e1ea02c25cbf7b9194d7e49fb8) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/sign_package_feed.bbclass7
-rw-r--r--meta/classes/sign_rpm.bbclass9
-rw-r--r--meta/recipes-core/meta/signing-keys.bb45
-rw-r--r--meta/recipes-core/os-release/os-release.bb1
4 files changed, 59 insertions, 3 deletions
diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass
index 8877d905f7..4263810028 100644
--- a/meta/classes/sign_package_feed.bbclass
+++ b/meta/classes/sign_package_feed.bbclass
@@ -21,4 +21,11 @@ python () {
21 for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'): 21 for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'):
22 if not d.getVar(var, True): 22 if not d.getVar(var, True):
23 raise_sanity_error("You need to define %s in the config" % var, d) 23 raise_sanity_error("You need to define %s in the config" % var, d)
24
25 # Set expected location of the public key
26 d.setVar('PACKAGE_FEED_GPG_PUBKEY',
27 os.path.join(d.getVar('STAGING_ETCDIR_NATIVE'),
28 'PACKAGE-FEED-GPG-PUBKEY'))
24} 29}
30
31do_package_index[depends] += "signing-keys:do_export_public_keys"
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
index 4da17633a7..f0c3dc9be3 100644
--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -5,9 +5,6 @@
5# Path to a file containing the passphrase of the signing key. 5# Path to a file containing the passphrase of the signing key.
6# RPM_GPG_NAME 6# RPM_GPG_NAME
7# Name of the key to sign with. May be key id or key name. 7# Name of the key to sign with. May be key id or key name.
8# RPM_GPG_PUBKEY
9# Path to a file containing the public key (in "armor" format)
10# corresponding the signing key.
11# GPG_BIN 8# GPG_BIN
12# Optional variable for specifying the gpg binary/wrapper to use for 9# Optional variable for specifying the gpg binary/wrapper to use for
13# signing. 10# signing.
@@ -24,6 +21,10 @@ python () {
24 for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE_FILE'): 21 for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE_FILE'):
25 if not d.getVar(var, True): 22 if not d.getVar(var, True):
26 raise_sanity_error("You need to define %s in the config" % var, d) 23 raise_sanity_error("You need to define %s in the config" % var, d)
24
25 # Set the expected location of the public key
26 d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_ETCDIR_NATIVE'),
27 'RPM-GPG-PUBKEY'))
27} 28}
28 29
29 30
@@ -68,3 +69,5 @@ python sign_rpm () {
68 if rpmsign_wrapper(d, rpms, rpm_gpg_passphrase, rpm_gpg_name) != 0: 69 if rpmsign_wrapper(d, rpms, rpm_gpg_passphrase, rpm_gpg_name) != 0:
69 raise bb.build.FuncFailed("RPM signing failed") 70 raise bb.build.FuncFailed("RPM signing failed")
70} 71}
72
73do_package_index[depends] += "signing-keys:do_export_public_keys"
diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb
new file mode 100644
index 0000000000..cc401f3b6c
--- /dev/null
+++ b/meta/recipes-core/meta/signing-keys.bb
@@ -0,0 +1,45 @@
1# Copyright (C) 2015 Intel Corporation
2# Released under the MIT license (see COPYING.MIT for the terms)
3
4DESCRIPTION = "Make public keys of the signing keys available"
5LICENSE = "MIT"
6PACKAGES = ""
7
8do_fetch[noexec] = "1"
9do_unpack[noexec] = "1"
10do_patch[noexec] = "1"
11do_configure[noexec] = "1"
12do_compile[noexec] = "1"
13do_install[noexec] = "1"
14do_package[noexec] = "1"
15do_packagedata[noexec] = "1"
16do_package_write_ipk[noexec] = "1"
17do_package_write_rpm[noexec] = "1"
18do_package_write_deb[noexec] = "1"
19do_populate_sysroot[noexec] = "1"
20
21EXCLUDE_FROM_WORLD = "1"
22
23def export_gpg_pubkey(d, keyid, path):
24 import bb
25 gpg_bin = d.getVar('GPG_BIN', True) or \
26 bb.utils.which(os.getenv('PATH'), "gpg")
27 cmd = '%s --batch --yes --export --armor -o %s %s' % \
28 (gpg_bin, path, keyid)
29 status, output = oe.utils.getstatusoutput(cmd)
30 if status:
31 raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' %
32 (keyid, output))
33
34python do_export_public_keys () {
35 if d.getVar("RPM_SIGN_PACKAGES", True):
36 # Export public key of the rpm signing key
37 export_gpg_pubkey(d, d.getVar("RPM_GPG_NAME", True),
38 d.getVar('RPM_GPG_PUBKEY', True))
39
40 if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
41 # Export public key of the feed signing key
42 export_gpg_pubkey(d, d.getVar("PACKAGE_FEED_GPG_NAME", True),
43 d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
44}
45addtask do_export_public_keys before do_build
diff --git a/meta/recipes-core/os-release/os-release.bb b/meta/recipes-core/os-release/os-release.bb
index db827602f3..c690b82b2e 100644
--- a/meta/recipes-core/os-release/os-release.bb
+++ b/meta/recipes-core/os-release/os-release.bb
@@ -37,6 +37,7 @@ python do_compile () {
37 shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version)) 37 shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version))
38} 38}
39do_compile[vardeps] += "${OS_RELEASE_FIELDS}" 39do_compile[vardeps] += "${OS_RELEASE_FIELDS}"
40do_compile[depends] += "signing-keys:do_export_public_keys"
40 41
41do_install () { 42do_install () {
42 install -d ${D}${sysconfdir} 43 install -d ${D}${sysconfdir}