diff options
author | Daniel McGregor <daniel.mcgregor@vecima.com> | 2021-10-12 22:04:56 -0600 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-10-14 22:52:31 +0100 |
commit | 652fdf8719ba5cf2c486bf3d19904b5140dbd0d1 (patch) | |
tree | 9c45fddc25bd58a5cfbb56c1592a96d84abce705 | |
parent | 9a7bc68135c8eb2ca2acda36f5cd5d21edd574d6 (diff) | |
download | poky-652fdf8719ba5cf2c486bf3d19904b5140dbd0d1.tar.gz |
sstate: Allow validation of sstate singatures against list of keys
Allow a user to validate sstate objects against a list of keys, instead
of just any known key in the user's keychain.
(From OE-Core rev: 52ba0c5e6e2e3d5d01dc3f01404f0ab1bb29b3b5)
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/classes/sstate.bbclass | 5 | ||||
-rw-r--r-- | meta/lib/oe/gpg_sign.py | 27 |
2 files changed, 26 insertions, 6 deletions
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass index c125286f74..7f034d746a 100644 --- a/meta/classes/sstate.bbclass +++ b/meta/classes/sstate.bbclass | |||
@@ -116,6 +116,9 @@ SSTATE_SIG_KEY ?= "" | |||
116 | SSTATE_SIG_PASSPHRASE ?= "" | 116 | SSTATE_SIG_PASSPHRASE ?= "" |
117 | # Whether to verify the GnUPG signatures when extracting sstate archives | 117 | # Whether to verify the GnUPG signatures when extracting sstate archives |
118 | SSTATE_VERIFY_SIG ?= "0" | 118 | SSTATE_VERIFY_SIG ?= "0" |
119 | # List of signatures to consider valid. | ||
120 | SSTATE_VALID_SIGS ??= "" | ||
121 | SSTATE_VALID_SIGS[vardepvalue] = "" | ||
119 | 122 | ||
120 | SSTATE_HASHEQUIV_METHOD ?= "oe.sstatesig.OEOuthashBasic" | 123 | SSTATE_HASHEQUIV_METHOD ?= "oe.sstatesig.OEOuthashBasic" |
121 | SSTATE_HASHEQUIV_METHOD[doc] = "The fully-qualified function used to calculate \ | 124 | SSTATE_HASHEQUIV_METHOD[doc] = "The fully-qualified function used to calculate \ |
@@ -372,7 +375,7 @@ def sstate_installpkg(ss, d): | |||
372 | bb.warn("No signature file for sstate package %s, skipping acceleration..." % sstatepkg) | 375 | bb.warn("No signature file for sstate package %s, skipping acceleration..." % sstatepkg) |
373 | return False | 376 | return False |
374 | signer = get_signer(d, 'local') | 377 | signer = get_signer(d, 'local') |
375 | if not signer.verify(sstatepkg + '.sig'): | 378 | if not signer.verify(sstatepkg + '.sig', d.getVar("SSTATE_VALID_SIGS")): |
376 | bb.warn("Cannot verify signature on sstate package %s, skipping acceleration..." % sstatepkg) | 379 | bb.warn("Cannot verify signature on sstate package %s, skipping acceleration..." % sstatepkg) |
377 | return False | 380 | return False |
378 | 381 | ||
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index 492f096eaa..1bce6cb792 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py | |||
@@ -109,16 +109,33 @@ class LocalSigner(object): | |||
109 | bb.fatal("Could not get gpg version: %s" % e) | 109 | bb.fatal("Could not get gpg version: %s" % e) |
110 | 110 | ||
111 | 111 | ||
112 | def verify(self, sig_file): | 112 | def verify(self, sig_file, valid_sigs = ''): |
113 | """Verify signature""" | 113 | """Verify signature""" |
114 | cmd = self.gpg_cmd + ["--verify", "--no-permission-warning"] | 114 | cmd = self.gpg_cmd + ["--verify", "--no-permission-warning", "--status-fd", "1"] |
115 | if self.gpg_path: | 115 | if self.gpg_path: |
116 | cmd += ["--homedir", self.gpg_path] | 116 | cmd += ["--homedir", self.gpg_path] |
117 | 117 | ||
118 | cmd += [sig_file] | 118 | cmd += [sig_file] |
119 | status = subprocess.call(cmd) | 119 | status = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
120 | ret = False if status else True | 120 | # Valid if any key matches if unspecified |
121 | return ret | 121 | if not valid_sigs: |
122 | ret = False if status.returncode else True | ||
123 | return ret | ||
124 | |||
125 | import re | ||
126 | goodsigs = [] | ||
127 | sigre = re.compile(r'^\[GNUPG:\] GOODSIG (\S+)\s(.*)$') | ||
128 | for l in status.stdout.decode("utf-8").splitlines(): | ||
129 | s = sigre.match(l) | ||
130 | if s: | ||
131 | goodsigs += [s.group(1)] | ||
132 | |||
133 | for sig in valid_sigs.split(): | ||
134 | if sig in goodsigs: | ||
135 | return True | ||
136 | if len(goodsigs): | ||
137 | bb.warn('No accepted signatures found. Good signatures found: %s.' % ' '.join(goodsigs)) | ||
138 | return False | ||
122 | 139 | ||
123 | 140 | ||
124 | def get_signer(d, backend): | 141 | def get_signer(d, backend): |