sstate: Allow validation of sstate singatures against list of keys

Allow a user to validate sstate objects against a list of keys, instead of just any known key in the user's keychain. (From OE-Core rev: 52ba0c5e6e2e3d5d01dc3f01404f0ab1bb29b3b5) Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Daniel McGregor <daniel.mcgregor@vecima.com> 2021-10-12 22:04:56 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-10-14 22:52:31 +0100
commit: 652fdf8719ba5cf2c486bf3d19904b5140dbd0d1 (patch)
tree: 9c45fddc25bd58a5cfbb56c1592a96d84abce705
parent: 9a7bc68135c8eb2ca2acda36f5cd5d21edd574d6 (diff)
download: poky-652fdf8719ba5cf2c486bf3d19904b5140dbd0d1.tar.gz
2 files changed, 26 insertions, 6 deletions
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index c125286f74..7f034d746a 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -116,6 +116,9 @@ SSTATE_SIG_KEY ?= ""
 SSTATE_SIG_PASSPHRASE ?= ""
 # Whether to verify the GnUPG signatures when extracting sstate archives
 SSTATE_VERIFY_SIG ?= "0"
+# List of signatures to consider valid.
+SSTATE_VALID_SIGS ??= ""
+SSTATE_VALID_SIGS[vardepvalue] = ""
 SSTATE_HASHEQUIV_METHOD ?= "oe.sstatesig.OEOuthashBasic"
 SSTATE_HASHEQUIV_METHOD[doc] = "The fully-qualified function used to calculate \
@@ -372,7 +375,7 @@ def sstate_installpkg(ss, d):
            bb.warn("No signature file for sstate package %s, skipping acceleration..." % sstatepkg)
            return False
        signer = get_signer(d, 'local')
-        if not signer.verify(sstatepkg + '.sig'):
+        if not signer.verify(sstatepkg + '.sig', d.getVar("SSTATE_VALID_SIGS")):
            bb.warn("Cannot verify signature on sstate package %s, skipping acceleration..." % sstatepkg)
            return False
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 492f096eaa..1bce6cb792 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -109,16 +109,33 @@ class LocalSigner(object):
            bb.fatal("Could not get gpg version: %s" % e)
-    def verify(self, sig_file):
+    def verify(self, sig_file, valid_sigs = ''):
        """Verify signature"""
-        cmd = self.gpg_cmd + ["--verify", "--no-permission-warning"]
+        cmd = self.gpg_cmd + ["--verify", "--no-permission-warning", "--status-fd", "1"]
        if self.gpg_path:
            cmd += ["--homedir", self.gpg_path]
        cmd += [sig_file]
-        status = subprocess.call(cmd)
+        status = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-        ret = False if status else True
+        # Valid if any key matches if unspecified
-        return ret
+        if not valid_sigs:
+            ret = False if status.returncode else True
+            return ret
+        import re
+        goodsigs = []
+        sigre = re.compile(r'^\[GNUPG:\] GOODSIG (\S+)\s(.*)$')
+        for l in status.stdout.decode("utf-8").splitlines():
+            s = sigre.match(l)
+            if s:
+                goodsigs += [s.group(1)]
+        for sig in valid_sigs.split():
+            if sig in goodsigs:
+                return True
+        if len(goodsigs):
+            bb.warn('No accepted signatures found. Good signatures found: %s.' % ' '.join(goodsigs))
+        return False
 def get_signer(d, backend):
author	Daniel McGregor <daniel.mcgregor@vecima.com>	2021-10-12 22:04:56 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-10-14 22:52:31 +0100
commit	652fdf8719ba5cf2c486bf3d19904b5140dbd0d1 (patch)
tree	9c45fddc25bd58a5cfbb56c1592a96d84abce705
parent	9a7bc68135c8eb2ca2acda36f5cd5d21edd574d6 (diff)
download	poky-652fdf8719ba5cf2c486bf3d19904b5140dbd0d1.tar.gz