gpg_sign: add local ipk package signing functionality

Implement ipk signing inside the sign_ipk bbclass using the gpg_sign module and configure signing similar to how rpm does it. sign_ipk uses gpg_sign's detach_sign because its functionality is identical to package feed signing. IPK signing process is a bit different from rpm: - Signatures are stored outside ipk files; opkg connects to a feed server and downloads them to verify a package. - Signatures are of two types (both supported by opkg): binary or ascii armoured. By default we sign using ascii armoured. - Public keys are stored on targets to verify ipks using the opkg-keyrings recipe. (From OE-Core rev: a40f27aa7802e8a0bd87a5417e35adbface62d05) Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> 2016-03-10 12:02:55 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-03-11 16:50:45 +0000
commit: 2fccd8aa1c96a6db056e2352b1d5039ce671a102 (patch)
tree: f89662a5fa662b8eadd3c7df9da31a620f0c32d0 /meta/classes/sign_ipk.bbclass
parent: 6bd6a2b6fe0775e6ec75ad70af6231f944fa399c (diff)
download: poky-2fccd8aa1c96a6db056e2352b1d5039ce671a102.tar.gz
1 files changed, 52 insertions, 0 deletions
diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass
new file mode 100644
index 0000000000..a481f6d9a8
--- /dev/null
+++ b/meta/classes/sign_ipk.bbclass
@@ -0,0 +1,52 @@
+# Class for generating signed IPK packages.
+#
+# Configuration variables used by this class:
+# IPK_GPG_PASSPHRASE_FILE
+#           Path to a file containing the passphrase of the signing key.
+# IPK_GPG_NAME
+#           Name of the key to sign with.
+# IPK_GPG_BACKEND
+#           Optional variable for specifying the backend to use for signing.
+#           Currently the only available option is 'local', i.e. local signing
+#           on the build host.
+# IPK_GPG_SIGNATURE_TYPE
+#           Optional variable for specifying the type of gpg signatures, can be:
+#                     1. Ascii armored (ASC), default if not set
+#                     2. Binary (BIN)
+# GPG_BIN
+#           Optional variable for specifying the gpg binary/wrapper to use for
+#           signing.
+# GPG_PATH
+#           Optional variable for specifying the gnupg "home" directory:
+#
+inherit sanity
+IPK_SIGN_PACKAGES = '1'
+IPK_GPG_BACKEND ?= 'local'
+IPK_GPG_SIGNATURE_TYPE ?= 'ASC'
+python () {
+    # Check configuration
+    for var in ('IPK_GPG_NAME', 'IPK_GPG_PASSPHRASE_FILE'):
+        if not d.getVar(var, True):
+            raise_sanity_error("You need to define %s in the config" % var, d)
+    sigtype = d.getVar("IPK_GPG_SIGNATURE_TYPE", True)
+    if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
+        raise_sanity_error("Bad value for IPK_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype)
+}
+def sign_ipk(d, ipk_to_sign):
+    from oe.gpg_sign import get_signer
+    bb.debug(1, 'Signing ipk: %s' % ipk_to_sign)
+    signer = get_signer(d, d.getVar('IPK_GPG_BACKEND', True))
+    sig_type = d.getVar('IPK_GPG_SIGNATURE_TYPE', True)
+    is_ascii_sig = (sig_type.upper() != "BIN")
+    signer.detach_sign(ipk_to_sign,
+                       d.getVar('IPK_GPG_NAME', True),
+                       d.getVar('IPK_GPG_PASSPHRASE_FILE', True),
+                       armor=is_ascii_sig)
author	Ioan-Adrian Ratiu <adrian.ratiu@ni.com>	2016-03-10 12:02:55 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-03-11 16:50:45 +0000
commit	2fccd8aa1c96a6db056e2352b1d5039ce671a102 (patch)
tree	f89662a5fa662b8eadd3c7df9da31a620f0c32d0 /meta/classes/sign_ipk.bbclass
parent	6bd6a2b6fe0775e6ec75ad70af6231f944fa399c (diff)
download	poky-2fccd8aa1c96a6db056e2352b1d5039ce671a102.tar.gz

diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass new file mode 100644 index 0000000000..a481f6d9a8 --- /dev/null +++ b/meta/classes/sign_ipk.bbclass
@@ -0,0 +1,52 @@
	1	# Class for generating signed IPK packages.
	2	#
	3	# Configuration variables used by this class:
	4	# IPK_GPG_PASSPHRASE_FILE
	5	# Path to a file containing the passphrase of the signing key.
	6	# IPK_GPG_NAME
	7	# Name of the key to sign with.
	8	# IPK_GPG_BACKEND
	9	# Optional variable for specifying the backend to use for signing.
	10	# Currently the only available option is 'local', i.e. local signing
	11	# on the build host.
	12	# IPK_GPG_SIGNATURE_TYPE
	13	# Optional variable for specifying the type of gpg signatures, can be:
	14	# 1. Ascii armored (ASC), default if not set
	15	# 2. Binary (BIN)
	16	# GPG_BIN
	17	# Optional variable for specifying the gpg binary/wrapper to use for
	18	# signing.
	19	# GPG_PATH
	20	# Optional variable for specifying the gnupg "home" directory:
	21	#
	22
	23	inherit sanity
	24
	25	IPK_SIGN_PACKAGES = '1'
	26	IPK_GPG_BACKEND ?= 'local'
	27	IPK_GPG_SIGNATURE_TYPE ?= 'ASC'
	28
	29	python () {
	30	# Check configuration
	31	for var in ('IPK_GPG_NAME', 'IPK_GPG_PASSPHRASE_FILE'):
	32	if not d.getVar(var, True):
	33	raise_sanity_error("You need to define %s in the config" % var, d)
	34
	35	sigtype = d.getVar("IPK_GPG_SIGNATURE_TYPE", True)
	36	if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
	37	raise_sanity_error("Bad value for IPK_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype)
	38	}
	39
	40	def sign_ipk(d, ipk_to_sign):
	41	from oe.gpg_sign import get_signer
	42
	43	bb.debug(1, 'Signing ipk: %s' % ipk_to_sign)
	44
	45	signer = get_signer(d, d.getVar('IPK_GPG_BACKEND', True))
	46	sig_type = d.getVar('IPK_GPG_SIGNATURE_TYPE', True)
	47	is_ascii_sig = (sig_type.upper() != "BIN")
	48
	49	signer.detach_sign(ipk_to_sign,
	50	d.getVar('IPK_GPG_NAME', True),
	51	d.getVar('IPK_GPG_PASSPHRASE_FILE', True),
	52	armor=is_ascii_sig)