diff options
author | Markus Lehtonen <markus.lehtonen@linux.intel.com> | 2016-01-25 14:21:34 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-01-26 22:31:58 +0000 |
commit | bb971577ab308caf7177d4bda290d1fe5ab842db (patch) | |
tree | 49c1811106a9b58717dcfd3c6fe4e4810341c1b3 /meta/classes/sign_rpm.bbclass | |
parent | aadb879e5b302e405e05443f56611c17868d10b6 (diff) | |
download | poky-bb971577ab308caf7177d4bda290d1fe5ab842db.tar.gz |
meta/lib: new module for handling GPG signing
Add a new Python module (oe.gpg_sign) for handling GPG signing
operations, i.e. currently package and package feed signing. The purpose
is to be able to more easily support various signing backends and to be
able to centralise signing functionality into one place (e.g. package
signing and sstate signing). Currently, only local signing with gpg is
implemented.
[YOCTO #8755]
(From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257)
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/sign_rpm.bbclass')
-rw-r--r-- | meta/classes/sign_rpm.bbclass | 47 |
1 files changed, 11 insertions, 36 deletions
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass index 7906b6413b..8bcabeec91 100644 --- a/meta/classes/sign_rpm.bbclass +++ b/meta/classes/sign_rpm.bbclass | |||
@@ -5,6 +5,10 @@ | |||
5 | # Path to a file containing the passphrase of the signing key. | 5 | # Path to a file containing the passphrase of the signing key. |
6 | # RPM_GPG_NAME | 6 | # RPM_GPG_NAME |
7 | # Name of the key to sign with. May be key id or key name. | 7 | # Name of the key to sign with. May be key id or key name. |
8 | # RPM_GPG_BACKEND | ||
9 | # Optional variable for specifying the backend to use for signing. | ||
10 | # Currently the only available option is 'local', i.e. local signing | ||
11 | # on the build host. | ||
8 | # GPG_BIN | 12 | # GPG_BIN |
9 | # Optional variable for specifying the gpg binary/wrapper to use for | 13 | # Optional variable for specifying the gpg binary/wrapper to use for |
10 | # signing. | 14 | # signing. |
@@ -14,6 +18,7 @@ | |||
14 | inherit sanity | 18 | inherit sanity |
15 | 19 | ||
16 | RPM_SIGN_PACKAGES='1' | 20 | RPM_SIGN_PACKAGES='1' |
21 | RPM_GPG_BACKEND ?= 'local' | ||
17 | 22 | ||
18 | 23 | ||
19 | python () { | 24 | python () { |
@@ -27,47 +32,17 @@ python () { | |||
27 | 'RPM-GPG-PUBKEY')) | 32 | 'RPM-GPG-PUBKEY')) |
28 | } | 33 | } |
29 | 34 | ||
30 | |||
31 | def rpmsign_wrapper(d, files, passphrase, gpg_name=None): | ||
32 | import pexpect | ||
33 | |||
34 | # Find the correct rpm binary | ||
35 | rpm_bin_path = d.getVar('STAGING_BINDIR_NATIVE', True) + '/rpm' | ||
36 | cmd = rpm_bin_path + " --addsign --define '_gpg_name %s' " % gpg_name | ||
37 | if d.getVar('GPG_BIN', True): | ||
38 | cmd += "--define '%%__gpg %s' " % d.getVar('GPG_BIN', True) | ||
39 | if d.getVar('GPG_PATH', True): | ||
40 | cmd += "--define '_gpg_path %s' " % d.getVar('GPG_PATH', True) | ||
41 | cmd += ' '.join(files) | ||
42 | |||
43 | # Need to use pexpect for feeding the passphrase | ||
44 | proc = pexpect.spawn(cmd) | ||
45 | try: | ||
46 | proc.expect_exact('Enter pass phrase:', timeout=15) | ||
47 | proc.sendline(passphrase) | ||
48 | proc.expect(pexpect.EOF, timeout=900) | ||
49 | proc.close() | ||
50 | except pexpect.TIMEOUT as err: | ||
51 | bb.warn('rpmsign timeout: %s' % err) | ||
52 | proc.terminate() | ||
53 | else: | ||
54 | if os.WEXITSTATUS(proc.status) or not os.WIFEXITED(proc.status): | ||
55 | bb.warn('rpmsign failed: %s' % proc.before.strip()) | ||
56 | return proc.exitstatus | ||
57 | |||
58 | |||
59 | python sign_rpm () { | 35 | python sign_rpm () { |
60 | import glob | 36 | import glob |
37 | from oe.gpg_sign import get_signer | ||
61 | 38 | ||
62 | with open(d.getVar("RPM_GPG_PASSPHRASE_FILE", True)) as fobj: | 39 | signer = get_signer(d, |
63 | rpm_gpg_passphrase = fobj.readlines()[0].rstrip('\n') | 40 | d.getVar('RPM_GPG_BACKEND', True), |
64 | 41 | d.getVar('RPM_GPG_NAME', True), | |
65 | rpm_gpg_name = (d.getVar("RPM_GPG_NAME", True) or "") | 42 | d.getVar('RPM_GPG_PASSPHRASE_FILE', True)) |
66 | |||
67 | rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*') | 43 | rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*') |
68 | 44 | ||
69 | if rpmsign_wrapper(d, rpms, rpm_gpg_passphrase, rpm_gpg_name) != 0: | 45 | signer.sign_rpms(rpms) |
70 | raise bb.build.FuncFailed("RPM signing failed") | ||
71 | } | 46 | } |
72 | 47 | ||
73 | do_package_index[depends] += "signing-keys:do_export_public_keys" | 48 | do_package_index[depends] += "signing-keys:do_export_public_keys" |