diff options
| author | Alexander Kanavin <alexander.kanavin@linux.intel.com> | 2018-01-10 14:27:42 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-01-11 10:26:07 +0000 |
| commit | 0f49d9182f9a6204399c0946b9e9ae64ad3c0838 (patch) | |
| tree | 2776060ece2f57e90c308c88c1f5aa62749d7629 /meta/classes | |
| parent | 0a732a9c66ffe33e9bf11757acb3ae599219a89f (diff) | |
| download | poky-0f49d9182f9a6204399c0946b9e9ae64ad3c0838.tar.gz | |
gnupg: use native version for signing, rather than one provided by host
Using host gpg has been problematic, and particularly this removes
the need to serialize package creation, as long as --auto-expand-secmem
is passed to gpg-agent, and gnupg >= 2.2.4 is in use
(https://dev.gnupg.org/T3530).
Sadly, gpg-agent itself is single-threaded, so in the longer run
we might want to seek alternatives:
https://lwn.net/Articles/742542/
(a smaller issue is that rpm itself runs the gpg fronted in a serial
fashion, which slows down the build in cases of recipes with very
large amount of packages, e.g. glibc-locale)
Note that sstate signing and verification continues to use host
gpg, as depending on native gpg would create circular dependencies.
[YOCTO #12022]
(From OE-Core rev: 08fef6198122fe79d4c1213f9a64b862162ed6cd)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes')
| -rw-r--r-- | meta/classes/sign_package_feed.bbclass | 2 | ||||
| -rw-r--r-- | meta/classes/sign_rpm.bbclass | 6 |
2 files changed, 2 insertions, 6 deletions
diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass index f03c4802d0..7ff3a35a2f 100644 --- a/meta/classes/sign_package_feed.bbclass +++ b/meta/classes/sign_package_feed.bbclass | |||
| @@ -43,4 +43,4 @@ python () { | |||
| 43 | } | 43 | } |
| 44 | 44 | ||
| 45 | do_package_index[depends] += "signing-keys:do_deploy" | 45 | do_package_index[depends] += "signing-keys:do_deploy" |
| 46 | do_rootfs[depends] += "signing-keys:do_populate_sysroot" | 46 | do_rootfs[depends] += "signing-keys:do_populate_sysroot gnupg-native:do_populate_sysroot" |
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass index 4961b03618..64ae7ce30e 100644 --- a/meta/classes/sign_rpm.bbclass +++ b/meta/classes/sign_rpm.bbclass | |||
| @@ -68,8 +68,4 @@ python sign_rpm () { | |||
| 68 | do_package_index[depends] += "signing-keys:do_deploy" | 68 | do_package_index[depends] += "signing-keys:do_deploy" |
| 69 | do_rootfs[depends] += "signing-keys:do_populate_sysroot" | 69 | do_rootfs[depends] += "signing-keys:do_populate_sysroot" |
| 70 | 70 | ||
| 71 | # Newer versions of gpg (at least 2.1.5 and 2.2.1) have issues when signing occurs in parallel | 71 | PACKAGE_WRITE_DEPS += "gnupg-native" |
| 72 | # so unfortunately the signing must be done serially. Once the upstream problem is fixed, | ||
| 73 | # the following line must be removed otherwise we loose all the intrinsic parallelism from | ||
| 74 | # bitbake. For more information, check https://bugzilla.yoctoproject.org/show_bug.cgi?id=12022. | ||
| 75 | do_package_write_rpm[lockfiles] += "${TMPDIR}/gpg.lock" | ||