gpg_sign: detach_sign: fix gpg > 2.1 STDIN file descriptor

Starting from v2.1 passing passwords directly to gpg does not work anymore [1], instead a loopback interface must be used otherwise gpg >2.1 will error out with: "gpg: signing failed: Inappropriate ioctl for device" gpg <2.1 does not work with the new --pinentry-mode arg and gives an invalid option error, so we detect what is the running version of gpg and pass it accordingly. [1] https://wiki.archlinux.org/index.php/GnuPG#Unattended_passphrase (From OE-Core rev: 0413bd8e294ca8ac972ac68662b43a981952f5ae) Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> 2016-03-10 12:02:56 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-03-11 16:50:45 +0000
commit: 0b088e0829f0187cd67df97b6825674a5a4087ce (patch)
tree: a0dd9b4180badec6a8187250f2a01d32b1e0e6c3 /meta/lib
parent: 2fccd8aa1c96a6db056e2352b1d5039ce671a102 (diff)
download: poky-0b088e0829f0187cd67df97b6825674a5a4087ce.tar.gz
1 files changed, 16 insertions, 0 deletions
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 059381d5e3..0b5dc20892 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -66,6 +66,13 @@ class LocalSigner(object):
        if armor:
            cmd += ['--armor']
+        #gpg > 2.1 supports password pipes only through the loopback interface
+        #gpg < 2.1 errors out if given unknown parameters
+        dots = self.get_gpg_version().split('.')
+        assert len(dots) >= 2
+        if int(dots[0]) >= 2 and int(dots[1]) >= 1:
+            cmd += ['--pinentry-mode', 'loopback']
        cmd += [input_file]
        try:
@@ -89,6 +96,15 @@ class LocalSigner(object):
            raise Exception("Failed to sign '%s" % input_file)
+    def get_gpg_version(self):
+        """Return the gpg version"""
+        import subprocess
+        try:
+            return subprocess.check_output((self.gpg_bin, "--version")).split()[2]
+        except subprocess.CalledProcessError as e:
+            raise bb.build.FuncFailed("Could not get gpg version: %s" % e)
    def verify(self, sig_file):
        """Verify signature"""
        cmd = self.gpg_bin + " --verify "
author	Ioan-Adrian Ratiu <adrian.ratiu@ni.com>	2016-03-10 12:02:56 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-03-11 16:50:45 +0000
commit	0b088e0829f0187cd67df97b6825674a5a4087ce (patch)
tree	a0dd9b4180badec6a8187250f2a01d32b1e0e6c3 /meta/lib
parent	2fccd8aa1c96a6db056e2352b1d5039ce671a102 (diff)
download	poky-0b088e0829f0187cd67df97b6825674a5a4087ce.tar.gz

diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index 059381d5e3..0b5dc20892 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py
@@ -66,6 +66,13 @@ class LocalSigner(object):
66	if armor:	66	if armor:
67	cmd += ['--armor']	67	cmd += ['--armor']
68		68
		69	#gpg > 2.1 supports password pipes only through the loopback interface
		70	#gpg < 2.1 errors out if given unknown parameters
		71	dots = self.get_gpg_version().split('.')
		72	assert len(dots) >= 2
		73	if int(dots[0]) >= 2 and int(dots[1]) >= 1:
		74	cmd += ['--pinentry-mode', 'loopback']
		75
69	cmd += [input_file]	76	cmd += [input_file]
70		77
71	try:	78	try:
@@ -89,6 +96,15 @@ class LocalSigner(object):
89	raise Exception("Failed to sign '%s" % input_file)	96	raise Exception("Failed to sign '%s" % input_file)
90		97
91		98
		99	def get_gpg_version(self):
		100	"""Return the gpg version"""
		101	import subprocess
		102	try:
		103	return subprocess.check_output((self.gpg_bin, "--version")).split()[2]
		104	except subprocess.CalledProcessError as e:
		105	raise bb.build.FuncFailed("Could not get gpg version: %s" % e)
		106
		107
92	def verify(self, sig_file):	108	def verify(self, sig_file):
93	"""Verify signature"""	109	"""Verify signature"""
94	cmd = self.gpg_bin + " --verify "	110	cmd = self.gpg_bin + " --verify "