authorMarkus Lehtonen <markus.lehtonen@linux.intel.com>2015-08-25 16:48:32 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-09-03 12:43:20 +0100
commit59c7c7bfcb2cf3682526656fd9eba61a022e5a0a (patch)
treeb9bc72a77ea796649145382e4b7a9801f336a470 /meta/lib
parent3983e3ffcc694a5728effa5f5f81010190830606 (diff)
package_manager: support for signed RPM package feeds
This change makes it possible to create GPG signed RPM package feeds - i.e. package feed with GPG signed metadata (repodata). All deployed RPM repositories will be signed and the GPG public key is copied to the rpm deployment directory. In order to enable the new feature one needs to define four variables in bitbake configuration. 1. 'PACKAGE_FEED_SIGN = "1"' enabling the feature 2. 'PACKAGE_FEED_GPG_NAME = "<key_id>"' defining the GPG key to use for signing 3. 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "<path_to_file>"' pointing to a file containing the passphrase for the secret signing key 4. 'PACKAGE_FEED_GPG_PUBKEY = "<path_to_pubkey>"' pointing to the corresponding public key (in "armor" format) The user may define "GPG_BIN" in the bitbake configuration in order to specify a specific gpg binary/wrapper to use for signing. [YOCTO #8134] (From OE-Core rev: a576eea1eb5ed54e2f72d5f7c3e5d6a723382485) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib')
-rw-r--r--meta/lib/oe/package_manager.py25
1 files changed, 24 insertions, 1 deletions
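--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -108,8 +108,17 @@ class RpmIndexer(Indexer):
  archs = archs.union(set(sdk_pkg_archs))
 
  rpm_createrepo = bb.utils.which(os.getenv('PATH'), "createrepo")
+ if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
+ pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME', True)
+ pkgfeed_gpg_pass = self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
+ else:
+ pkgfeed_gpg_name = None
+ pkgfeed_gpg_pass = None
+ gpg_bin = self.d.getVar('GPG_BIN', True) or \
+ bb.utils.which(os.getenv('PATH'), "gpg")
 
  index_cmds = []
+ repo_sign_cmds = []
  rpm_dirs_found = False
  for arch in archs:
  dbpath = os.path.join(self.d.getVar('WORKDIR', True), 'rpmdb', arch)
@@ -121,6 +130,12 @@ class RpmIndexer(Indexer):
 
  index_cmds.append("%s --dbpath %s --update -q %s" % \
  (rpm_createrepo, dbpath, arch_dir))
+ if pkgfeed_gpg_name:
+ repomd_file = os.path.join(arch_dir, 'repodata', 'repomd.xml')
+ gpg_cmd = "%s --detach-sign --armor --batch --no-tty --yes " \
+ "--passphrase-file '%s' -u '%s' %s" % (gpg_bin,
+ pkgfeed_gpg_pass, pkgfeed_gpg_name, repomd_file)
+ repo_sign_cmds.append(gpg_cmd)
 
  rpm_dirs_found = True
 
@@ -132,12 +147,20 @@ class RpmIndexer(Indexer):
  result = oe.utils.multiprocess_exec(index_cmds, create_index)
  if result:
  bb.fatal('%s' % ('\n'.join(result)))
- # Copy pubkey to repo
+ # Sign repomd
+ result = oe.utils.multiprocess_exec(repo_sign_cmds, create_index)
+ if result:
+ bb.fatal('%s' % ('\n'.join(result)))
+ # Copy pubkey(s) to repo
  distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0"
  if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
  shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True),
  os.path.join(self.deploy_dir,
  'RPM-GPG-KEY-%s' % distro_version))
+ if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
+ shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY', True),
+ os.path.join(self.deploy_dir,
+ 'REPODATA-GPG-KEY-%s' % distro_version))
 
 
 class OpkgIndexer(Indexer):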
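Review bot: With PACKAGE_FEED_SIGN set to '1' but PACKAGE_FEED_GPG_NAME unset, the `if pkgfeed_gpg_name:` guard in the second hunk queues no signing command, so the repodata is left unsigned and no error says why, even though the build was configured to sign it. The first hunk should fail closed inside the PACKAGE_FEED_SIGN branch, right after the two getVar calls: `if not pkgfeed_gpg_name or not pkgfeed_gpg_pass: bb.fatal('PACKAGE_FEED_SIGN requires PACKAGE_FEED_GPG_NAME and PACKAGE_FEED_GPG_PASSPHRASE_FILE')`. The gpg command is also assembled as one string, with hand-written single quotes around the passphrase path and key name and none around `gpg_bin` and `repomd_file`. If `create_index` passes that string to a shell (not visible here), a value containing a quote or a space changes the command, so each argument should be shell-quoted. The enclosing method starts outside these hunks.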