rpm: Enable specific crypto and digest settings via variables

Allow the user to set the specific digest and non-repudiable signature algorithms. This should be done on a distribution wide basis. See recipe for exact instructions, but values are now set using: RPM_FILE_DIGEST_ALGO (default 1 - md5) RPM_SELF_SIGN_ALGO (default DSA) Also, change the PACKAGECONFIG to define the default crypto engine for RPM5. Not just the available crypto engines. If a crypto engine is not selected, the system will default to the internal beecrypt version. (From OE-Core rev: 2f6529d9dc8aa82eb5bdcccec9c69d93dad63505) Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Mark Hatle <mark.hatle@windriver.com> 2016-02-25 09:49:57 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-03-09 17:00:28 +0000
commit: 6833c5d77b99ab3f07945ba8e0bbe03df3dc317c (patch)
tree: 6881c031f89db00b6a28ca5f69a6cf2078e1d909 /meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
parent: 59a4d99c20af0ef60513eab5928c40b03903e5e8 (diff)
download: poky-6833c5d77b99ab3f07945ba8e0bbe03df3dc317c.tar.gz
1 files changed, 76 insertions, 5 deletions
diff --git a/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb b/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
index 62526fde5f..e35ddbe910 100644
--- a/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
+++ b/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
@@ -168,6 +168,68 @@ rpm_macros_class-nativesdk = "%{_usrlibrpm}/macros:%{_usrlibrpm}/${DISTRO}/macro
 # sqlite lua tcl augeas nss gcrypt neon xz xar keyutils perl selinux
+# Set the digest algorithm used for verifying file integrity
+# If this value changes, and two different packages have different values
+# the "same file" validation (two packages have a non-conflict file)
+# will fail.  This may lead to upgrade problems.  You should treat this
+# value as a distribution wide setting, and only change it when you intend
+# a full system upgrade!
+#
+# Defined file digest algorithm values (note: not all are available!):
+#       1       MD5 (legacy RPM default)
+#       2       SHA1
+#       3       RIPEMD-160
+#       5       MD2
+#       6       TIGER-192
+#       8       SHA256
+#       9       SHA384
+#       10      SHA512
+#       11      SHA224
+#       104     MD4
+#       105     RIPEMD-128
+#       106     CRC-32
+#       107     ADLER-32
+#       108     CRC-64 (ECMA-182 polynomial, untested uint64_t problems)
+#       109     Jenkins lookup3.c hashlittle()
+#       111     RIPEMD-256
+#       112     RIPEMD-320
+#       188     BLAKE2B
+#       189     BLAKE2BP
+#       190     BLAKE2S
+#       191     BLAKE2SP
+RPM_FILE_DIGEST_ALGO ?= "1"
+# All packages build with RPM5 contain a non-repudiable signature.
+# The purpose of this signature is not to show authenticity of a package,
+# but instead act as a secondary package wide validation that shows it
+# wasn't damaged by accident in transport.  (When later you sign the package, 
+# this signature may or may not be replaced as there are three signature 
+# slots, one for DSA/RSA, one for ECSDA, and one reserved.)
+#
+# There is a known issue w/ RSA signatures that if they start with an 0x00
+# the signing and validation may fail.
+#
+# The following is the list of choices for the non-rpudiable signature
+# (note: not all of these are implemented):
+#       DSA             (default)
+#       RSA             (implies SHA1)
+#       ECDSA           (implies SHA256)
+#       DSA/SHA1
+#       DSA/SHA224
+#       DSA/SHA256
+#       DSA/SHA384
+#       DSA/SHA512
+#       RSA/SHA1
+#       RSA/SHA224
+#       RSA/SHA256
+#       RSA/SHA384
+#       RSA/SHA512
+#       ECDSA/SHA224    (using NIST P-224)
+#       ECDSA/SHA256    (using NIST P-256)
+#       ECDSA/SHA384    (using NIST P-384)
+#       ECDSA/SHA512    (using NIST P-521)
+RPM_SELF_SIGN_ALGO ?= "DSA"
 # Note: perl and sqlite w/o db specified does not currently work.
 #       tcl, augeas, nss, gcrypt, xar and keyutils support is untested.
 PACKAGECONFIG ??= "db bzip2 zlib popt openssl libelf python"
@@ -203,10 +265,17 @@ PACKAGECONFIG[db] = "${WITH_DB},--without-db,db,"
 PACKAGECONFIG[sqlite] = "--with-sqlite,--without-sqlite,sqlite3,"
+# This switch simply disables external beecrypt, RPM5 always uses beecrypt
+# for base64 processing and various digest algorithms.
+# Beecrypt is only the preferred crypto engine if it's the only engine enabled.
 PACKAGECONFIG[beecrypt] = "--with-beecrypt=external,--with-beecrypt=internal,beecrypt,"
-PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl,"
-PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss,"
+# --with-usecrypto= setting defined the item as the preferred system
-PACKAGECONFIG[gcrypt] = "--with-gcrypt,--without-gcrypt,gcrypt,"
+# crypto engine, which will take priority over the included beecrypt
+PACKAGECONFIG[openssl] = "--with-openssl --with-usecrypto=openssl,--without-openssl,openssl,"
+PACKAGECONFIG[nss] = "--with-nss --with-usecrypto=nss,--without-nss,nss,"
+PACKAGECONFIG[gcrypt] = "--with-gcrypt --with-usecrypto=gcrypt,--without-gcrypt,gcrypt,"
 PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils,"
 PACKAGECONFIG[libelf] = "--with-libelf,--without-libelf,elfutils,"
@@ -450,8 +519,10 @@ do_configure() {
 }
 do_install_append() {
-        # Preserve the previous default of DSA self-signed pkgs
+        # Configure -distribution wide- package crypto settings
-        sed -i -e 's,%_build_sign.*,%_build_sign DSA,' ${D}/${libdir}/rpm/macros.rpmbuild
+        # If these change, effectively all packages have to be upgraded!
+        sed -i -e 's,%_build_file_digest_algo.*,%_build_sign ${RPM_FILE_DIGEST_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
+        sed -i -e 's,%_build_sign.*,%_build_sign ${RPM_SELF_SIGN_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
        sed -i -e 's,%__scriptlet_requires,#%%__scriptlet_requires,' ${D}/${libdir}/rpm/macros
        sed -i -e 's,%__perl_provides,#%%__perl_provides,' ${D}/${libdir}/rpm/macros ${D}/${libdir}/rpm/macros.d/*
author	Mark Hatle <mark.hatle@windriver.com>	2016-02-25 09:49:57 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-03-09 17:00:28 +0000
commit	6833c5d77b99ab3f07945ba8e0bbe03df3dc317c (patch)
tree	6881c031f89db00b6a28ca5f69a6cf2078e1d909 /meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
parent	59a4d99c20af0ef60513eab5928c40b03903e5e8 (diff)
download	poky-6833c5d77b99ab3f07945ba8e0bbe03df3dc317c.tar.gz

diff --git a/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb b/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb index 62526fde5f..e35ddbe910 100644 --- a/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb +++ b/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
@@ -168,6 +168,68 @@ rpm_macros_class-nativesdk = "%{_usrlibrpm}/macros:%{_usrlibrpm}/${DISTRO}/macro
168		168
169	# sqlite lua tcl augeas nss gcrypt neon xz xar keyutils perl selinux	169	# sqlite lua tcl augeas nss gcrypt neon xz xar keyutils perl selinux
170		170
		171	# Set the digest algorithm used for verifying file integrity
		172	# If this value changes, and two different packages have different values
		173	# the "same file" validation (two packages have a non-conflict file)
		174	# will fail. This may lead to upgrade problems. You should treat this
		175	# value as a distribution wide setting, and only change it when you intend
		176	# a full system upgrade!
		177	#
		178	# Defined file digest algorithm values (note: not all are available!):
		179	# 1 MD5 (legacy RPM default)
		180	# 2 SHA1
		181	# 3 RIPEMD-160
		182	# 5 MD2
		183	# 6 TIGER-192
		184	# 8 SHA256
		185	# 9 SHA384
		186	# 10 SHA512
		187	# 11 SHA224
		188	# 104 MD4
		189	# 105 RIPEMD-128
		190	# 106 CRC-32
		191	# 107 ADLER-32
		192	# 108 CRC-64 (ECMA-182 polynomial, untested uint64_t problems)
		193	# 109 Jenkins lookup3.c hashlittle()
		194	# 111 RIPEMD-256
		195	# 112 RIPEMD-320
		196	# 188 BLAKE2B
		197	# 189 BLAKE2BP
		198	# 190 BLAKE2S
		199	# 191 BLAKE2SP
		200	RPM_FILE_DIGEST_ALGO ?= "1"
		201
		202	# All packages build with RPM5 contain a non-repudiable signature.
		203	# The purpose of this signature is not to show authenticity of a package,
		204	# but instead act as a secondary package wide validation that shows it
		205	# wasn't damaged by accident in transport. (When later you sign the package,
		206	# this signature may or may not be replaced as there are three signature
		207	# slots, one for DSA/RSA, one for ECSDA, and one reserved.)
		208	#
		209	# There is a known issue w/ RSA signatures that if they start with an 0x00
		210	# the signing and validation may fail.
		211	#
		212	# The following is the list of choices for the non-rpudiable signature
		213	# (note: not all of these are implemented):
		214	# DSA (default)
		215	# RSA (implies SHA1)
		216	# ECDSA (implies SHA256)
		217	# DSA/SHA1
		218	# DSA/SHA224
		219	# DSA/SHA256
		220	# DSA/SHA384
		221	# DSA/SHA512
		222	# RSA/SHA1
		223	# RSA/SHA224
		224	# RSA/SHA256
		225	# RSA/SHA384
		226	# RSA/SHA512
		227	# ECDSA/SHA224 (using NIST P-224)
		228	# ECDSA/SHA256 (using NIST P-256)
		229	# ECDSA/SHA384 (using NIST P-384)
		230	# ECDSA/SHA512 (using NIST P-521)
		231	RPM_SELF_SIGN_ALGO ?= "DSA"
		232
171	# Note: perl and sqlite w/o db specified does not currently work.	233	# Note: perl and sqlite w/o db specified does not currently work.
172	# tcl, augeas, nss, gcrypt, xar and keyutils support is untested.	234	# tcl, augeas, nss, gcrypt, xar and keyutils support is untested.
173	PACKAGECONFIG ??= "db bzip2 zlib popt openssl libelf python"	235	PACKAGECONFIG ??= "db bzip2 zlib popt openssl libelf python"
@@ -203,10 +265,17 @@ PACKAGECONFIG[db] = "${WITH_DB},--without-db,db,"
203		265
204	PACKAGECONFIG[sqlite] = "--with-sqlite,--without-sqlite,sqlite3,"	266	PACKAGECONFIG[sqlite] = "--with-sqlite,--without-sqlite,sqlite3,"
205		267
		268	# This switch simply disables external beecrypt, RPM5 always uses beecrypt
		269	# for base64 processing and various digest algorithms.
		270	# Beecrypt is only the preferred crypto engine if it's the only engine enabled.
206	PACKAGECONFIG[beecrypt] = "--with-beecrypt=external,--with-beecrypt=internal,beecrypt,"	271	PACKAGECONFIG[beecrypt] = "--with-beecrypt=external,--with-beecrypt=internal,beecrypt,"
207	PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl,"	272
208	PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss,"	273	# --with-usecrypto= setting defined the item as the preferred system
209	PACKAGECONFIG[gcrypt] = "--with-gcrypt,--without-gcrypt,gcrypt,"	274	# crypto engine, which will take priority over the included beecrypt
		275	PACKAGECONFIG[openssl] = "--with-openssl --with-usecrypto=openssl,--without-openssl,openssl,"
		276	PACKAGECONFIG[nss] = "--with-nss --with-usecrypto=nss,--without-nss,nss,"
		277	PACKAGECONFIG[gcrypt] = "--with-gcrypt --with-usecrypto=gcrypt,--without-gcrypt,gcrypt,"
		278
210	PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils,"	279	PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils,"
211	PACKAGECONFIG[libelf] = "--with-libelf,--without-libelf,elfutils,"	280	PACKAGECONFIG[libelf] = "--with-libelf,--without-libelf,elfutils,"
212		281
@@ -450,8 +519,10 @@ do_configure() {
450	}	519	}
451		520
452	do_install_append() {	521	do_install_append() {
453	# Preserve the previous default of DSA self-signed pkgs	522	# Configure -distribution wide- package crypto settings
454	sed -i -e 's,%_build_sign.*,%_build_sign DSA,' ${D}/${libdir}/rpm/macros.rpmbuild	523	# If these change, effectively all packages have to be upgraded!
		524	sed -i -e 's,%_build_file_digest_algo.*,%_build_sign ${RPM_FILE_DIGEST_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
		525	sed -i -e 's,%_build_sign.*,%_build_sign ${RPM_SELF_SIGN_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
455		526
456	sed -i -e 's,%__scriptlet_requires,#%%__scriptlet_requires,' ${D}/${libdir}/rpm/macros	527	sed -i -e 's,%__scriptlet_requires,#%%__scriptlet_requires,' ${D}/${libdir}/rpm/macros
457	sed -i -e 's,%__perl_provides,#%%__perl_provides,' ${D}/${libdir}/rpm/macros ${D}/${libdir}/rpm/macros.d/*	528	sed -i -e 's,%__perl_provides,#%%__perl_provides,' ${D}/${libdir}/rpm/macros ${D}/${libdir}/rpm/macros.d/*