summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/rpm
diff options
context:
space:
mode:
authorMark Hatle <mark.hatle@windriver.com>2016-02-25 09:49:57 -0600
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-03-09 17:00:28 +0000
commit6833c5d77b99ab3f07945ba8e0bbe03df3dc317c (patch)
tree6881c031f89db00b6a28ca5f69a6cf2078e1d909 /meta/recipes-devtools/rpm
parent59a4d99c20af0ef60513eab5928c40b03903e5e8 (diff)
downloadpoky-6833c5d77b99ab3f07945ba8e0bbe03df3dc317c.tar.gz
rpm: Enable specific crypto and digest settings via variables
Allow the user to set the specific digest and non-repudiable signature algorithms. This should be done on a distribution wide basis. See recipe for exact instructions, but values are now set using: RPM_FILE_DIGEST_ALGO (default 1 - md5) RPM_SELF_SIGN_ALGO (default DSA) Also, change the PACKAGECONFIG to define the default crypto engine for RPM5. Not just the available crypto engines. If a crypto engine is not selected, the system will default to the internal beecrypt version. (From OE-Core rev: 2f6529d9dc8aa82eb5bdcccec9c69d93dad63505) Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/rpm')
-rw-r--r--meta/recipes-devtools/rpm/rpm_5.4+cvs.bb81
-rw-r--r--meta/recipes-devtools/rpm/rpm_5.4.16.bb81
2 files changed, 152 insertions, 10 deletions
diff --git a/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb b/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
index 62526fde5f..e35ddbe910 100644
--- a/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
+++ b/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
@@ -168,6 +168,68 @@ rpm_macros_class-nativesdk = "%{_usrlibrpm}/macros:%{_usrlibrpm}/${DISTRO}/macro
168 168
169# sqlite lua tcl augeas nss gcrypt neon xz xar keyutils perl selinux 169# sqlite lua tcl augeas nss gcrypt neon xz xar keyutils perl selinux
170 170
171# Set the digest algorithm used for verifying file integrity
172# If this value changes, and two different packages have different values
173# the "same file" validation (two packages have a non-conflict file)
174# will fail. This may lead to upgrade problems. You should treat this
175# value as a distribution wide setting, and only change it when you intend
176# a full system upgrade!
177#
178# Defined file digest algorithm values (note: not all are available!):
179# 1 MD5 (legacy RPM default)
180# 2 SHA1
181# 3 RIPEMD-160
182# 5 MD2
183# 6 TIGER-192
184# 8 SHA256
185# 9 SHA384
186# 10 SHA512
187# 11 SHA224
188# 104 MD4
189# 105 RIPEMD-128
190# 106 CRC-32
191# 107 ADLER-32
192# 108 CRC-64 (ECMA-182 polynomial, untested uint64_t problems)
193# 109 Jenkins lookup3.c hashlittle()
194# 111 RIPEMD-256
195# 112 RIPEMD-320
196# 188 BLAKE2B
197# 189 BLAKE2BP
198# 190 BLAKE2S
199# 191 BLAKE2SP
200RPM_FILE_DIGEST_ALGO ?= "1"
201
202# All packages build with RPM5 contain a non-repudiable signature.
203# The purpose of this signature is not to show authenticity of a package,
204# but instead act as a secondary package wide validation that shows it
205# wasn't damaged by accident in transport. (When later you sign the package,
206# this signature may or may not be replaced as there are three signature
207# slots, one for DSA/RSA, one for ECSDA, and one reserved.)
208#
209# There is a known issue w/ RSA signatures that if they start with an 0x00
210# the signing and validation may fail.
211#
212# The following is the list of choices for the non-rpudiable signature
213# (note: not all of these are implemented):
214# DSA (default)
215# RSA (implies SHA1)
216# ECDSA (implies SHA256)
217# DSA/SHA1
218# DSA/SHA224
219# DSA/SHA256
220# DSA/SHA384
221# DSA/SHA512
222# RSA/SHA1
223# RSA/SHA224
224# RSA/SHA256
225# RSA/SHA384
226# RSA/SHA512
227# ECDSA/SHA224 (using NIST P-224)
228# ECDSA/SHA256 (using NIST P-256)
229# ECDSA/SHA384 (using NIST P-384)
230# ECDSA/SHA512 (using NIST P-521)
231RPM_SELF_SIGN_ALGO ?= "DSA"
232
171# Note: perl and sqlite w/o db specified does not currently work. 233# Note: perl and sqlite w/o db specified does not currently work.
172# tcl, augeas, nss, gcrypt, xar and keyutils support is untested. 234# tcl, augeas, nss, gcrypt, xar and keyutils support is untested.
173PACKAGECONFIG ??= "db bzip2 zlib popt openssl libelf python" 235PACKAGECONFIG ??= "db bzip2 zlib popt openssl libelf python"
@@ -203,10 +265,17 @@ PACKAGECONFIG[db] = "${WITH_DB},--without-db,db,"
203 265
204PACKAGECONFIG[sqlite] = "--with-sqlite,--without-sqlite,sqlite3," 266PACKAGECONFIG[sqlite] = "--with-sqlite,--without-sqlite,sqlite3,"
205 267
268# This switch simply disables external beecrypt, RPM5 always uses beecrypt
269# for base64 processing and various digest algorithms.
270# Beecrypt is only the preferred crypto engine if it's the only engine enabled.
206PACKAGECONFIG[beecrypt] = "--with-beecrypt=external,--with-beecrypt=internal,beecrypt," 271PACKAGECONFIG[beecrypt] = "--with-beecrypt=external,--with-beecrypt=internal,beecrypt,"
207PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl," 272
208PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss," 273# --with-usecrypto= setting defined the item as the preferred system
209PACKAGECONFIG[gcrypt] = "--with-gcrypt,--without-gcrypt,gcrypt," 274# crypto engine, which will take priority over the included beecrypt
275PACKAGECONFIG[openssl] = "--with-openssl --with-usecrypto=openssl,--without-openssl,openssl,"
276PACKAGECONFIG[nss] = "--with-nss --with-usecrypto=nss,--without-nss,nss,"
277PACKAGECONFIG[gcrypt] = "--with-gcrypt --with-usecrypto=gcrypt,--without-gcrypt,gcrypt,"
278
210PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils," 279PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils,"
211PACKAGECONFIG[libelf] = "--with-libelf,--without-libelf,elfutils," 280PACKAGECONFIG[libelf] = "--with-libelf,--without-libelf,elfutils,"
212 281
@@ -450,8 +519,10 @@ do_configure() {
450} 519}
451 520
452do_install_append() { 521do_install_append() {
453 # Preserve the previous default of DSA self-signed pkgs 522 # Configure -distribution wide- package crypto settings
454 sed -i -e 's,%_build_sign.*,%_build_sign DSA,' ${D}/${libdir}/rpm/macros.rpmbuild 523 # If these change, effectively all packages have to be upgraded!
524 sed -i -e 's,%_build_file_digest_algo.*,%_build_sign ${RPM_FILE_DIGEST_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
525 sed -i -e 's,%_build_sign.*,%_build_sign ${RPM_SELF_SIGN_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
455 526
456 sed -i -e 's,%__scriptlet_requires,#%%__scriptlet_requires,' ${D}/${libdir}/rpm/macros 527 sed -i -e 's,%__scriptlet_requires,#%%__scriptlet_requires,' ${D}/${libdir}/rpm/macros
457 sed -i -e 's,%__perl_provides,#%%__perl_provides,' ${D}/${libdir}/rpm/macros ${D}/${libdir}/rpm/macros.d/* 528 sed -i -e 's,%__perl_provides,#%%__perl_provides,' ${D}/${libdir}/rpm/macros ${D}/${libdir}/rpm/macros.d/*
diff --git a/meta/recipes-devtools/rpm/rpm_5.4.16.bb b/meta/recipes-devtools/rpm/rpm_5.4.16.bb
index 142706f30c..c961bac5dc 100644
--- a/meta/recipes-devtools/rpm/rpm_5.4.16.bb
+++ b/meta/recipes-devtools/rpm/rpm_5.4.16.bb
@@ -173,6 +173,68 @@ rpm_macros_class-nativesdk = "%{_usrlibrpm}/macros:%{_usrlibrpm}/${DISTRO}/macro
173 173
174# sqlite lua tcl augeas nss gcrypt neon xz xar keyutils perl selinux 174# sqlite lua tcl augeas nss gcrypt neon xz xar keyutils perl selinux
175 175
176# Set the digest algorithm used for verifying file integrity
177# If this value changes, and two different packages have different values
178# the "same file" validation (two packages have a non-conflict file)
179# will fail. This may lead to upgrade problems. You should treat this
180# value as a distribution wide setting, and only change it when you intend
181# a full system upgrade!
182#
183# Defined file digest algorithm values (note: not all are available!):
184# 1 MD5 (legacy RPM default)
185# 2 SHA1
186# 3 RIPEMD-160
187# 5 MD2
188# 6 TIGER-192
189# 8 SHA256
190# 9 SHA384
191# 10 SHA512
192# 11 SHA224
193# 104 MD4
194# 105 RIPEMD-128
195# 106 CRC-32
196# 107 ADLER-32
197# 108 CRC-64 (ECMA-182 polynomial, untested uint64_t problems)
198# 109 Jenkins lookup3.c hashlittle()
199# 111 RIPEMD-256
200# 112 RIPEMD-320
201# 188 BLAKE2B
202# 189 BLAKE2BP
203# 190 BLAKE2S
204# 191 BLAKE2SP
205RPM_FILE_DIGEST_ALGO ?= "1"
206
207# All packages build with RPM5 contain a non-repudiable signature.
208# The purpose of this signature is not to show authenticity of a package,
209# but instead act as a secondary package wide validation that shows it
210# wasn't damaged by accident in transport. (When later you sign the package,
211# this signature may or may not be replaced as there are three signature
212# slots, one for DSA/RSA, one for ECSDA, and one reserved.)
213#
214# There is a known issue w/ RSA signatures that if they start with an 0x00
215# the signing and validation may fail.
216#
217# The following is the list of choices for the non-rpudiable signature
218# (note: not all of these are implemented):
219# DSA (default)
220# RSA (implies SHA1)
221# ECDSA (implies SHA256)
222# DSA/SHA1
223# DSA/SHA224
224# DSA/SHA256
225# DSA/SHA384
226# DSA/SHA512
227# RSA/SHA1
228# RSA/SHA224
229# RSA/SHA256
230# RSA/SHA384
231# RSA/SHA512
232# ECDSA/SHA224 (using NIST P-224)
233# ECDSA/SHA256 (using NIST P-256)
234# ECDSA/SHA384 (using NIST P-384)
235# ECDSA/SHA512 (using NIST P-521)
236RPM_SELF_SIGN_ALGO ?= "DSA"
237
176# Note: perl and sqlite w/o db specified does not currently work. 238# Note: perl and sqlite w/o db specified does not currently work.
177# tcl, augeas, nss, gcrypt, xar and keyutils support is untested. 239# tcl, augeas, nss, gcrypt, xar and keyutils support is untested.
178PACKAGECONFIG ??= "db bzip2 zlib popt openssl libelf python" 240PACKAGECONFIG ??= "db bzip2 zlib popt openssl libelf python"
@@ -208,10 +270,17 @@ PACKAGECONFIG[db] = "${WITH_DB},--without-db,db,"
208 270
209PACKAGECONFIG[sqlite] = "--with-sqlite,--without-sqlite,sqlite3," 271PACKAGECONFIG[sqlite] = "--with-sqlite,--without-sqlite,sqlite3,"
210 272
273# This switch simply disables external beecrypt, RPM5 always uses beecrypt
274# for base64 processing and various digest algorithms.
275# Beecrypt is only the preferred crypto engine if it's the only engine enabled.
211PACKAGECONFIG[beecrypt] = "--with-beecrypt=external,--with-beecrypt=internal,beecrypt," 276PACKAGECONFIG[beecrypt] = "--with-beecrypt=external,--with-beecrypt=internal,beecrypt,"
212PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl," 277
213PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss," 278# --with-usecrypto= setting defined the item as the preferred system
214PACKAGECONFIG[gcrypt] = "--with-gcrypt,--without-gcrypt,gcrypt," 279# crypto engine, which will take priority over the included beecrypt
280PACKAGECONFIG[openssl] = "--with-openssl --with-usecrypto=openssl,--without-openssl,openssl,"
281PACKAGECONFIG[nss] = "--with-nss --with-usecrypto=nss,--without-nss,nss,"
282PACKAGECONFIG[gcrypt] = "--with-gcrypt --with-usecrypto=gcrypt,--without-gcrypt,gcrypt,"
283
215PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils," 284PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils,"
216PACKAGECONFIG[libelf] = "--with-libelf,--without-libelf,elfutils," 285PACKAGECONFIG[libelf] = "--with-libelf,--without-libelf,elfutils,"
217 286
@@ -455,8 +524,10 @@ do_configure() {
455} 524}
456 525
457do_install_append() { 526do_install_append() {
458 # Preserve the previous default of DSA self-signed pkgs 527 # Configure -distribution wide- package crypto settings
459 sed -i -e 's,%_build_sign.*,%_build_sign DSA,' ${D}/${libdir}/rpm/macros.rpmbuild 528 # If these change, effectively all packages have to be upgraded!
529 sed -i -e 's,%_build_file_digest_algo.*,%_build_sign ${RPM_FILE_DIGEST_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
530 sed -i -e 's,%_build_sign.*,%_build_sign ${RPM_SELF_SIGN_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
460 531
461 sed -i -e 's,%__scriptlet_requires,#%%__scriptlet_requires,' ${D}/${libdir}/rpm/macros 532 sed -i -e 's,%__scriptlet_requires,#%%__scriptlet_requires,' ${D}/${libdir}/rpm/macros
462 sed -i -e 's,%__perl_provides,#%%__perl_provides,' ${D}/${libdir}/rpm/macros ${D}/${libdir}/rpm/macros.d/* 533 sed -i -e 's,%__perl_provides,#%%__perl_provides,' ${D}/${libdir}/rpm/macros ${D}/${libdir}/rpm/macros.d/*