diff options
author | Markus Lehtonen <markus.lehtonen@linux.intel.com> | 2015-10-16 13:37:32 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-10-27 07:24:25 +0000 |
commit | 787253fd4efcd18d46b3bcf794e3d54a93ef9f19 (patch) | |
tree | 6df91b6462ed8abd0eef94ad0f6f896eecc6e695 /meta | |
parent | 579e2547b857e2973c5fff3b14066ea4d79b1268 (diff) | |
download | poky-787253fd4efcd18d46b3bcf794e3d54a93ef9f19.tar.gz |
package signing: automatically export public keys
Automatically export public key(s) of the signing key(s) from the gpg
keyring. Adds a new simple recipe that does the actual task of exporting
the keys. This patch makes the RPM_GPG_PUBKEY and PACKAGE_FEED_GPG
PUBKEY settings obsolete.
(From OE-Core rev: 23b30c34581948e1ea02c25cbf7b9194d7e49fb8)
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/classes/sign_package_feed.bbclass | 7 | ||||
-rw-r--r-- | meta/classes/sign_rpm.bbclass | 9 | ||||
-rw-r--r-- | meta/recipes-core/meta/signing-keys.bb | 45 | ||||
-rw-r--r-- | meta/recipes-core/os-release/os-release.bb | 1 |
4 files changed, 59 insertions, 3 deletions
diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass index 8877d905f7..4263810028 100644 --- a/meta/classes/sign_package_feed.bbclass +++ b/meta/classes/sign_package_feed.bbclass | |||
@@ -21,4 +21,11 @@ python () { | |||
21 | for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'): | 21 | for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'): |
22 | if not d.getVar(var, True): | 22 | if not d.getVar(var, True): |
23 | raise_sanity_error("You need to define %s in the config" % var, d) | 23 | raise_sanity_error("You need to define %s in the config" % var, d) |
24 | |||
25 | # Set expected location of the public key | ||
26 | d.setVar('PACKAGE_FEED_GPG_PUBKEY', | ||
27 | os.path.join(d.getVar('STAGING_ETCDIR_NATIVE'), | ||
28 | 'PACKAGE-FEED-GPG-PUBKEY')) | ||
24 | } | 29 | } |
30 | |||
31 | do_package_index[depends] += "signing-keys:do_export_public_keys" | ||
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass index 4da17633a7..f0c3dc9be3 100644 --- a/meta/classes/sign_rpm.bbclass +++ b/meta/classes/sign_rpm.bbclass | |||
@@ -5,9 +5,6 @@ | |||
5 | # Path to a file containing the passphrase of the signing key. | 5 | # Path to a file containing the passphrase of the signing key. |
6 | # RPM_GPG_NAME | 6 | # RPM_GPG_NAME |
7 | # Name of the key to sign with. May be key id or key name. | 7 | # Name of the key to sign with. May be key id or key name. |
8 | # RPM_GPG_PUBKEY | ||
9 | # Path to a file containing the public key (in "armor" format) | ||
10 | # corresponding the signing key. | ||
11 | # GPG_BIN | 8 | # GPG_BIN |
12 | # Optional variable for specifying the gpg binary/wrapper to use for | 9 | # Optional variable for specifying the gpg binary/wrapper to use for |
13 | # signing. | 10 | # signing. |
@@ -24,6 +21,10 @@ python () { | |||
24 | for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE_FILE'): | 21 | for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE_FILE'): |
25 | if not d.getVar(var, True): | 22 | if not d.getVar(var, True): |
26 | raise_sanity_error("You need to define %s in the config" % var, d) | 23 | raise_sanity_error("You need to define %s in the config" % var, d) |
24 | |||
25 | # Set the expected location of the public key | ||
26 | d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_ETCDIR_NATIVE'), | ||
27 | 'RPM-GPG-PUBKEY')) | ||
27 | } | 28 | } |
28 | 29 | ||
29 | 30 | ||
@@ -68,3 +69,5 @@ python sign_rpm () { | |||
68 | if rpmsign_wrapper(d, rpms, rpm_gpg_passphrase, rpm_gpg_name) != 0: | 69 | if rpmsign_wrapper(d, rpms, rpm_gpg_passphrase, rpm_gpg_name) != 0: |
69 | raise bb.build.FuncFailed("RPM signing failed") | 70 | raise bb.build.FuncFailed("RPM signing failed") |
70 | } | 71 | } |
72 | |||
73 | do_package_index[depends] += "signing-keys:do_export_public_keys" | ||
diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb new file mode 100644 index 0000000000..cc401f3b6c --- /dev/null +++ b/meta/recipes-core/meta/signing-keys.bb | |||
@@ -0,0 +1,45 @@ | |||
1 | # Copyright (C) 2015 Intel Corporation | ||
2 | # Released under the MIT license (see COPYING.MIT for the terms) | ||
3 | |||
4 | DESCRIPTION = "Make public keys of the signing keys available" | ||
5 | LICENSE = "MIT" | ||
6 | PACKAGES = "" | ||
7 | |||
8 | do_fetch[noexec] = "1" | ||
9 | do_unpack[noexec] = "1" | ||
10 | do_patch[noexec] = "1" | ||
11 | do_configure[noexec] = "1" | ||
12 | do_compile[noexec] = "1" | ||
13 | do_install[noexec] = "1" | ||
14 | do_package[noexec] = "1" | ||
15 | do_packagedata[noexec] = "1" | ||
16 | do_package_write_ipk[noexec] = "1" | ||
17 | do_package_write_rpm[noexec] = "1" | ||
18 | do_package_write_deb[noexec] = "1" | ||
19 | do_populate_sysroot[noexec] = "1" | ||
20 | |||
21 | EXCLUDE_FROM_WORLD = "1" | ||
22 | |||
23 | def export_gpg_pubkey(d, keyid, path): | ||
24 | import bb | ||
25 | gpg_bin = d.getVar('GPG_BIN', True) or \ | ||
26 | bb.utils.which(os.getenv('PATH'), "gpg") | ||
27 | cmd = '%s --batch --yes --export --armor -o %s %s' % \ | ||
28 | (gpg_bin, path, keyid) | ||
29 | status, output = oe.utils.getstatusoutput(cmd) | ||
30 | if status: | ||
31 | raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' % | ||
32 | (keyid, output)) | ||
33 | |||
34 | python do_export_public_keys () { | ||
35 | if d.getVar("RPM_SIGN_PACKAGES", True): | ||
36 | # Export public key of the rpm signing key | ||
37 | export_gpg_pubkey(d, d.getVar("RPM_GPG_NAME", True), | ||
38 | d.getVar('RPM_GPG_PUBKEY', True)) | ||
39 | |||
40 | if d.getVar('PACKAGE_FEED_SIGN', True) == '1': | ||
41 | # Export public key of the feed signing key | ||
42 | export_gpg_pubkey(d, d.getVar("PACKAGE_FEED_GPG_NAME", True), | ||
43 | d.getVar('PACKAGE_FEED_GPG_PUBKEY', True)) | ||
44 | } | ||
45 | addtask do_export_public_keys before do_build | ||
diff --git a/meta/recipes-core/os-release/os-release.bb b/meta/recipes-core/os-release/os-release.bb index db827602f3..c690b82b2e 100644 --- a/meta/recipes-core/os-release/os-release.bb +++ b/meta/recipes-core/os-release/os-release.bb | |||
@@ -37,6 +37,7 @@ python do_compile () { | |||
37 | shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version)) | 37 | shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version)) |
38 | } | 38 | } |
39 | do_compile[vardeps] += "${OS_RELEASE_FIELDS}" | 39 | do_compile[vardeps] += "${OS_RELEASE_FIELDS}" |
40 | do_compile[depends] += "signing-keys:do_export_public_keys" | ||
40 | 41 | ||
41 | do_install () { | 42 | do_install () { |
42 | install -d ${D}${sysconfdir} | 43 | install -d ${D}${sysconfdir} |