summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2015-09-03 19:39:07 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-09-06 15:26:27 +0100
commite3feac122b6baa67a6e75a99da6e8834f0f2a7b0 (patch)
tree75df8bd01ccb66fc9c83c938350ce49a6c7bd2d1 /meta
parent3bafddbadf92dd25fb4e224d62e41e9f9c37b72f (diff)
downloadpoky-e3feac122b6baa67a6e75a99da6e8834f0f2a7b0.tar.gz
sstate: implement basic signing/validation
To provide some element of integrity to sstate archives, allow sstate archives to be GPG signed with a specified key (detached signature to a sidecar .sig file), and verify the signatures when sstate archives are unpacked. (From OE-Core rev: 237b6c51b42b0c64434dc45685e10f757ac939c2) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/classes/sstate.bbclass19
1 files changed, 18 insertions, 1 deletions
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index 4e6afef541..77313bcfbc 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -54,6 +54,13 @@ EXTRA_STAGING_FIXMES ?= ""
54 54
55SIGGEN_LOCKEDSIGS_CHECK_LEVEL ?= 'error' 55SIGGEN_LOCKEDSIGS_CHECK_LEVEL ?= 'error'
56 56
57# The GnuPG key ID and passphrase to use to sign sstate archives (or unset to
58# not sign)
59SSTATE_SIG_KEY ?= ""
60SSTATE_SIG_PASSPHRASE ?= ""
61# Whether to verify the GnUPG signatures when extracting sstate archives
62SSTATE_VERIFY_SIG ?= "0"
63
57# Specify dirs in which the shell function is executed and don't use ${B} 64# Specify dirs in which the shell function is executed and don't use ${B}
58# as default dirs to avoid possible race about ${B} with other task. 65# as default dirs to avoid possible race about ${B} with other task.
59sstate_create_package[dirs] = "${SSTATE_BUILDDIR}" 66sstate_create_package[dirs] = "${SSTATE_BUILDDIR}"
@@ -298,6 +305,10 @@ def sstate_installpkg(ss, d):
298 d.setVar('SSTATE_INSTDIR', sstateinst) 305 d.setVar('SSTATE_INSTDIR', sstateinst)
299 d.setVar('SSTATE_PKG', sstatepkg) 306 d.setVar('SSTATE_PKG', sstatepkg)
300 307
308 if bb.utils.to_boolean(d.getVar("SSTATE_VERIFY_SIG", True), False):
309 if subprocess.call(["gpg", "--verify", sstatepkg + ".sig", sstatepkg]) != 0:
310 bb.warn("Cannot verify signature on sstate package %s" % sstatepkg)
311
301 for f in (d.getVar('SSTATEPREINSTFUNCS', True) or '').split() + ['sstate_unpack_package'] + (d.getVar('SSTATEPOSTUNPACKFUNCS', True) or '').split(): 312 for f in (d.getVar('SSTATEPREINSTFUNCS', True) or '').split() + ['sstate_unpack_package'] + (d.getVar('SSTATEPOSTUNPACKFUNCS', True) or '').split():
302 bb.build.exec_func(f, d) 313 bb.build.exec_func(f, d)
303 314
@@ -605,7 +616,8 @@ def pstaging_fetch(sstatefetch, sstatepkg, d):
605 # Try a fetch from the sstate mirror, if it fails just return and 616 # Try a fetch from the sstate mirror, if it fails just return and
606 # we will build the package 617 # we will build the package
607 for srcuri in ['file://{0}'.format(sstatefetch), 618 for srcuri in ['file://{0}'.format(sstatefetch),
608 'file://{0}.siginfo'.format(sstatefetch)]: 619 'file://{0}.siginfo'.format(sstatefetch),
620 'file://{0}.sig'.format(sstatefetch)]:
609 localdata.setVar('SRC_URI', srcuri) 621 localdata.setVar('SRC_URI', srcuri)
610 try: 622 try:
611 fetcher = bb.fetch2.Fetch([srcuri], localdata, cache=False) 623 fetcher = bb.fetch2.Fetch([srcuri], localdata, cache=False)
@@ -665,6 +677,11 @@ sstate_create_package () {
665 chmod 0664 $TFILE 677 chmod 0664 $TFILE
666 mv -f $TFILE ${SSTATE_PKG} 678 mv -f $TFILE ${SSTATE_PKG}
667 679
680 if [ -n "${SSTATE_SIG_KEY}" ]; then
681 rm -f ${SSTATE_PKG}.sig
682 echo ${SSTATE_SIG_PASSPHRASE} | gpg --batch --passphrase-fd 0 --detach-sign --local-user ${SSTATE_SIG_KEY} --output ${SSTATE_PKG}.sig ${SSTATE_PKG}
683 fi
684
668 cd ${WORKDIR} 685 cd ${WORKDIR}
669 rm -rf ${SSTATE_BUILDDIR} 686 rm -rf ${SSTATE_BUILDDIR}
670} 687}