diff options
| author | Lans Zhang <jia.zhang@windriver.com> | 2017-07-11 12:43:03 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-07-17 14:01:37 +0100 |
| commit | 30ba8b6894fc332651eba1f2451eb5aba23a7251 (patch) | |
| tree | f4d911b60d6b29f17975c1494f8d1754697c58ee /meta | |
| parent | 946a3dae158ed4709915645ba06dc9bab159be34 (diff) | |
| download | poky-30ba8b6894fc332651eba1f2451eb5aba23a7251.tar.gz | |
sign_rpm: support signing files in RPM payload
Currently, RPM4 supports to sign the files in RPM payload with plugin
mechanism. We introduce more definitions to make the file signing
available for the users:
- RPM_FILE_CHECKSUM_DIGEST
Global switch to enable file signing.
- RPM_FSK_PATH
The file signing key.
- RPM_FSK_PASSWORD
The password of file signing key.
- RPM_FILE_CHECKSUM_DIGEST
The file checksum digest.
(From OE-Core rev: 95b9ee33d5595078e90c633f6155ec9ba3d184f0)
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/classes/sign_rpm.bbclass | 20 | ||||
| -rw-r--r-- | meta/lib/oe/gpg_sign.py | 7 |
2 files changed, 25 insertions, 2 deletions
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass index bc2e947107..c49406c74d 100644 --- a/meta/classes/sign_rpm.bbclass +++ b/meta/classes/sign_rpm.bbclass | |||
| @@ -9,6 +9,13 @@ | |||
| 9 | # Optional variable for specifying the backend to use for signing. | 9 | # Optional variable for specifying the backend to use for signing. |
| 10 | # Currently the only available option is 'local', i.e. local signing | 10 | # Currently the only available option is 'local', i.e. local signing |
| 11 | # on the build host. | 11 | # on the build host. |
| 12 | # RPM_FILE_CHECKSUM_DIGEST | ||
| 13 | # Optional variable for specifying the algorithm for generating file | ||
| 14 | # checksum digest. | ||
| 15 | # RPM_FSK_PATH | ||
| 16 | # Optional variable for the file signing key. | ||
| 17 | # RPM_FSK_PASSWORD | ||
| 18 | # Optional variable for the file signing key password. | ||
| 12 | # GPG_BIN | 19 | # GPG_BIN |
| 13 | # Optional variable for specifying the gpg binary/wrapper to use for | 20 | # Optional variable for specifying the gpg binary/wrapper to use for |
| 14 | # signing. | 21 | # signing. |
| @@ -18,7 +25,10 @@ | |||
| 18 | inherit sanity | 25 | inherit sanity |
| 19 | 26 | ||
| 20 | RPM_SIGN_PACKAGES='1' | 27 | RPM_SIGN_PACKAGES='1' |
| 28 | RPM_SIGN_FILES ?= '0' | ||
| 21 | RPM_GPG_BACKEND ?= 'local' | 29 | RPM_GPG_BACKEND ?= 'local' |
| 30 | # SHA-256 is used by default | ||
| 31 | RPM_FILE_CHECKSUM_DIGEST ?= '8' | ||
| 22 | 32 | ||
| 23 | 33 | ||
| 24 | python () { | 34 | python () { |
| @@ -28,6 +38,11 @@ python () { | |||
| 28 | for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE'): | 38 | for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE'): |
| 29 | if not d.getVar(var): | 39 | if not d.getVar(var): |
| 30 | raise_sanity_error("You need to define %s in the config" % var, d) | 40 | raise_sanity_error("You need to define %s in the config" % var, d) |
| 41 | |||
| 42 | if d.getVar('RPM_SIGN_FILES') == '1': | ||
| 43 | for var in ('RPM_FSK_PATH', 'RPM_FSK_PASSWORD'): | ||
| 44 | if not d.getVar(var): | ||
| 45 | raise_sanity_error("You need to define %s in the config" % var, d) | ||
| 31 | } | 46 | } |
| 32 | 47 | ||
| 33 | python sign_rpm () { | 48 | python sign_rpm () { |
| @@ -39,7 +54,10 @@ python sign_rpm () { | |||
| 39 | 54 | ||
| 40 | signer.sign_rpms(rpms, | 55 | signer.sign_rpms(rpms, |
| 41 | d.getVar('RPM_GPG_NAME'), | 56 | d.getVar('RPM_GPG_NAME'), |
| 42 | d.getVar('RPM_GPG_PASSPHRASE')) | 57 | d.getVar('RPM_GPG_PASSPHRASE'), |
| 58 | d.getVar('RPM_FILE_CHECKSUM_DIGEST'), | ||
| 59 | d.getVar('RPM_FSK_PATH'), | ||
| 60 | d.getVar('RPM_FSK_PASSWORD')) | ||
| 43 | } | 61 | } |
| 44 | 62 | ||
| 45 | do_package_index[depends] += "signing-keys:do_deploy" | 63 | do_package_index[depends] += "signing-keys:do_deploy" |
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index c53df54a5b..f4d8b10e4b 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py | |||
| @@ -27,7 +27,7 @@ class LocalSigner(object): | |||
| 27 | raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' % | 27 | raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' % |
| 28 | (keyid, output)) | 28 | (keyid, output)) |
| 29 | 29 | ||
| 30 | def sign_rpms(self, files, keyid, passphrase): | 30 | def sign_rpms(self, files, keyid, passphrase, digest, fsk=None, fsk_password=None): |
| 31 | """Sign RPM files""" | 31 | """Sign RPM files""" |
| 32 | 32 | ||
| 33 | cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid | 33 | cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid |
| @@ -35,10 +35,15 @@ class LocalSigner(object): | |||
| 35 | if self.gpg_version > (2,1,): | 35 | if self.gpg_version > (2,1,): |
| 36 | gpg_args += ' --pinentry-mode=loopback' | 36 | gpg_args += ' --pinentry-mode=loopback' |
| 37 | cmd += "--define '_gpg_sign_cmd_extra_args %s' " % gpg_args | 37 | cmd += "--define '_gpg_sign_cmd_extra_args %s' " % gpg_args |
| 38 | cmd += "--define '_binary_filedigest_algorithm %s' " % digest | ||
| 38 | if self.gpg_bin: | 39 | if self.gpg_bin: |
| 39 | cmd += "--define '__gpg %s' " % self.gpg_bin | 40 | cmd += "--define '__gpg %s' " % self.gpg_bin |
| 40 | if self.gpg_path: | 41 | if self.gpg_path: |
| 41 | cmd += "--define '_gpg_path %s' " % self.gpg_path | 42 | cmd += "--define '_gpg_path %s' " % self.gpg_path |
| 43 | if fsk: | ||
| 44 | cmd += "--signfiles --fskpath %s " % fsk | ||
| 45 | if fsk_password: | ||
| 46 | cmd += "--define '_file_signing_key_password %s' " % fsk_password | ||
| 42 | 47 | ||
| 43 | # Sign in chunks of 100 packages | 48 | # Sign in chunks of 100 packages |
| 44 | for i in range(0, len(files), 100): | 49 | for i in range(0, len(files), 100): |