author | Mark Hatle <mark.hatle@windriver.com> | 2016-02-25 09:49:57 -0600 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-03-09 17:00:28 +0000 |
commit | 6833c5d77b99ab3f07945ba8e0bbe03df3dc317c (patch) | |
tree | 6881c031f89db00b6a28ca5f69a6cf2078e1d909 /meta | |
parent | 59a4d99c20af0ef60513eab5928c40b03903e5e8 (diff) | |
rpm: Enable specific crypto and digest settings via variables
Allow the user to set the specific digest and non-repudiable signature
algorithms. This should be done on a distribution wide basis.
See recipe for exact instructions, but values are now set using:
RPM_FILE_DIGEST_ALGO (default 1 - md5)
RPM_SELF_SIGN_ALGO (default DSA)
Also, change the PACKAGECONFIG to define the default crypto engine for
RPM5, not just the available crypto engines. If a crypto engine is not
selected, the system will default to the internal beecrypt version.
(From OE-Core rev: 2f6529d9dc8aa82eb5bdcccec9c69d93dad63505)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/rpm/rpm_5.4+cvs.bb | 81 | ||||
-rw-r--r-- | meta/recipes-devtools/rpm/rpm_5.4.16.bb | 81 |
2 files changed, 152 insertions, 10 deletions
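--- a/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
+++ b/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
@@ -168,6 +168,68 @@ rpm_macros_class-nativesdk = "%{_usrlibrpm}/macros:%{_usrlibrpm}/${DISTRO}/macro
 
 # sqlite lua tcl augeas nss gcrypt neon xz xar keyutils perl selinux
 
+# Set the digest algorithm used for verifying file integrity
+# If this value changes, and two different packages have different values
+# the "same file" validation (two packages have a non-conflict file)
+# will fail. This may lead to upgrade problems. You should treat this
+# value as a distribution wide setting, and only change it when you intend
+# a full system upgrade!
+#
+# Defined file digest algorithm values (note: not all are available!):
+# 1 MD5 (legacy RPM default)
+# 2 SHA1
+# 3 RIPEMD-160
+# 5 MD2
+# 6 TIGER-192
+# 8 SHA256
+# 9 SHA384
+# 10 SHA512
+# 11 SHA224
+# 104 MD4
+# 105 RIPEMD-128
+# 106 CRC-32
+# 107 ADLER-32
+# 108 CRC-64 (ECMA-182 polynomial, untested uint64_t problems)
+# 109 Jenkins lookup3.c hashlittle()
+# 111 RIPEMD-256
+# 112 RIPEMD-320
+# 188 BLAKE2B
+# 189 BLAKE2BP
+# 190 BLAKE2S
+# 191 BLAKE2SP
+RPM_FILE_DIGEST_ALGO ?= "1"
+
+# All packages build with RPM5 contain a non-repudiable signature.
+# The purpose of this signature is not to show authenticity of a package,
+# but instead act as a secondary package wide validation that shows it
+# wasn't damaged by accident in transport. (When later you sign the package,
+# this signature may or may not be replaced as there are three signature
+# slots, one for DSA/RSA, one for ECSDA, and one reserved.)
+#
+# There is a known issue w/ RSA signatures that if they start with an 0x00
+# the signing and validation may fail.
+#
+# The following is the list of choices for the non-rpudiable signature
+# (note: not all of these are implemented):
+# DSA (default)
+# RSA (implies SHA1)
+# ECDSA (implies SHA256)
+# DSA/SHA1
+# DSA/SHA224
+# DSA/SHA256
+# DSA/SHA384
+# DSA/SHA512
+# RSA/SHA1
+# RSA/SHA224
+# RSA/SHA256
+# RSA/SHA384
+# RSA/SHA512
+# ECDSA/SHA224 (using NIST P-224)
+# ECDSA/SHA256 (using NIST P-256)
+# ECDSA/SHA384 (using NIST P-384)
+# ECDSA/SHA512 (using NIST P-521)
+RPM_SELF_SIGN_ALGO ?= "DSA"
+
 # Note: perl and sqlite w/o db specified does not currently work.
 # tcl, augeas, nss, gcrypt, xar and keyutils support is untested.
 PACKAGECONFIG ??= "db bzip2 zlib popt openssl libelf python"
@@ -203,10 +265,17 @@ PACKAGECONFIG[db] = "${WITH_DB},--without-db,db,"
 
 PACKAGECONFIG[sqlite] = "--with-sqlite,--without-sqlite,sqlite3,"
 
+# This switch simply disables external beecrypt, RPM5 always uses beecrypt
+# for base64 processing and various digest algorithms.
+# Beecrypt is only the preferred crypto engine if it's the only engine enabled.
 PACKAGECONFIG[beecrypt] = "--with-beecrypt=external,--with-beecrypt=internal,beecrypt,"
-PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl,"
-PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss,"
-PACKAGECONFIG[gcrypt] = "--with-gcrypt,--without-gcrypt,gcrypt,"
+
+# --with-usecrypto= setting defined the item as the preferred system
+# crypto engine, which will take priority over the included beecrypt
+PACKAGECONFIG[openssl] = "--with-openssl --with-usecrypto=openssl,--without-openssl,openssl,"
+PACKAGECONFIG[nss] = "--with-nss --with-usecrypto=nss,--without-nss,nss,"
+PACKAGECONFIG[gcrypt] = "--with-gcrypt --with-usecrypto=gcrypt,--without-gcrypt,gcrypt,"
+
 PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils,"
 PACKAGECONFIG[libelf] = "--with-libelf,--without-libelf,elfutils,"
 
@@ -450,8 +519,10 @@ do_configure() {
 }
 
 do_install_append() {
-# Preserve the previous default of DSA self-signed pkgs
-sed -i -e 's,%_build_sign.*,%_build_sign DSA,' ${D}/${libdir}/rpm/macros.rpmbuild
+# Configure -distribution wide- package crypto settings
+# If these change, effectively all packages have to be upgraded!
+sed -i -e 's,%_build_file_digest_algo.*,%_build_sign ${RPM_FILE_DIGEST_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
+sed -i -e 's,%_build_sign.*,%_build_sign ${RPM_SELF_SIGN_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
 
 sed -i -e 's,%__scriptlet_requires,#%%__scriptlet_requires,' ${D}/${libdir}/rpm/macros
 sed -i -e 's,%__perl_provides,#%%__perl_provides,' ${D}/${libdir}/rpm/macros ${D}/${libdir}/rpm/macros.d/*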
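Review bot: The first added `sed` in do_install_append (new line 524) matches `%_build_file_digest_algo.*` but writes `%_build_sign ${RPM_FILE_DIGEST_ALGO}` as the replacement, so the file-digest macro line becomes a second `%_build_sign` line that the next `sed` then rewrites, and RPM_FILE_DIGEST_ALGO never reaches macros.rpmbuild. The replacement should keep the macro name: `sed -i -e 's,%_build_file_digest_algo.*,%_build_file_digest_algo ${RPM_FILE_DIGEST_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild`. As written, a distribution that selects a stronger digest presumably still builds packages with whatever default rpm falls back to, and nothing in the build reports it. The same line is added at new line 529 of rpm_5.4.16.bb. do_install_append continues past the end of the hunk.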
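--- a/meta/recipes-devtools/rpm/rpm_5.4.16.bb
+++ b/meta/recipes-devtools/rpm/rpm_5.4.16.bb
@@ -173,6 +173,68 @@ rpm_macros_class-nativesdk = "%{_usrlibrpm}/macros:%{_usrlibrpm}/${DISTRO}/macro
 
 # sqlite lua tcl augeas nss gcrypt neon xz xar keyutils perl selinux
 
+# Set the digest algorithm used for verifying file integrity
+# If this value changes, and two different packages have different values
+# the "same file" validation (two packages have a non-conflict file)
+# will fail. This may lead to upgrade problems. You should treat this
+# value as a distribution wide setting, and only change it when you intend
+# a full system upgrade!
+#
+# Defined file digest algorithm values (note: not all are available!):
+# 1 MD5 (legacy RPM default)
+# 2 SHA1
+# 3 RIPEMD-160
+# 5 MD2
+# 6 TIGER-192
+# 8 SHA256
+# 9 SHA384
+# 10 SHA512
+# 11 SHA224
+# 104 MD4
+# 105 RIPEMD-128
+# 106 CRC-32
+# 107 ADLER-32
+# 108 CRC-64 (ECMA-182 polynomial, untested uint64_t problems)
+# 109 Jenkins lookup3.c hashlittle()
+# 111 RIPEMD-256
+# 112 RIPEMD-320
+# 188 BLAKE2B
+# 189 BLAKE2BP
+# 190 BLAKE2S
+# 191 BLAKE2SP
+RPM_FILE_DIGEST_ALGO ?= "1"
+
+# All packages build with RPM5 contain a non-repudiable signature.
+# The purpose of this signature is not to show authenticity of a package,
+# but instead act as a secondary package wide validation that shows it
+# wasn't damaged by accident in transport. (When later you sign the package,
+# this signature may or may not be replaced as there are three signature
+# slots, one for DSA/RSA, one for ECSDA, and one reserved.)
+#
+# There is a known issue w/ RSA signatures that if they start with an 0x00
+# the signing and validation may fail.
+#
+# The following is the list of choices for the non-rpudiable signature
+# (note: not all of these are implemented):
+# DSA (default)
+# RSA (implies SHA1)
+# ECDSA (implies SHA256)
+# DSA/SHA1
+# DSA/SHA224
+# DSA/SHA256
+# DSA/SHA384
+# DSA/SHA512
+# RSA/SHA1
+# RSA/SHA224
+# RSA/SHA256
+# RSA/SHA384
+# RSA/SHA512
+# ECDSA/SHA224 (using NIST P-224)
+# ECDSA/SHA256 (using NIST P-256)
+# ECDSA/SHA384 (using NIST P-384)
+# ECDSA/SHA512 (using NIST P-521)
+RPM_SELF_SIGN_ALGO ?= "DSA"
+
 # Note: perl and sqlite w/o db specified does not currently work.
 # tcl, augeas, nss, gcrypt, xar and keyutils support is untested.
 PACKAGECONFIG ??= "db bzip2 zlib popt openssl libelf python"
@@ -208,10 +270,17 @@ PACKAGECONFIG[db] = "${WITH_DB},--without-db,db,"
 
 PACKAGECONFIG[sqlite] = "--with-sqlite,--without-sqlite,sqlite3,"
 
+# This switch simply disables external beecrypt, RPM5 always uses beecrypt
+# for base64 processing and various digest algorithms.
+# Beecrypt is only the preferred crypto engine if it's the only engine enabled.
 PACKAGECONFIG[beecrypt] = "--with-beecrypt=external,--with-beecrypt=internal,beecrypt,"
-PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl,"
-PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss,"
-PACKAGECONFIG[gcrypt] = "--with-gcrypt,--without-gcrypt,gcrypt,"
+
+# --with-usecrypto= setting defined the item as the preferred system
+# crypto engine, which will take priority over the included beecrypt
+PACKAGECONFIG[openssl] = "--with-openssl --with-usecrypto=openssl,--without-openssl,openssl,"
+PACKAGECONFIG[nss] = "--with-nss --with-usecrypto=nss,--without-nss,nss,"
+PACKAGECONFIG[gcrypt] = "--with-gcrypt --with-usecrypto=gcrypt,--without-gcrypt,gcrypt,"
+
 PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils,"
 PACKAGECONFIG[libelf] = "--with-libelf,--without-libelf,elfutils,"
 
@@ -455,8 +524,10 @@ do_configure() {
 }
 
 do_install_append() {
-# Preserve the previous default of DSA self-signed pkgs
-sed -i -e 's,%_build_sign.*,%_build_sign DSA,' ${D}/${libdir}/rpm/macros.rpmbuild
+# Configure -distribution wide- package crypto settings
+# If these change, effectively all packages have to be upgraded!
+sed -i -e 's,%_build_file_digest_algo.*,%_build_sign ${RPM_FILE_DIGEST_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
+sed -i -e 's,%_build_sign.*,%_build_sign ${RPM_SELF_SIGN_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
 
 sed -i -e 's,%__scriptlet_requires,#%%__scriptlet_requires,' ${D}/${libdir}/rpm/macros
 sed -i -e 's,%__perl_provides,#%%__perl_provides,' ${D}/${libdir}/rpm/macros ${D}/${libdir}/rpm/macros.d/*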
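Review bot: The value table above `RPM_FILE_DIGEST_ALGO ?= "1"` (new lines 183-204) lists MD5, MD2, MD4, SHA1, CRC-32, ADLER-32, CRC-64 and the Jenkins hash next to SHA-2 and BLAKE2 without saying which of them resist deliberate collisions, even though the comment describes the digest as the one used for verifying file integrity. I would add one line after the table, for example `# Values 1, 2, 5, 104 and 106-109 offer no collision resistance; use 8 (SHA256) or another SHA-2/BLAKE2 value when the digest must detect tampering, not just corruption.` Keeping "1" as the default for compatibility is reasonable, but the comment should say that it is a compatibility choice and not a recommendation. The same table is added to rpm_5.4+cvs.bb.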