summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorIoan-Adrian Ratiu <adrian.ratiu@ni.com>2016-03-10 12:02:55 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-03-11 16:50:45 +0000
commit2fccd8aa1c96a6db056e2352b1d5039ce671a102 (patch)
treef89662a5fa662b8eadd3c7df9da31a620f0c32d0 /meta
parent6bd6a2b6fe0775e6ec75ad70af6231f944fa399c (diff)
downloadpoky-2fccd8aa1c96a6db056e2352b1d5039ce671a102.tar.gz
gpg_sign: add local ipk package signing functionality
Implement ipk signing inside the sign_ipk bbclass using the gpg_sign module and configure signing similar to how rpm does it. sign_ipk uses gpg_sign's detach_sign because its functionality is identical to package feed signing. IPK signing process is a bit different from rpm: - Signatures are stored outside ipk files; opkg connects to a feed server and downloads them to verify a package. - Signatures are of two types (both supported by opkg): binary or ascii armoured. By default we sign using ascii armoured. - Public keys are stored on targets to verify ipks using the opkg-keyrings recipe. (From OE-Core rev: a40f27aa7802e8a0bd87a5417e35adbface62d05) Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/classes/package_ipk.bbclass5
-rw-r--r--meta/classes/sign_ipk.bbclass52
-rw-r--r--meta/lib/oe/gpg_sign.py38
3 files changed, 83 insertions, 12 deletions
diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass
index 51bee2890b..f1ad1d5c17 100644
--- a/meta/classes/package_ipk.bbclass
+++ b/meta/classes/package_ipk.bbclass
@@ -246,6 +246,11 @@ python do_package_ipk () {
246 bb.utils.unlockfile(lf) 246 bb.utils.unlockfile(lf)
247 raise bb.build.FuncFailed("opkg-build execution failed") 247 raise bb.build.FuncFailed("opkg-build execution failed")
248 248
249 if d.getVar('IPK_SIGN_PACKAGES', True) == '1':
250 ipkver = "%s-%s" % (d.getVar('PKGV', True), d.getVar('PKGR', True))
251 ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, d.getVar('PACKAGE_ARCH', True))
252 sign_ipk(d, ipk_to_sign)
253
249 cleanupcontrol(root) 254 cleanupcontrol(root)
250 bb.utils.unlockfile(lf) 255 bb.utils.unlockfile(lf)
251 256
diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass
new file mode 100644
index 0000000000..a481f6d9a8
--- /dev/null
+++ b/meta/classes/sign_ipk.bbclass
@@ -0,0 +1,52 @@
1# Class for generating signed IPK packages.
2#
3# Configuration variables used by this class:
4# IPK_GPG_PASSPHRASE_FILE
5# Path to a file containing the passphrase of the signing key.
6# IPK_GPG_NAME
7# Name of the key to sign with.
8# IPK_GPG_BACKEND
9# Optional variable for specifying the backend to use for signing.
10# Currently the only available option is 'local', i.e. local signing
11# on the build host.
12# IPK_GPG_SIGNATURE_TYPE
13# Optional variable for specifying the type of gpg signatures, can be:
14# 1. Ascii armored (ASC), default if not set
15# 2. Binary (BIN)
16# GPG_BIN
17# Optional variable for specifying the gpg binary/wrapper to use for
18# signing.
19# GPG_PATH
20# Optional variable for specifying the gnupg "home" directory:
21#
22
23inherit sanity
24
25IPK_SIGN_PACKAGES = '1'
26IPK_GPG_BACKEND ?= 'local'
27IPK_GPG_SIGNATURE_TYPE ?= 'ASC'
28
29python () {
30 # Check configuration
31 for var in ('IPK_GPG_NAME', 'IPK_GPG_PASSPHRASE_FILE'):
32 if not d.getVar(var, True):
33 raise_sanity_error("You need to define %s in the config" % var, d)
34
35 sigtype = d.getVar("IPK_GPG_SIGNATURE_TYPE", True)
36 if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
37 raise_sanity_error("Bad value for IPK_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype)
38}
39
40def sign_ipk(d, ipk_to_sign):
41 from oe.gpg_sign import get_signer
42
43 bb.debug(1, 'Signing ipk: %s' % ipk_to_sign)
44
45 signer = get_signer(d, d.getVar('IPK_GPG_BACKEND', True))
46 sig_type = d.getVar('IPK_GPG_SIGNATURE_TYPE', True)
47 is_ascii_sig = (sig_type.upper() != "BIN")
48
49 signer.detach_sign(ipk_to_sign,
50 d.getVar('IPK_GPG_NAME', True),
51 d.getVar('IPK_GPG_PASSPHRASE_FILE', True),
52 armor=is_ascii_sig)
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index ada1b2f408..059381d5e3 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -50,6 +50,7 @@ class LocalSigner(object):
50 bb.error('rpmsign failed: %s' % proc.before.strip()) 50 bb.error('rpmsign failed: %s' % proc.before.strip())
51 raise bb.build.FuncFailed("Failed to sign RPM packages") 51 raise bb.build.FuncFailed("Failed to sign RPM packages")
52 52
53
53 def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True): 54 def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True):
54 """Create a detached signature of a file""" 55 """Create a detached signature of a file"""
55 import subprocess 56 import subprocess
@@ -58,22 +59,35 @@ class LocalSigner(object):
58 raise Exception("You should use either passphrase_file of passphrase, not both") 59 raise Exception("You should use either passphrase_file of passphrase, not both")
59 60
60 cmd = [self.gpg_bin, '--detach-sign', '--batch', '--no-tty', '--yes', 61 cmd = [self.gpg_bin, '--detach-sign', '--batch', '--no-tty', '--yes',
61 '-u', keyid] 62 '--passphrase-fd', '0', '-u', keyid]
62 if passphrase_file: 63
63 cmd += ['--passphrase-file', passphrase_file]
64 else:
65 cmd += ['--passphrase-fd', '0']
66 if self.gpg_path: 64 if self.gpg_path:
67 cmd += ['--homedir', self.gpg_path] 65 cmd += ['--homedir', self.gpg_path]
68 if armor: 66 if armor:
69 cmd += ['--armor'] 67 cmd += ['--armor']
70 cmd.append(input_file) 68
71 job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, 69 cmd += [input_file]
72 stderr=subprocess.PIPE) 70
73 _, stderr = job.communicate(passphrase) 71 try:
74 if job.returncode: 72 if passphrase_file:
75 raise bb.build.FuncFailed("Failed to create signature for '%s': %s" % 73 with open(passphrase_file) as fobj:
76 (input_file, stderr)) 74 passphrase = fobj.readline();
75
76 job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
77 (_, stderr) = job.communicate(passphrase)
78
79 if job.returncode:
80 raise bb.build.FuncFailed("GPG exited with code %d: %s" %
81 (job.returncode, stderr))
82
83 except IOError as e:
84 bb.error("IO error (%s): %s" % (e.errno, e.strerror))
85 raise Exception("Failed to sign '%s'" % input_file)
86
87 except OSError as e:
88 bb.error("OS error (%s): %s" % (e.errno, e.strerror))
89 raise Exception("Failed to sign '%s" % input_file)
90
77 91
78 def verify(self, sig_file): 92 def verify(self, sig_file):
79 """Verify signature""" 93 """Verify signature"""