summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorRandy Witt <randy.e.witt@linux.intel.com>2016-02-19 08:45:25 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-02-26 17:16:25 +0000
commit7bb9e8ddbfabfbaebe1b3cb635b6d9979854cc47 (patch)
tree2255b9e26f87d9aab9c92fe9f76d44f2ef421e8f /meta
parent64ab17b707dc431aaed880d6d8615971243f46f8 (diff)
downloadpoky-7bb9e8ddbfabfbaebe1b3cb635b6d9979854cc47.tar.gz
signing-keys: Make signing keys the only publisher of keys
Previously the keys were put into the os-release package. The package indexing code was also deploying the keys rather than only using the keys. This change makes signing-keys.bb the only publisher of the keys and also uses standard tasks that already have sstate. (From OE-Core rev: 1e38068ac38dfd067655dfd41464e28439179306) Signed-off-by: Randy Witt <randy.e.witt@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/classes/sign_package_feed.bbclass9
-rw-r--r--meta/classes/sign_rpm.bbclass11
-rw-r--r--meta/lib/oe/package_manager.py10
-rw-r--r--meta/recipes-core/meta/signing-keys.bb61
-rw-r--r--meta/recipes-core/os-release/os-release.bb11
5 files changed, 52 insertions, 50 deletions
diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass
index 63ca02fd9d..e1ec82e2ff 100644
--- a/meta/classes/sign_package_feed.bbclass
+++ b/meta/classes/sign_package_feed.bbclass
@@ -27,12 +27,7 @@ python () {
27 for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'): 27 for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'):
28 if not d.getVar(var, True): 28 if not d.getVar(var, True):
29 raise_sanity_error("You need to define %s in the config" % var, d) 29 raise_sanity_error("You need to define %s in the config" % var, d)
30
31 # Set expected location of the public key
32 d.setVar('PACKAGE_FEED_GPG_PUBKEY',
33 os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
34 'PACKAGE-FEED-GPG-PUBKEY'))
35} 30}
36 31
37do_package_index[depends] += "signing-keys:do_export_public_keys" 32do_package_index[depends] += "signing-keys:do_deploy"
38do_rootfs[depends] += "signing-keys:do_export_public_keys" 33do_rootfs[depends] += "signing-keys:do_populate_sysroot"
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
index 8b59bacd45..c21e3f09af 100644
--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -28,8 +28,11 @@ python () {
28 raise_sanity_error("You need to define %s in the config" % var, d) 28 raise_sanity_error("You need to define %s in the config" % var, d)
29 29
30 # Set the expected location of the public key 30 # Set the expected location of the public key
31 d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False), 31 d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_DIR_TARGET', False),
32 'RPM-GPG-PUBKEY')) 32 d.getVar('sysconfdir', False),
33 'pki',
34 'rpm-gpg',
35 'RPM-GPG-KEY-${DISTRO_VERSION}'))
33} 36}
34 37
35python sign_rpm () { 38python sign_rpm () {
@@ -44,5 +47,5 @@ python sign_rpm () {
44 d.getVar('RPM_GPG_PASSPHRASE_FILE', True)) 47 d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
45} 48}
46 49
47do_package_index[depends] += "signing-keys:do_export_public_keys" 50do_package_index[depends] += "signing-keys:do_deploy"
48do_rootfs[depends] += "signing-keys:do_export_public_keys" 51do_rootfs[depends] += "signing-keys:do_populate_sysroot"
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index b30a4da057..5cd43e9b1d 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -144,16 +144,6 @@ class RpmIndexer(Indexer):
144 signer.detach_sign(repomd, 144 signer.detach_sign(repomd,
145 self.d.getVar('PACKAGE_FEED_GPG_NAME', True), 145 self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
146 self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)) 146 self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
147 # Copy pubkey(s) to repo
148 distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0"
149 if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
150 shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True),
151 os.path.join(self.deploy_dir,
152 'RPM-GPG-KEY-%s' % distro_version))
153 if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
154 shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY', True),
155 os.path.join(self.deploy_dir,
156 'REPODATA-GPG-KEY-%s' % distro_version))
157 147
158 148
159class OpkgIndexer(Indexer): 149class OpkgIndexer(Indexer):
diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb
index d7763c664e..1d0e8344ef 100644
--- a/meta/recipes-core/meta/signing-keys.bb
+++ b/meta/recipes-core/meta/signing-keys.bb
@@ -3,37 +3,62 @@
3 3
4DESCRIPTION = "Make public keys of the signing keys available" 4DESCRIPTION = "Make public keys of the signing keys available"
5LICENSE = "MIT" 5LICENSE = "MIT"
6PACKAGES = "" 6LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
7 7 file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
8do_fetch[noexec] = "1" 8
9do_unpack[noexec] = "1" 9
10do_patch[noexec] = "1" 10inherit allarch deploy
11do_configure[noexec] = "1"
12do_compile[noexec] = "1"
13do_install[noexec] = "1"
14do_package[noexec] = "1"
15do_packagedata[noexec] = "1"
16do_package_write_ipk[noexec] = "1"
17do_package_write_rpm[noexec] = "1"
18do_package_write_deb[noexec] = "1"
19do_populate_sysroot[noexec] = "1"
20 11
21EXCLUDE_FROM_WORLD = "1" 12EXCLUDE_FROM_WORLD = "1"
13INHIBIT_DEFAULT_DEPS = "1"
14
15PACKAGES =+ "${PN}-rpm ${PN}-packagefeed"
22 16
17FILES_${PN}-rpm = "${sysconfdir}/pki/rpm-gpg"
18FILES_${PN}-packagefeed = "${sysconfdir}/pki/packagefeed-gpg"
23 19
24python do_export_public_keys () { 20python do_get_public_keys () {
25 from oe.gpg_sign import get_signer 21 from oe.gpg_sign import get_signer
26 22
27 if d.getVar("RPM_SIGN_PACKAGES", True): 23 if d.getVar("RPM_SIGN_PACKAGES", True):
28 # Export public key of the rpm signing key 24 # Export public key of the rpm signing key
29 signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True)) 25 signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True))
30 signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True), 26 signer.export_pubkey(os.path.join(d.expand('${B}'), 'rpm-key'),
31 d.getVar('RPM_GPG_NAME', True)) 27 d.getVar('RPM_GPG_NAME', True))
32 28
33 if d.getVar('PACKAGE_FEED_SIGN', True) == '1': 29 if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
34 # Export public key of the feed signing key 30 # Export public key of the feed signing key
35 signer = get_signer(d, d.getVar('PACKAGE_FEED_GPG_BACKEND', True)) 31 signer = get_signer(d, d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
36 signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True), 32 signer.export_pubkey(os.path.join(d.expand('${B}'), 'pf-key'),
37 d.getVar('PACKAGE_FEED_GPG_NAME', True)) 33 d.getVar('PACKAGE_FEED_GPG_NAME', True))
38} 34}
39addtask do_export_public_keys before do_build 35do_get_public_keys[cleandirs] = "${B}"
36addtask get_public_keys before do_install
37
38do_install () {
39 if [ -f "${B}/rpm-key" ]; then
40 install -D -m 0644 "${B}/rpm-key" "${D}${sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-${DISTRO_VERSION}"
41 fi
42 if [ -f "${B}/pf-key" ]; then
43 install -D -m 0644 "${B}/pf-key" "${D}${sysconfdir}/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-${DISTRO_VERSION}"
44 fi
45}
46
47sysroot_stage_all_append () {
48 sysroot_stage_dir ${D}${sysconfdir}/pki ${SYSROOT_DESTDIR}${sysconfdir}/pki
49}
50
51do_deploy () {
52 if [ -f "${B}/rpm-key" ]; then
53 install -D -m 0644 "${B}/rpm-key" "${DEPLOYDIR}/RPM-GPG-KEY-${DISTRO_VERSION}"
54 fi
55 if [ -f "${B}/pf-key" ]; then
56 install -D -m 0644 "${B}/pf-key" "${DEPLOYDIR}/PACKAGEFEED-GPG-KEY-${DISTRO_VERSION}"
57 fi
58}
59do_deploy[sstate-outputdirs] = "${DEPLOY_DIR_RPM}"
60# cleandirs should possibly be in deploy.bbclass but we need it
61do_deploy[cleandirs] = "${DEPLOYDIR}"
62# clear stamp-extra-info since MACHINE is normally put there by deploy.bbclass
63do_deploy[stamp-extra-info] = ""
64addtask deploy after do_get_public_keys
diff --git a/meta/recipes-core/os-release/os-release.bb b/meta/recipes-core/os-release/os-release.bb
index df19ca216f..58364ea249 100644
--- a/meta/recipes-core/os-release/os-release.bb
+++ b/meta/recipes-core/os-release/os-release.bb
@@ -30,21 +30,10 @@ python do_compile () {
30 value = d.getVar(field, True) 30 value = d.getVar(field, True)
31 if value: 31 if value:
32 f.write('{0}="{1}"\n'.format(field, value)) 32 f.write('{0}="{1}"\n'.format(field, value))
33 if d.getVar('RPM_SIGN_PACKAGES', True) == '1':
34 rpm_gpg_pubkey = d.getVar('RPM_GPG_PUBKEY', True)
35 bb.utils.mkdirhier('${B}/rpm-gpg')
36 distro_version = d.getVar('DISTRO_VERSION', True) or "oe.0"
37 shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version))
38} 33}
39do_compile[vardeps] += "${OS_RELEASE_FIELDS}" 34do_compile[vardeps] += "${OS_RELEASE_FIELDS}"
40do_compile[depends] += "signing-keys:do_export_public_keys"
41 35
42do_install () { 36do_install () {
43 install -d ${D}${sysconfdir} 37 install -d ${D}${sysconfdir}
44 install -m 0644 os-release ${D}${sysconfdir}/ 38 install -m 0644 os-release ${D}${sysconfdir}/
45
46 if [ -d "rpm-gpg" ]; then
47 install -d "${D}${sysconfdir}/pki"
48 cp -r "rpm-gpg" "${D}${sysconfdir}/pki/"
49 fi
50} 39}