-rw-r--r-- | meta/classes/sign_rpm.bbclass | 9 | ||||
-rw-r--r-- | meta/lib/oe/gpg_sign.py | 24 | ||||
-rw-r--r-- | meta/lib/oe/package_manager.py | 9 | ||||
-rw-r--r-- | meta/recipes-core/meta/signing-keys.bb | 16 |
4 files changed, 25 insertions, 33 deletions
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass index 8bcabeec91..8b59bacd45 100644 --- a/meta/classes/sign_rpm.bbclass +++ b/meta/classes/sign_rpm.bbclass | |||
@@ -36,13 +36,12 @@ python sign_rpm () { | |||
36 | import glob | 36 | import glob |
37 | from oe.gpg_sign import get_signer | 37 | from oe.gpg_sign import get_signer |
38 | 38 | ||
39 | signer = get_signer(d, | 39 | signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True)) |
40 | d.getVar('RPM_GPG_BACKEND', True), | ||
41 | d.getVar('RPM_GPG_NAME', True), | ||
42 | d.getVar('RPM_GPG_PASSPHRASE_FILE', True)) | ||
43 | rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*') | 40 | rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*') |
44 | 41 | ||
45 | signer.sign_rpms(rpms) | 42 | signer.sign_rpms(rpms, |
43 | d.getVar('RPM_GPG_NAME', True), | ||
44 | d.getVar('RPM_GPG_PASSPHRASE_FILE', True)) | ||
46 | } | 45 | } |
47 | 46 | ||
48 | do_package_index[depends] += "signing-keys:do_export_public_keys" | 47 | do_package_index[depends] += "signing-keys:do_export_public_keys" |
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index 16a23645b6..c4cadd6a24 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py | |||
@@ -6,31 +6,29 @@ import oe.utils | |||
6 | 6 | ||
7 | class LocalSigner(object): | 7 | class LocalSigner(object): |
8 | """Class for handling local (on the build host) signing""" | 8 | """Class for handling local (on the build host) signing""" |
9 | def __init__(self, d, keyid, passphrase_file): | 9 | def __init__(self, d): |
10 | self.keyid = keyid | ||
11 | self.passphrase_file = passphrase_file | ||
12 | self.gpg_bin = d.getVar('GPG_BIN', True) or \ | 10 | self.gpg_bin = d.getVar('GPG_BIN', True) or \ |
13 | bb.utils.which(os.getenv('PATH'), 'gpg') | 11 | bb.utils.which(os.getenv('PATH'), 'gpg') |
14 | self.gpg_path = d.getVar('GPG_PATH', True) | 12 | self.gpg_path = d.getVar('GPG_PATH', True) |
15 | self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm") | 13 | self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm") |
16 | 14 | ||
17 | def export_pubkey(self, output_file): | 15 | def export_pubkey(self, output_file, keyid): |
18 | """Export GPG public key to a file""" | 16 | """Export GPG public key to a file""" |
19 | cmd = '%s --batch --yes --export --armor -o %s ' % \ | 17 | cmd = '%s --batch --yes --export --armor -o %s ' % \ |
20 | (self.gpg_bin, output_file) | 18 | (self.gpg_bin, output_file) |
21 | if self.gpg_path: | 19 | if self.gpg_path: |
22 | cmd += "--homedir %s " % self.gpg_path | 20 | cmd += "--homedir %s " % self.gpg_path |
23 | cmd += self.keyid | 21 | cmd += keyid |
24 | status, output = oe.utils.getstatusoutput(cmd) | 22 | status, output = oe.utils.getstatusoutput(cmd) |
25 | if status: | 23 | if status: |
26 | raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' % | 24 | raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' % |
27 | (self.keyid, output)) | 25 | (keyid, output)) |
28 | 26 | ||
29 | def sign_rpms(self, files): | 27 | def sign_rpms(self, files, keyid, passphrase_file): |
30 | """Sign RPM files""" | 28 | """Sign RPM files""" |
31 | import pexpect | 29 | import pexpect |
32 | 30 | ||
33 | cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % self.keyid | 31 | cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid |
34 | if self.gpg_bin: | 32 | if self.gpg_bin: |
35 | cmd += "--define '%%__gpg %s' " % self.gpg_bin | 33 | cmd += "--define '%%__gpg %s' " % self.gpg_bin |
36 | if self.gpg_path: | 34 | if self.gpg_path: |
@@ -41,7 +39,7 @@ class LocalSigner(object): | |||
41 | proc = pexpect.spawn(cmd) | 39 | proc = pexpect.spawn(cmd) |
42 | try: | 40 | try: |
43 | proc.expect_exact('Enter pass phrase:', timeout=15) | 41 | proc.expect_exact('Enter pass phrase:', timeout=15) |
44 | with open(self.passphrase_file) as fobj: | 42 | with open(passphrase_file) as fobj: |
45 | proc.sendline(fobj.readline().rstrip('\n')) | 43 | proc.sendline(fobj.readline().rstrip('\n')) |
46 | proc.expect(pexpect.EOF, timeout=900) | 44 | proc.expect(pexpect.EOF, timeout=900) |
47 | proc.close() | 45 | proc.close() |
@@ -52,11 +50,11 @@ class LocalSigner(object): | |||
52 | bb.error('rpmsign failed: %s' % proc.before.strip()) | 50 | bb.error('rpmsign failed: %s' % proc.before.strip()) |
53 | raise bb.build.FuncFailed("Failed to sign RPM packages") | 51 | raise bb.build.FuncFailed("Failed to sign RPM packages") |
54 | 52 | ||
55 | def detach_sign(self, input_file, armor=True): | 53 | def detach_sign(self, input_file, keyid, passphrase_file, armor=True): |
56 | """Create a detached signature of a file""" | 54 | """Create a detached signature of a file""" |
57 | cmd = "%s --detach-sign --batch --no-tty --yes " \ | 55 | cmd = "%s --detach-sign --batch --no-tty --yes " \ |
58 | "--passphrase-file '%s' -u '%s' " % \ | 56 | "--passphrase-file '%s' -u '%s' " % \ |
59 | (self.gpg_bin, self.passphrase_file, self.keyid) | 57 | (self.gpg_bin, passphrase_file, keyid) |
60 | if self.gpg_path: | 58 | if self.gpg_path: |
61 | cmd += "--homedir %s " % self.gpg_path | 59 | cmd += "--homedir %s " % self.gpg_path |
62 | if armor: | 60 | if armor: |
@@ -78,11 +76,11 @@ class LocalSigner(object): | |||
78 | return ret | 76 | return ret |
79 | 77 | ||
80 | 78 | ||
81 | def get_signer(d, backend, keyid, passphrase_file): | 79 | def get_signer(d, backend): |
82 | """Get signer object for the specified backend""" | 80 | """Get signer object for the specified backend""" |
83 | # Use local signing by default | 81 | # Use local signing by default |
84 | if backend == 'local': | 82 | if backend == 'local': |
85 | return LocalSigner(d, keyid, passphrase_file) | 83 | return LocalSigner(d) |
86 | else: | 84 | else: |
87 | bb.fatal("Unsupported signing backend '%s'" % backend) | 85 | bb.fatal("Unsupported signing backend '%s'" % backend) |
88 | 86 | ||
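Review bot: In export_pubkey the key id is appended to the shell command unquoted (`cmd += keyid`), and `output_file` and the `--homedir` value are interpolated the same way, while detach_sign wraps the key id and passphrase file in single quotes. The string is handed to `oe.utils.getstatusoutput`, which presumably runs it through a shell, so a key name containing spaces or shell metacharacters (for example a `Name <email>` user id) would be split or interpreted instead of reaching gpg as one argument. Now that keyid arrives per call from each caller, quoting at the point of use is the safer contract: `cmd += pipes.quote(keyid)` (`shlex.quote` on Python 3, with the matching import), and the same for the other interpolated values. The docstrings of export_pubkey, sign_rpms and detach_sign should also describe the new keyid and passphrase_file parameters; the bodies of sign_rpms and detach_sign continue outside the visible hunks.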
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py index 26f6466ed1..b30a4da057 100644 --- a/meta/lib/oe/package_manager.py +++ b/meta/lib/oe/package_manager.py | |||
@@ -110,10 +110,7 @@ class RpmIndexer(Indexer): | |||
110 | 110 | ||
111 | rpm_createrepo = bb.utils.which(os.getenv('PATH'), "createrepo") | 111 | rpm_createrepo = bb.utils.which(os.getenv('PATH'), "createrepo") |
112 | if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1': | 112 | if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1': |
113 | signer = get_signer(self.d, | 113 | signer = get_signer(self.d, self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True)) |
114 | self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True), | ||
115 | self.d.getVar('PACKAGE_FEED_GPG_NAME', True), | ||
116 | self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)) | ||
117 | else: | 114 | else: |
118 | signer = None | 115 | signer = None |
119 | index_cmds = [] | 116 | index_cmds = [] |
@@ -144,7 +141,9 @@ class RpmIndexer(Indexer): | |||
144 | # Sign repomd | 141 | # Sign repomd |
145 | if signer: | 142 | if signer: |
146 | for repomd in repomd_files: | 143 | for repomd in repomd_files: |
147 | signer.detach_sign(repomd) | 144 | signer.detach_sign(repomd, |
145 | self.d.getVar('PACKAGE_FEED_GPG_NAME', True), | ||
146 | self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)) | ||
148 | # Copy pubkey(s) to repo | 147 | # Copy pubkey(s) to repo |
149 | distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0" | 148 | distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0" |
150 | if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1': | 149 | if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1': |
diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb index d7aa79d49f..d7763c664e 100644 --- a/meta/recipes-core/meta/signing-keys.bb +++ b/meta/recipes-core/meta/signing-keys.bb | |||
@@ -26,18 +26,14 @@ python do_export_public_keys () { | |||
26 | 26 | ||
27 | if d.getVar("RPM_SIGN_PACKAGES", True): | 27 | if d.getVar("RPM_SIGN_PACKAGES", True): |
28 | # Export public key of the rpm signing key | 28 | # Export public key of the rpm signing key |
29 | signer = get_signer(d, | 29 | signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True)) |
30 | d.getVar('RPM_GPG_BACKEND', True), | 30 | signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True), |
31 | d.getVar('RPM_GPG_NAME', True), | 31 | d.getVar('RPM_GPG_NAME', True)) |
32 | d.getVar('RPM_GPG_PASSPHRASE_FILE', True)) | ||
33 | signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True)) | ||
34 | 32 | ||
35 | if d.getVar('PACKAGE_FEED_SIGN', True) == '1': | 33 | if d.getVar('PACKAGE_FEED_SIGN', True) == '1': |
36 | # Export public key of the feed signing key | 34 | # Export public key of the feed signing key |
37 | signer = get_signer(d, | 35 | signer = get_signer(d, d.getVar('PACKAGE_FEED_GPG_BACKEND', True)) |
38 | d.getVar('PACKAGE_FEED_GPG_BACKEND', True), | 36 | signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True), |
39 | d.getVar('PACKAGE_FEED_GPG_NAME', True), | 37 | d.getVar('PACKAGE_FEED_GPG_NAME', True)) |
40 | d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)) | ||
41 | signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True)) | ||
42 | } | 38 | } |
43 | addtask do_export_public_keys before do_build | 39 | addtask do_export_public_keys before do_build |
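Review bot: The guard `if d.getVar("RPM_SIGN_PACKAGES", True):` is true for any non-empty value, including `0`, whereas the feed branch just below it and the check in package_manager.py compare against `'1'`. With the key id now passed straight to `export_pubkey`, a setting such as RPM_SIGN_PACKAGES = "0" with no RPM_GPG_NAME would hand `None` to `cmd += keyid` and fail with a TypeError rather than skip the export. Suggest `if d.getVar("RPM_SIGN_PACKAGES", True) == '1':` to match the other checks. do_export_public_keys begins above the hunk.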