| -rw-r--r-- | meta/classes/sign_rpm.bbclass | 20 | ||||
| -rw-r--r-- | meta/lib/oe/gpg_sign.py | 7 |
2 files changed, 25 insertions, 2 deletions
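--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -9,6 +9,13 @@
 # Optional variable for specifying the backend to use for signing.
 # Currently the only available option is 'local', i.e. local signing
 # on the build host.
+# RPM_FILE_CHECKSUM_DIGEST
+# Optional variable for specifying the algorithm for generating file
+# checksum digest.
+# RPM_FSK_PATH
+# Optional variable for the file signing key.
+# RPM_FSK_PASSWORD
+# Optional variable for the file signing key password.
 # GPG_BIN
 # Optional variable for specifying the gpg binary/wrapper to use for
 # signing.
@@ -18,7 +25,10 @@
 inherit sanity
 
 RPM_SIGN_PACKAGES='1'
+RPM_SIGN_FILES ?= '0'
 RPM_GPG_BACKEND ?= 'local'
+# SHA-256 is used by default
+RPM_FILE_CHECKSUM_DIGEST ?= '8'
 
 
 python () {
@@ -28,6 +38,11 @@ python () {
 for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE'):
 if not d.getVar(var):
 raise_sanity_error("You need to define %s in the config" % var, d)
+
+if d.getVar('RPM_SIGN_FILES') == '1':
+for var in ('RPM_FSK_PATH', 'RPM_FSK_PASSWORD'):
+if not d.getVar(var):
+raise_sanity_error("You need to define %s in the config" % var, d)
 }
 
 python sign_rpm () {
@@ -39,7 +54,10 @@ python sign_rpm () {
 
 signer.sign_rpms(rpms,
 d.getVar('RPM_GPG_NAME'),
-d.getVar('RPM_GPG_PASSPHRASE'))
+d.getVar('RPM_GPG_PASSPHRASE'),
+d.getVar('RPM_FILE_CHECKSUM_DIGEST'),
+d.getVar('RPM_FSK_PATH'),
+d.getVar('RPM_FSK_PASSWORD'))
 }
 
 do_package_index[depends] += "signing-keys:do_deploy"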
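Review bot: RPM_SIGN_FILES gates only the sanity check in the anonymous python function; the sign_rpm call passes `d.getVar('RPM_FSK_PATH')` and `d.getVar('RPM_FSK_PASSWORD')` unconditionally, and the gpg_sign.py part of this commit adds `--signfiles` whenever the path is non-empty. A configuration with RPM_FSK_PATH set and RPM_SIGN_FILES left at '0' would therefore still sign files, without the check that a password is defined. Passing the key only when the switch is on keeps the two in step, e.g. `d.getVar('RPM_FSK_PATH') if d.getVar('RPM_SIGN_FILES') == '1' else None`, and likewise for the password. RPM_SIGN_FILES is also absent from the header comment block, which documents the other three new variables. Both python functions begin or end outside the hunks shown.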
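--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -27,7 +27,7 @@ class LocalSigner(object):
 raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' %
 (keyid, output))
 
-def sign_rpms(self, files, keyid, passphrase):
+def sign_rpms(self, files, keyid, passphrase, digest, fsk=None, fsk_password=None):
 """Sign RPM files"""
 
 cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid
@@ -35,10 +35,15 @@ class LocalSigner(object):
 if self.gpg_version > (2,1,):
 gpg_args += ' --pinentry-mode=loopback'
 cmd += "--define '_gpg_sign_cmd_extra_args %s' " % gpg_args
+cmd += "--define '_binary_filedigest_algorithm %s' " % digest
 if self.gpg_bin:
 cmd += "--define '__gpg %s' " % self.gpg_bin
 if self.gpg_path:
 cmd += "--define '_gpg_path %s' " % self.gpg_path
+if fsk:
+cmd += "--signfiles --fskpath %s " % fsk
+if fsk_password:
+cmd += "--define '_file_signing_key_password %s' " % fsk_password
 
 # Sign in chunks of 100 packages
 for i in range(0, len(files), 100):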
