diff options
Diffstat (limited to 'meta/lib/oe')
-rw-r--r-- | meta/lib/oe/gpg_sign.py | 76 | ||||
-rw-r--r-- | meta/lib/oe/package_manager.py | 31 |
2 files changed, 87 insertions, 20 deletions
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py new file mode 100644 index 0000000000..55abad8ffc --- /dev/null +++ b/meta/lib/oe/gpg_sign.py | |||
@@ -0,0 +1,76 @@ | |||
1 | """Helper module for GPG signing""" | ||
2 | import os | ||
3 | |||
4 | import bb | ||
5 | import oe.utils | ||
6 | |||
7 | class LocalSigner(object): | ||
8 | """Class for handling local (on the build host) signing""" | ||
9 | def __init__(self, d, keyid, passphrase_file): | ||
10 | self.keyid = keyid | ||
11 | self.passphrase_file = passphrase_file | ||
12 | self.gpg_bin = d.getVar('GPG_BIN', True) or \ | ||
13 | bb.utils.which(os.getenv('PATH'), 'gpg') | ||
14 | self.gpg_path = d.getVar('GPG_PATH', True) | ||
15 | self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm") | ||
16 | |||
17 | def export_pubkey(self, output_file): | ||
18 | """Export GPG public key to a file""" | ||
19 | cmd = '%s --batch --yes --export --armor -o %s ' % \ | ||
20 | (self.gpg_bin, output_file) | ||
21 | if self.gpg_path: | ||
22 | cmd += "--homedir %s " % self.gpg_path | ||
23 | cmd += self.keyid | ||
24 | status, output = oe.utils.getstatusoutput(cmd) | ||
25 | if status: | ||
26 | raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' % | ||
27 | (self.keyid, output)) | ||
28 | |||
29 | def sign_rpms(self, files): | ||
30 | """Sign RPM files""" | ||
31 | import pexpect | ||
32 | |||
33 | cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % self.keyid | ||
34 | if self.gpg_bin: | ||
35 | cmd += "--define '%%__gpg %s' " % self.gpg_bin | ||
36 | if self.gpg_path: | ||
37 | cmd += "--define '_gpg_path %s' " % self.gpg_path | ||
38 | cmd += ' '.join(files) | ||
39 | |||
40 | # Need to use pexpect for feeding the passphrase | ||
41 | proc = pexpect.spawn(cmd) | ||
42 | try: | ||
43 | proc.expect_exact('Enter pass phrase:', timeout=15) | ||
44 | with open(self.passphrase_file) as fobj: | ||
45 | proc.sendline(fobj.readline().rstrip('\n')) | ||
46 | proc.expect(pexpect.EOF, timeout=900) | ||
47 | proc.close() | ||
48 | except pexpect.TIMEOUT as err: | ||
49 | bb.error('rpmsign timeout: %s' % err) | ||
50 | proc.terminate() | ||
51 | if os.WEXITSTATUS(proc.status) or not os.WIFEXITED(proc.status): | ||
52 | bb.error('rpmsign failed: %s' % proc.before.strip()) | ||
53 | raise bb.build.FuncFailed("Failed to sign RPM packages") | ||
54 | |||
55 | def detach_sign(self, input_file): | ||
56 | """Create a detached signature of a file""" | ||
57 | cmd = "%s --detach-sign --armor --batch --no-tty --yes " \ | ||
58 | "--passphrase-file '%s' -u '%s' " % \ | ||
59 | (self.gpg_bin, self.passphrase_file, self.keyid) | ||
60 | if self.gpg_path: | ||
61 | gpg_cmd += "--homedir %s " % self.gpg_path | ||
62 | cmd += input_file | ||
63 | status, output = oe.utils.getstatusoutput(cmd) | ||
64 | if status: | ||
65 | raise bb.build.FuncFailed("Failed to create signature for '%s': %s" % | ||
66 | (input_file, output)) | ||
67 | |||
68 | |||
69 | def get_signer(d, backend, keyid, passphrase_file): | ||
70 | """Get signer object for the specified backend""" | ||
71 | # Use local signing by default | ||
72 | if backend == 'local': | ||
73 | return LocalSigner(d, keyid, passphrase_file) | ||
74 | else: | ||
75 | bb.fatal("Unsupported signing backend '%s'" % backend) | ||
76 | |||
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py index 5b87f45127..3f9e4e3b60 100644 --- a/meta/lib/oe/package_manager.py +++ b/meta/lib/oe/package_manager.py | |||
@@ -9,6 +9,7 @@ import bb | |||
9 | import tempfile | 9 | import tempfile |
10 | import oe.utils | 10 | import oe.utils |
11 | import string | 11 | import string |
12 | from oe.gpg_sign import get_signer | ||
12 | 13 | ||
13 | # this can be used by all PM backends to create the index files in parallel | 14 | # this can be used by all PM backends to create the index files in parallel |
14 | def create_index(arg): | 15 | def create_index(arg): |
@@ -109,16 +110,14 @@ class RpmIndexer(Indexer): | |||
109 | 110 | ||
110 | rpm_createrepo = bb.utils.which(os.getenv('PATH'), "createrepo") | 111 | rpm_createrepo = bb.utils.which(os.getenv('PATH'), "createrepo") |
111 | if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1': | 112 | if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1': |
112 | pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME', True) | 113 | signer = get_signer(self.d, |
113 | pkgfeed_gpg_pass = self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True) | 114 | self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True), |
115 | self.d.getVar('PACKAGE_FEED_GPG_NAME', True), | ||
116 | self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)) | ||
114 | else: | 117 | else: |
115 | pkgfeed_gpg_name = None | 118 | signer = None |
116 | pkgfeed_gpg_pass = None | ||
117 | gpg_bin = self.d.getVar('GPG_BIN', True) or \ | ||
118 | bb.utils.which(os.getenv('PATH'), "gpg") | ||
119 | |||
120 | index_cmds = [] | 119 | index_cmds = [] |
121 | repo_sign_cmds = [] | 120 | repomd_files = [] |
122 | rpm_dirs_found = False | 121 | rpm_dirs_found = False |
123 | for arch in archs: | 122 | for arch in archs: |
124 | dbpath = os.path.join(self.d.getVar('WORKDIR', True), 'rpmdb', arch) | 123 | dbpath = os.path.join(self.d.getVar('WORKDIR', True), 'rpmdb', arch) |
@@ -130,15 +129,7 @@ class RpmIndexer(Indexer): | |||
130 | 129 | ||
131 | index_cmds.append("%s --dbpath %s --update -q %s" % \ | 130 | index_cmds.append("%s --dbpath %s --update -q %s" % \ |
132 | (rpm_createrepo, dbpath, arch_dir)) | 131 | (rpm_createrepo, dbpath, arch_dir)) |
133 | if pkgfeed_gpg_name: | 132 | repomd_files.append(os.path.join(arch_dir, 'repodata', 'repomd.xml')) |
134 | repomd_file = os.path.join(arch_dir, 'repodata', 'repomd.xml') | ||
135 | gpg_cmd = "%s --detach-sign --armor --batch --no-tty --yes " \ | ||
136 | "--passphrase-file '%s' -u '%s' " % \ | ||
137 | (gpg_bin, pkgfeed_gpg_pass, pkgfeed_gpg_name) | ||
138 | if self.d.getVar('GPG_PATH', True): | ||
139 | gpg_cmd += "--homedir %s " % self.d.getVar('GPG_PATH', True) | ||
140 | gpg_cmd += repomd_file | ||
141 | repo_sign_cmds.append(gpg_cmd) | ||
142 | 133 | ||
143 | rpm_dirs_found = True | 134 | rpm_dirs_found = True |
144 | 135 | ||
@@ -151,9 +142,9 @@ class RpmIndexer(Indexer): | |||
151 | if result: | 142 | if result: |
152 | bb.fatal('%s' % ('\n'.join(result))) | 143 | bb.fatal('%s' % ('\n'.join(result))) |
153 | # Sign repomd | 144 | # Sign repomd |
154 | result = oe.utils.multiprocess_exec(repo_sign_cmds, create_index) | 145 | if signer: |
155 | if result: | 146 | for repomd in repomd_files: |
156 | bb.fatal('%s' % ('\n'.join(result))) | 147 | signer.detach_sign(repomd) |
157 | # Copy pubkey(s) to repo | 148 | # Copy pubkey(s) to repo |
158 | distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0" | 149 | distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0" |
159 | if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1': | 150 | if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1': |