2 files changed, 24 insertions, 18 deletions
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index a95d2ba34c..2fd8c3b1ac 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -15,21 +15,27 @@ class LocalSigner(object):
    def __init__(self, d):
        self.gpg_bin = d.getVar('GPG_BIN') or \
                  bb.utils.which(os.getenv('PATH'), 'gpg')
+        self.gpg_cmd = [self.gpg_bin]
+        self.gpg_agent_bin = bb.utils.which(os.getenv('PATH'), "gpg-agent")
+        # Without this we see "Cannot allocate memory" errors when running processes in parallel
+        # It needs to be set for any gpg command since any agent launched can stick around in memory
+        # and this parameter must be set.
+        if self.gpg_agent_bin:
+            self.gpg_cmd += ["--agent-program=%s|--auto-expand-secmem" % (self.gpg_agent_bin)]
        self.gpg_path = d.getVar('GPG_PATH')
-        self.gpg_version = self.get_gpg_version()
        self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpmsign")
-        self.gpg_agent_bin = bb.utils.which(os.getenv('PATH'), "gpg-agent")
+        self.gpg_version = self.get_gpg_version()
    def export_pubkey(self, output_file, keyid, armor=True):
        """Export GPG public key to a file"""
-        cmd = '%s --no-permission-warning --batch --yes --export -o %s ' % \
+        cmd = self.gpg_cmd + ["--no-permission-warning", "--batch", "--yes", "--export", "-o", output_file]
-                (self.gpg_bin, output_file)
        if self.gpg_path:
-            cmd += "--homedir %s " % self.gpg_path
+            cmd += ["--homedir", self.gpg_path]
        if armor:
-            cmd += "--armor "
+            cmd += ["--armor"]
-        cmd += keyid
+        cmd += [keyid]
-        subprocess.check_output(shlex.split(cmd), stderr=subprocess.STDOUT)
+        subprocess.check_output(cmd, stderr=subprocess.STDOUT)
    def sign_rpms(self, files, keyid, passphrase, digest, sign_chunk, fsk=None, fsk_password=None):
        """Sign RPM files"""
@@ -59,7 +65,7 @@ class LocalSigner(object):
        if passphrase_file and passphrase:
            raise Exception("You should use either passphrase_file of passphrase, not both")
-        cmd = [self.gpg_bin, '--detach-sign', '--no-permission-warning', '--batch',
+        cmd = self.gpg_cmd + ['--detach-sign', '--no-permission-warning', '--batch',
               '--no-tty', '--yes', '--passphrase-fd', '0', '-u', keyid]
        if self.gpg_path:
@@ -72,9 +78,6 @@ class LocalSigner(object):
        if self.gpg_version > (2,1,):
            cmd += ['--pinentry-mode', 'loopback']
-        if self.gpg_agent_bin:
-            cmd += ["--agent-program=%s|--auto-expand-secmem" % (self.gpg_agent_bin)]
        cmd += [input_file]
        try:
@@ -101,7 +104,8 @@ class LocalSigner(object):
    def get_gpg_version(self):
        """Return the gpg version as a tuple of ints"""
        try:
-            ver_str = subprocess.check_output((self.gpg_bin, "--version", "--no-permission-warning")).split()[2].decode("utf-8")
+            cmd = self.gpg_cmd + ["--version", "--no-permission-warning"]
+            ver_str = subprocess.check_output(cmd).split()[2].decode("utf-8")
            return tuple([int(i) for i in ver_str.split("-")[0].split('.')])
        except subprocess.CalledProcessError as e:
            raise bb.build.FuncFailed("Could not get gpg version: %s" % e)
@@ -109,11 +113,12 @@ class LocalSigner(object):
    def verify(self, sig_file):
        """Verify signature"""
-        cmd = self.gpg_bin + " --verify --no-permission-warning "
+        cmd = self.gpg_cmd + [" --verify", "--no-permission-warning"]
        if self.gpg_path:
-            cmd += "--homedir %s " % self.gpg_path
+            cmd += ["--homedir", self.gpg_path]
-        cmd += sig_file
-        status = subprocess.call(shlex.split(cmd))
+        cmd += [sig_file]
+        status = subprocess.call(cmd)
        ret = False if status else True
        return ret
diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py
index 9c710bd0ff..b390f37d8e 100644
--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -30,7 +30,8 @@ class Signing(OESelftestTestCase):
        self.secret_key_path = os.path.join(self.testlayer_path, 'files', 'signing', "key.secret")
        nsysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native")
-        runCmd('gpg --batch --homedir %s --import %s %s' % (self.gpg_dir, self.pub_key_path, self.secret_key_path), native_sysroot=nsysroot)
+        runCmd('gpg --agent-program=`which gpg-agent`\|--auto-expand-secmem --batch --homedir %s --import %s %s' % (self.gpg_dir, self.pub_key_path, self.secret_key_path), native_sysroot=nsysroot)
        return nsysroot + get_bb_var("bindir_native")

diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index a95d2ba34c..2fd8c3b1ac 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py
@@ -15,21 +15,27 @@ class LocalSigner(object):
15	def __init__(self, d):	15	def __init__(self, d):
16	self.gpg_bin = d.getVar('GPG_BIN') or \	16	self.gpg_bin = d.getVar('GPG_BIN') or \
17	bb.utils.which(os.getenv('PATH'), 'gpg')	17	bb.utils.which(os.getenv('PATH'), 'gpg')
		18	self.gpg_cmd = [self.gpg_bin]
		19	self.gpg_agent_bin = bb.utils.which(os.getenv('PATH'), "gpg-agent")
		20	# Without this we see "Cannot allocate memory" errors when running processes in parallel
		21	# It needs to be set for any gpg command since any agent launched can stick around in memory
		22	# and this parameter must be set.
		23	if self.gpg_agent_bin:
		24	self.gpg_cmd += ["--agent-program=%s\|--auto-expand-secmem" % (self.gpg_agent_bin)]
18	self.gpg_path = d.getVar('GPG_PATH')	25	self.gpg_path = d.getVar('GPG_PATH')
19	self.gpg_version = self.get_gpg_version()
20	self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpmsign")	26	self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpmsign")
21	self.gpg_agent_bin = bb.utils.which(os.getenv('PATH'), "gpg-agent")	27	self.gpg_version = self.get_gpg_version()
		28
22		29
23	def export_pubkey(self, output_file, keyid, armor=True):	30	def export_pubkey(self, output_file, keyid, armor=True):
24	"""Export GPG public key to a file"""	31	"""Export GPG public key to a file"""
25	cmd = '%s --no-permission-warning --batch --yes --export -o %s ' % \	32	cmd = self.gpg_cmd + ["--no-permission-warning", "--batch", "--yes", "--export", "-o", output_file]
26	(self.gpg_bin, output_file)
27	if self.gpg_path:	33	if self.gpg_path:
28	cmd += "--homedir %s " % self.gpg_path	34	cmd += ["--homedir", self.gpg_path]
29	if armor:	35	if armor:
30	cmd += "--armor "	36	cmd += ["--armor"]
31	cmd += keyid	37	cmd += [keyid]
32	subprocess.check_output(shlex.split(cmd), stderr=subprocess.STDOUT)	38	subprocess.check_output(cmd, stderr=subprocess.STDOUT)
33		39
34	def sign_rpms(self, files, keyid, passphrase, digest, sign_chunk, fsk=None, fsk_password=None):	40	def sign_rpms(self, files, keyid, passphrase, digest, sign_chunk, fsk=None, fsk_password=None):
35	"""Sign RPM files"""	41	"""Sign RPM files"""
@@ -59,7 +65,7 @@ class LocalSigner(object):
59	if passphrase_file and passphrase:	65	if passphrase_file and passphrase:
60	raise Exception("You should use either passphrase_file of passphrase, not both")	66	raise Exception("You should use either passphrase_file of passphrase, not both")
61		67
62	cmd = [self.gpg_bin, '--detach-sign', '--no-permission-warning', '--batch',	68	cmd = self.gpg_cmd + ['--detach-sign', '--no-permission-warning', '--batch',
63	'--no-tty', '--yes', '--passphrase-fd', '0', '-u', keyid]	69	'--no-tty', '--yes', '--passphrase-fd', '0', '-u', keyid]
64		70
65	if self.gpg_path:	71	if self.gpg_path:
@@ -72,9 +78,6 @@ class LocalSigner(object):
72	if self.gpg_version > (2,1,):	78	if self.gpg_version > (2,1,):
73	cmd += ['--pinentry-mode', 'loopback']	79	cmd += ['--pinentry-mode', 'loopback']
74		80
75	if self.gpg_agent_bin:
76	cmd += ["--agent-program=%s\|--auto-expand-secmem" % (self.gpg_agent_bin)]
77
78	cmd += [input_file]	81	cmd += [input_file]
79		82
80	try:	83	try:
@@ -101,7 +104,8 @@ class LocalSigner(object):
101	def get_gpg_version(self):	104	def get_gpg_version(self):
102	"""Return the gpg version as a tuple of ints"""	105	"""Return the gpg version as a tuple of ints"""
103	try:	106	try:
104	ver_str = subprocess.check_output((self.gpg_bin, "--version", "--no-permission-warning")).split()[2].decode("utf-8")	107	cmd = self.gpg_cmd + ["--version", "--no-permission-warning"]
		108	ver_str = subprocess.check_output(cmd).split()[2].decode("utf-8")
105	return tuple([int(i) for i in ver_str.split("-")[0].split('.')])	109	return tuple([int(i) for i in ver_str.split("-")[0].split('.')])
106	except subprocess.CalledProcessError as e:	110	except subprocess.CalledProcessError as e:
107	raise bb.build.FuncFailed("Could not get gpg version: %s" % e)	111	raise bb.build.FuncFailed("Could not get gpg version: %s" % e)
@@ -109,11 +113,12 @@ class LocalSigner(object):
109		113
110	def verify(self, sig_file):	114	def verify(self, sig_file):
111	"""Verify signature"""	115	"""Verify signature"""
112	cmd = self.gpg_bin + " --verify --no-permission-warning "	116	cmd = self.gpg_cmd + [" --verify", "--no-permission-warning"]
113	if self.gpg_path:	117	if self.gpg_path:
114	cmd += "--homedir %s " % self.gpg_path	118	cmd += ["--homedir", self.gpg_path]
115	cmd += sig_file	119
116	status = subprocess.call(shlex.split(cmd))	120	cmd += [sig_file]
		121	status = subprocess.call(cmd)
117	ret = False if status else True	122	ret = False if status else True
118	return ret	123	return ret
119		124


diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py index 9c710bd0ff..b390f37d8e 100644 --- a/meta/lib/oeqa/selftest/cases/signing.py +++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -30,7 +30,8 @@ class Signing(OESelftestTestCase):
30	self.secret_key_path = os.path.join(self.testlayer_path, 'files', 'signing', "key.secret")	30	self.secret_key_path = os.path.join(self.testlayer_path, 'files', 'signing', "key.secret")
31		31
32	nsysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native")	32	nsysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native")
33	runCmd('gpg --batch --homedir %s --import %s %s' % (self.gpg_dir, self.pub_key_path, self.secret_key_path), native_sysroot=nsysroot)	33
		34	runCmd('gpg --agent-program=`which gpg-agent`\\|--auto-expand-secmem --batch --homedir %s --import %s %s' % (self.gpg_dir, self.pub_key_path, self.secret_key_path), native_sysroot=nsysroot)
34	return nsysroot + get_bb_var("bindir_native")	35	return nsysroot + get_bb_var("bindir_native")
35		36
36		37