diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/classes/package_ipk.bbclass | 5 | ||||
-rw-r--r-- | meta/classes/sign_ipk.bbclass | 52 | ||||
-rw-r--r-- | meta/lib/oe/gpg_sign.py | 38 |
3 files changed, 83 insertions, 12 deletions
diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass index 51bee2890b..f1ad1d5c17 100644 --- a/meta/classes/package_ipk.bbclass +++ b/meta/classes/package_ipk.bbclass | |||
@@ -246,6 +246,11 @@ python do_package_ipk () { | |||
246 | bb.utils.unlockfile(lf) | 246 | bb.utils.unlockfile(lf) |
247 | raise bb.build.FuncFailed("opkg-build execution failed") | 247 | raise bb.build.FuncFailed("opkg-build execution failed") |
248 | 248 | ||
249 | if d.getVar('IPK_SIGN_PACKAGES', True) == '1': | ||
250 | ipkver = "%s-%s" % (d.getVar('PKGV', True), d.getVar('PKGR', True)) | ||
251 | ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, d.getVar('PACKAGE_ARCH', True)) | ||
252 | sign_ipk(d, ipk_to_sign) | ||
253 | |||
249 | cleanupcontrol(root) | 254 | cleanupcontrol(root) |
250 | bb.utils.unlockfile(lf) | 255 | bb.utils.unlockfile(lf) |
251 | 256 | ||
diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass new file mode 100644 index 0000000000..a481f6d9a8 --- /dev/null +++ b/meta/classes/sign_ipk.bbclass | |||
@@ -0,0 +1,52 @@ | |||
1 | # Class for generating signed IPK packages. | ||
2 | # | ||
3 | # Configuration variables used by this class: | ||
4 | # IPK_GPG_PASSPHRASE_FILE | ||
5 | # Path to a file containing the passphrase of the signing key. | ||
6 | # IPK_GPG_NAME | ||
7 | # Name of the key to sign with. | ||
8 | # IPK_GPG_BACKEND | ||
9 | # Optional variable for specifying the backend to use for signing. | ||
10 | # Currently the only available option is 'local', i.e. local signing | ||
11 | # on the build host. | ||
12 | # IPK_GPG_SIGNATURE_TYPE | ||
13 | # Optional variable for specifying the type of gpg signatures, can be: | ||
14 | # 1. Ascii armored (ASC), default if not set | ||
15 | # 2. Binary (BIN) | ||
16 | # GPG_BIN | ||
17 | # Optional variable for specifying the gpg binary/wrapper to use for | ||
18 | # signing. | ||
19 | # GPG_PATH | ||
20 | # Optional variable for specifying the gnupg "home" directory: | ||
21 | # | ||
22 | |||
23 | inherit sanity | ||
24 | |||
25 | IPK_SIGN_PACKAGES = '1' | ||
26 | IPK_GPG_BACKEND ?= 'local' | ||
27 | IPK_GPG_SIGNATURE_TYPE ?= 'ASC' | ||
28 | |||
29 | python () { | ||
30 | # Check configuration | ||
31 | for var in ('IPK_GPG_NAME', 'IPK_GPG_PASSPHRASE_FILE'): | ||
32 | if not d.getVar(var, True): | ||
33 | raise_sanity_error("You need to define %s in the config" % var, d) | ||
34 | |||
35 | sigtype = d.getVar("IPK_GPG_SIGNATURE_TYPE", True) | ||
36 | if sigtype.upper() != "ASC" and sigtype.upper() != "BIN": | ||
37 | raise_sanity_error("Bad value for IPK_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype) | ||
38 | } | ||
39 | |||
40 | def sign_ipk(d, ipk_to_sign): | ||
41 | from oe.gpg_sign import get_signer | ||
42 | |||
43 | bb.debug(1, 'Signing ipk: %s' % ipk_to_sign) | ||
44 | |||
45 | signer = get_signer(d, d.getVar('IPK_GPG_BACKEND', True)) | ||
46 | sig_type = d.getVar('IPK_GPG_SIGNATURE_TYPE', True) | ||
47 | is_ascii_sig = (sig_type.upper() != "BIN") | ||
48 | |||
49 | signer.detach_sign(ipk_to_sign, | ||
50 | d.getVar('IPK_GPG_NAME', True), | ||
51 | d.getVar('IPK_GPG_PASSPHRASE_FILE', True), | ||
52 | armor=is_ascii_sig) | ||
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index ada1b2f408..059381d5e3 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py | |||
@@ -50,6 +50,7 @@ class LocalSigner(object): | |||
50 | bb.error('rpmsign failed: %s' % proc.before.strip()) | 50 | bb.error('rpmsign failed: %s' % proc.before.strip()) |
51 | raise bb.build.FuncFailed("Failed to sign RPM packages") | 51 | raise bb.build.FuncFailed("Failed to sign RPM packages") |
52 | 52 | ||
53 | |||
53 | def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True): | 54 | def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True): |
54 | """Create a detached signature of a file""" | 55 | """Create a detached signature of a file""" |
55 | import subprocess | 56 | import subprocess |
@@ -58,22 +59,35 @@ class LocalSigner(object): | |||
58 | raise Exception("You should use either passphrase_file of passphrase, not both") | 59 | raise Exception("You should use either passphrase_file of passphrase, not both") |
59 | 60 | ||
60 | cmd = [self.gpg_bin, '--detach-sign', '--batch', '--no-tty', '--yes', | 61 | cmd = [self.gpg_bin, '--detach-sign', '--batch', '--no-tty', '--yes', |
61 | '-u', keyid] | 62 | '--passphrase-fd', '0', '-u', keyid] |
62 | if passphrase_file: | 63 | |
63 | cmd += ['--passphrase-file', passphrase_file] | ||
64 | else: | ||
65 | cmd += ['--passphrase-fd', '0'] | ||
66 | if self.gpg_path: | 64 | if self.gpg_path: |
67 | cmd += ['--homedir', self.gpg_path] | 65 | cmd += ['--homedir', self.gpg_path] |
68 | if armor: | 66 | if armor: |
69 | cmd += ['--armor'] | 67 | cmd += ['--armor'] |
70 | cmd.append(input_file) | 68 | |
71 | job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, | 69 | cmd += [input_file] |
72 | stderr=subprocess.PIPE) | 70 | |
73 | _, stderr = job.communicate(passphrase) | 71 | try: |
74 | if job.returncode: | 72 | if passphrase_file: |
75 | raise bb.build.FuncFailed("Failed to create signature for '%s': %s" % | 73 | with open(passphrase_file) as fobj: |
76 | (input_file, stderr)) | 74 | passphrase = fobj.readline(); |
75 | |||
76 | job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stderr=subprocess.PIPE) | ||
77 | (_, stderr) = job.communicate(passphrase) | ||
78 | |||
79 | if job.returncode: | ||
80 | raise bb.build.FuncFailed("GPG exited with code %d: %s" % | ||
81 | (job.returncode, stderr)) | ||
82 | |||
83 | except IOError as e: | ||
84 | bb.error("IO error (%s): %s" % (e.errno, e.strerror)) | ||
85 | raise Exception("Failed to sign '%s'" % input_file) | ||
86 | |||
87 | except OSError as e: | ||
88 | bb.error("OS error (%s): %s" % (e.errno, e.strerror)) | ||
89 | raise Exception("Failed to sign '%s" % input_file) | ||
90 | |||
77 | 91 | ||
78 | def verify(self, sig_file): | 92 | def verify(self, sig_file): |
79 | """Verify signature""" | 93 | """Verify signature""" |