summaryrefslogtreecommitdiffstats
path: root/meta/classes/sign_rpm.bbclass
Commit message (Collapse)AuthorAgeFilesLines
* gnupg: use native version for signing, rather than one provided by hostAlexander Kanavin2018-01-111-5/+1
| | | | | | | | | | | | | | | | | | | | | | | | | Using host gpg has been problematic, and particularly this removes the need to serialize package creation, as long as --auto-expand-secmem is passed to gpg-agent, and gnupg >= 2.2.4 is in use (https://dev.gnupg.org/T3530). Sadly, gpg-agent itself is single-threaded, so in the longer run we might want to seek alternatives: https://lwn.net/Articles/742542/ (a smaller issue is that rpm itself runs the gpg fronted in a serial fashion, which slows down the build in cases of recipes with very large amount of packages, e.g. glibc-locale) Note that sstate signing and verification continues to use host gpg, as depending on native gpg would create circular dependencies. [YOCTO #12022] (From OE-Core rev: 08fef6198122fe79d4c1213f9a64b862162ed6cd) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sign_rpm.bbclass: force rpm serial signingLeonardo Sandoval2017-09-261-0/+6
| | | | | | | | | | | | | | Newer versions of gpg (at least 2.1.5 and 2.2.1) have issues when signing occurs in parallel so (unfortunately) the signing must be done serially. Once the upstream problem is fixed, this patch must be reverted, otherwise we loose all the intrinsic parallelism from bitbake. [YOCTO #12022] (From OE-Core rev: 5301712f9735fcf8d3dec756772668de930e53fe) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sign_rpm: Allow pkg signing by chunks through RPM_GPG_SIGN_CHUNKLeonardo Sandoval2017-08-181-1/+6
| | | | | | | | | | | | | Commit d58b1d196 moved from chunk to serial signing, but neither of both approaches allowed the user to select the chunks size. This patch allows the user to select a chunk size through RPM_GPG_SIGN_CHUNK defaulting to BB_NUMBER_THREADS, considered a good default. Indirectly, this change reduces the number of processes spawn to number-of-packages/RPM_GPG_SIGN_CHUNK. (From OE-Core rev: f7f78e73f1cd15f4233a231364b14438af758628) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sign_rpm: support signing files in RPM payloadLans Zhang2017-07-171-1/+19
| | | | | | | | | | | | | | | | | | | | | Currently, RPM4 supports to sign the files in RPM payload with plugin mechanism. We introduce more definitions to make the file signing available for the users: - RPM_FILE_CHECKSUM_DIGEST Global switch to enable file signing. - RPM_FSK_PATH The file signing key. - RPM_FSK_PASSWORD The password of file signing key. - RPM_FILE_CHECKSUM_DIGEST The file checksum digest. (From OE-Core rev: 95b9ee33d5595078e90c633f6155ec9ba3d184f0) Signed-off-by: Lans Zhang <jia.zhang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sign_rpm.bbclass: do not set/use RPM_GPG_PUBKEYAlexander Kanavin2017-03-231-7/+0
| | | | | | | | | | | | | This is entirely unnecessary (we can ask the signer backend to export the key to a file when needed), and was causing confusing selftest failures due to the variable being set from two different places. [YOCTO #11191] (From OE-Core rev: 74ea979044368dc28c24325e7e77471b70aa8fe8) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: remove True option to getVar callsJoshua Lock2016-12-161-6/+6
| | | | | | | | | | | | | getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace. Search made with the following regex: getVar ?\(( ?[^,()]*), True\) (From OE-Core rev: 7c552996597faaee2fbee185b250c0ee30ea3b5f) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gpg_sign.py: get rid of pexpectRobert Yang2016-03-251-4/+6
| | | | | | | | | | | | | The python-expect is not installed on the distro such as Ubuntu by default, and we can get rid of it. Use RPM_GPG_PASSPHRASE to replace of RPM_GPG_PASSPHRASE_FILE which is more straightforward. (From OE-Core rev: 4a8a74c62836a20610daf029d4cec0b3087758b2) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* signing-keys: Make signing keys the only publisher of keysRandy Witt2016-02-261-4/+7
| | | | | | | | | | | | | Previously the keys were put into the os-release package. The package indexing code was also deploying the keys rather than only using the keys. This change makes signing-keys.bb the only publisher of the keys and also uses standard tasks that already have sstate. (From OE-Core rev: 1e38068ac38dfd067655dfd41464e28439179306) Signed-off-by: Randy Witt <randy.e.witt@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sign_rpm.bbclass: do not store key details in signer instanceMarkus Lehtonen2016-02-191-5/+4
| | | | | | | | | | | | | Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/lib: new module for handling GPG signingMarkus Lehtonen2016-01-261-36/+11
| | | | | | | | | | | | | | | | | Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sign_rpm.bbclass: fix task dependenciesMarkus Lehtonen2016-01-191-0/+1
| | | | | | | | | | | | | do_rootfs task needs to depend on signing-keys:do_export_public_keys. The rpm signing public key needs to be present in order to prevent a crash because it is imported into the rootfs rpmdb before rootfs creation starts. (From OE-Core rev: f854f4549f0b01421464032406a5275494acd818) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* populate_sdk_ext/sign_rpm/sign_package_feed: Add missing getVar parameterRichard Purdie2015-12-141-1/+1
| | | | | | | | We should always pass a parameter to getVar, add missing default value. (From OE-Core rev: 31bc0a46a97d7dc98568a218c077c31d8b11dbd9) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* package signing: automatically export public keysMarkus Lehtonen2015-10-271-3/+6
| | | | | | | | | | | | Automatically export public key(s) of the signing key(s) from the gpg keyring. Adds a new simple recipe that does the actual task of exporting the keys. This patch makes the RPM_GPG_PUBKEY and PACKAGE_FEED_GPG PUBKEY settings obsolete. (From OE-Core rev: 23b30c34581948e1ea02c25cbf7b9194d7e49fb8) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sign_rpm.bbclass: make RPM_GPG_NAME a mandatory settingMarkus Lehtonen2015-10-271-21/+9
| | | | | | | | | | | | Simplifies the configuration. Makes way for the removal of RPM_GPG_PUBKEY setting and possible future implementation of a separate signing server support. Also, moves the configuration sanity checking into a separate function. (From OE-Core rev: 6ea062dffce3df59cc4ba88edd181dc1dac759f9) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sign_rpm.bbclass: be more verbose in case of errorMarkus Lehtonen2015-10-271-1/+4
| | | | | | | (From OE-Core rev: 3abdd2bf886e4b3bc7dd957c77a7745498386161) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sign_rpm.bbclass: introduce GPG_PATH variableMarkus Lehtonen2015-10-271-0/+4
| | | | | | | | | | This bitbake configuration variable can be used to define the gpg home directory. (From OE-Core rev: 7ea2f8aca832433f448a79d103c945a63ac6474b) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* package_rpm: support signing of rpm packagesMarkus Lehtonen2015-09-031-0/+75
This patch adds a new bbclass for generating rpm packages that are signed with a user defined key. The packages are signed as part of the "package_write_rpm" task. In order to enable the feature you need to 1. 'INHERIT += " sign_rpm"' in bitbake config (e.g. local or distro) 2. Create a file that contains the passphrase to your gpg secret key 3. 'RPM_GPG_PASSPHRASE_FILE = "<path_to_file>" in bitbake config, pointing to the passphrase file created in 2. 4. Define GPG key name to use by either defining 'RPM_GPG_NAME = "<key_id>" in bitbake config OR by defining %_gpg_name <key_id> in your ~/.oerpmmacros file 5. 'RPM_GPG_PUBKEY = "<path_to_pubkey>" in bitbake config pointing to the public key (in "armor" format) The user may optionally define "GPG_BIN" variable in the bitbake configuration in order to specify a specific gpg binary/wrapper to use. The sign_rpm.bbclass implements a simple scenario of locally signing the packages. It could be replaced by a more advanced class that would utilize a separate signing server for signing the packages, for example. [YOCTO #8134] (From OE-Core rev: 75f5f11b19ba1bf8743caf9ee7c99a3c67f4b266) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>