summaryrefslogtreecommitdiffstats
path: root/meta/lib/oe/gpg_sign.py
Commit message (Collapse)AuthorAgeFilesLines
* meta: remove True option to getVar callsJoshua Lock2016-12-161-2/+2
| | | | | | | | | | | | | getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace. Search made with the following regex: getVar ?\(( ?[^,()]*), True\) (From OE-Core rev: 7c552996597faaee2fbee185b250c0ee30ea3b5f) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oe/gpg_sign: fix output in error pathsRoss Burton2016-07-261-3/+2
| | | | | | | | | | oe.utils.getstatusoutput() is a wrapper for subprocess.getstatusoutput() which uses Universal Newlines, so the output is a str() not bytes(). (From OE-Core rev: ce24d4c3632b71939ad198268a900ee823a89b27) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/lib: Update to use python3 command pipeline decodingRichard Purdie2016-06-021-5/+5
| | | | | | | | | | | In python3, strings are unicode by default. We need to encode/decode from command pipelines and other places where we interface with the real world using the correct locales. This patch updates various call sites to use the correct encoding/decodings. (From OE-Core rev: bb4685af1bffe17b3aa92a6d21398f38a44ea874) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gpg_sign.py: get rid of pexpectRobert Yang2016-03-251-18/+6
| | | | | | | | | | | | | The python-expect is not installed on the distro such as Ubuntu by default, and we can get rid of it. Use RPM_GPG_PASSPHRASE to replace of RPM_GPG_PASSPHRASE_FILE which is more straightforward. (From OE-Core rev: 4a8a74c62836a20610daf029d4cec0b3087758b2) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gpg_sign: export_pubkey: add signature type supportIoan-Adrian Ratiu2016-03-111-2/+4
| | | | | | | | | | | Add support for multiple types of signatures (binary or ascii) in export_pubkey(). There is no change in behaviour for the function, the previous implicit default is the new parameter "armor" default. (From OE-Core rev: 95ba4a982b887444908207e3180fe4bc46281d3b) Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gpg_sign: detach_sign: fix gpg > 2.1 STDIN file descriptorIoan-Adrian Ratiu2016-03-111-0/+16
| | | | | | | | | | | | | | | | | | Starting from v2.1 passing passwords directly to gpg does not work anymore [1], instead a loopback interface must be used otherwise gpg >2.1 will error out with: "gpg: signing failed: Inappropriate ioctl for device" gpg <2.1 does not work with the new --pinentry-mode arg and gives an invalid option error, so we detect what is the running version of gpg and pass it accordingly. [1] https://wiki.archlinux.org/index.php/GnuPG#Unattended_passphrase (From OE-Core rev: 0413bd8e294ca8ac972ac68662b43a981952f5ae) Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gpg_sign: add local ipk package signing functionalityIoan-Adrian Ratiu2016-03-111-12/+26
| | | | | | | | | | | | | | | | | | | | Implement ipk signing inside the sign_ipk bbclass using the gpg_sign module and configure signing similar to how rpm does it. sign_ipk uses gpg_sign's detach_sign because its functionality is identical to package feed signing. IPK signing process is a bit different from rpm: - Signatures are stored outside ipk files; opkg connects to a feed server and downloads them to verify a package. - Signatures are of two types (both supported by opkg): binary or ascii armoured. By default we sign using ascii armoured. - Public keys are stored on targets to verify ipks using the opkg-keyrings recipe. (From OE-Core rev: a40f27aa7802e8a0bd87a5417e35adbface62d05) Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe/gpg_sign: add 'passphrase' argument to detach_sign methodMarkus Lehtonen2016-02-191-10/+20
| | | | | | | | | | | | | This allows directly giving the passphrase, instead of reading from a file. [YOCTO #9006] (From OE-Core rev: fd55c6e86b38b33f62006324e73678a13a534220) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sign_rpm.bbclass: do not store key details in signer instanceMarkus Lehtonen2016-02-191-13/+11
| | | | | | | | | | | | | Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe/gpg_sign: add 'armor' argument to detach_sign()Markus Lehtonen2016-02-191-2/+4
| | | | | | | | | | [YOCTO #9006] (From OE-Core rev: ce653694a87fd77d79ec3d28ed3365a2c8e57ad6) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe/gpg_sign: add verify() methodMarkus Lehtonen2016-02-191-0/+10
| | | | | | | | | | | | A new method for verifying detached signatures. [YOCTO #9006] (From OE-Core rev: 4445c645c71151bd56ff7e133343a6f1e30cc3b3) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe/gpg_sign: fix incorrect variable nameMarkus Lehtonen2016-02-111-1/+1
| | | | | | | | | | Prevents crash in signing if GPG_PATH is defined. (From OE-Core rev: 0ecd748258abfe5ed9e9e2505aeb42b232389968) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/lib: new module for handling GPG signingMarkus Lehtonen2016-01-261-0/+76
Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>