From 652fdf8719ba5cf2c486bf3d19904b5140dbd0d1 Mon Sep 17 00:00:00 2001 From: Daniel McGregor Date: Tue, 12 Oct 2021 22:04:56 -0600 Subject: sstate: Allow validation of sstate singatures against list of keys Allow a user to validate sstate objects against a list of keys, instead of just any known key in the user's keychain. (From OE-Core rev: 52ba0c5e6e2e3d5d01dc3f01404f0ab1bb29b3b5) Signed-off-by: Daniel McGregor Signed-off-by: Richard Purdie --- meta/classes/sstate.bbclass | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'meta/classes/sstate.bbclass') diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass index c125286f74..7f034d746a 100644 --- a/meta/classes/sstate.bbclass +++ b/meta/classes/sstate.bbclass @@ -116,6 +116,9 @@ SSTATE_SIG_KEY ?= "" SSTATE_SIG_PASSPHRASE ?= "" # Whether to verify the GnUPG signatures when extracting sstate archives SSTATE_VERIFY_SIG ?= "0" +# List of signatures to consider valid. +SSTATE_VALID_SIGS ??= "" +SSTATE_VALID_SIGS[vardepvalue] = "" SSTATE_HASHEQUIV_METHOD ?= "oe.sstatesig.OEOuthashBasic" SSTATE_HASHEQUIV_METHOD[doc] = "The fully-qualified function used to calculate \ @@ -372,7 +375,7 @@ def sstate_installpkg(ss, d): bb.warn("No signature file for sstate package %s, skipping acceleration..." % sstatepkg) return False signer = get_signer(d, 'local') - if not signer.verify(sstatepkg + '.sig'): + if not signer.verify(sstatepkg + '.sig', d.getVar("SSTATE_VALID_SIGS")): bb.warn("Cannot verify signature on sstate package %s, skipping acceleration..." % sstatepkg) return False -- cgit v1.2.3-54-g00ecf