sstate: respect GPG_BIN and GPG_HOME

The package feed signing code supports the user providing the path to the gpg binary and an alternative gpg 'home' (usually ~/.gnupg), which are useful for both deployment and QA purposes. Factor out the gpg command line construction to a function which can fetch both of these variables, and also use pipes.quote() to sanitise the arguments when used in a shell context. [ YOCTO #8559 ] (From OE-Core rev: 6daf138822bbbc46960121d3b76b42eaf19e7c0e) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2015-10-24 01:02:34 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-11-24 15:50:26 +0000
commit: 59b27d558febc42e5f127a7f27f6c0de73a61e30 (patch)
tree: 2c126bdb6635b9b4ae5c3550c023b6ed86504d4c
parent: 4415dc5cdda9a9ca18e5202309c1dadcb013b1dc (diff)
download: poky-59b27d558febc42e5f127a7f27f6c0de73a61e30.tar.gz
1 files changed, 17 insertions, 3 deletions
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index d09e27aee4..ba18f54428 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -268,6 +268,20 @@ def sstate_install(ss, d):
 sstate_install[vardepsexclude] += "SSTATE_DUPWHITELIST STATE_MANMACH SSTATE_MANFILEPREFIX"
 sstate_install[vardeps] += "${SSTATEPOSTINSTFUNCS}"
+def sstate_build_gpg_command(d, *args, **kwargs):
+    # Returns a list for subprocess.call() unless passed flatten=True when this
+    # returns a flattened string.
+    l = [d.getVar("GPG_BIN", True) or "gpg"]
+    if d.getVar("GPG_PATH", True):
+        l += ["--homedir", d.getVar("GPG_PATH", True)]
+    l += args
+    if kwargs.get("flatten", False):
+        import pipes
+        return " ".join(map(pipes.quote, l))
+    else:
+        return l
 def sstate_installpkg(ss, d):
    import oe.path
    import subprocess
@@ -296,7 +310,7 @@ def sstate_installpkg(ss, d):
    d.setVar('SSTATE_PKG', sstatepkg)
    if bb.utils.to_boolean(d.getVar("SSTATE_VERIFY_SIG", True), False):
-        if subprocess.call(["gpg", "--verify", sstatepkg + ".sig", sstatepkg]) != 0:
+        if subprocess.call(sstate_build_gpg_command(d, "--verify", sstatepkg + ".sig", sstatepkg)) != 0:
            bb.warn("Cannot verify signature on sstate package %s" % sstatepkg)
    for f in (d.getVar('SSTATEPREINSTFUNCS', True) or '').split() + ['sstate_unpack_package'] + (d.getVar('SSTATEPOSTUNPACKFUNCS', True) or '').split():
@@ -672,12 +686,12 @@ sstate_create_package () {
        else
                tar -cz --file=$TFILE --files-from=/dev/null
        fi
-        chmod 0664 $TFILE 
+        chmod 0664 $TFILE
        mv -f $TFILE ${SSTATE_PKG}
        if [ -n "${SSTATE_SIG_KEY}" ]; then
                rm -f ${SSTATE_PKG}.sig
-                echo ${SSTATE_SIG_PASSPHRASE} | gpg --batch --passphrase-fd 0 --detach-sign --local-user ${SSTATE_SIG_KEY} --output ${SSTATE_PKG}.sig ${SSTATE_PKG}
+                echo ${SSTATE_SIG_PASSPHRASE} | ${@sstate_build_gpg_command(d, "--batch", "--passphrase-fd", "0", "--detach-sign", "--local-user", "${SSTATE_SIG_KEY}", "--output", "${SSTATE_PKG}.sig", "${SSTATE_PKG}", flatten=True)}
        fi
        cd ${WORKDIR}
author	Ross Burton <ross.burton@intel.com>	2015-10-24 01:02:34 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-11-24 15:50:26 +0000
commit	59b27d558febc42e5f127a7f27f6c0de73a61e30 (patch)
tree	2c126bdb6635b9b4ae5c3550c023b6ed86504d4c
parent	4415dc5cdda9a9ca18e5202309c1dadcb013b1dc (diff)
download	poky-59b27d558febc42e5f127a7f27f6c0de73a61e30.tar.gz