sstate: implement basic signing/validation

To provide some element of integrity to sstate archives, allow sstate archives to be GPG signed with a specified key (detached signature to a sidecar .sig file), and verify the signatures when sstate archives are unpacked. (From OE-Core rev: 237b6c51b42b0c64434dc45685e10f757ac939c2) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2015-09-03 19:39:07 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-09-06 15:26:27 +0100
commit: e3feac122b6baa67a6e75a99da6e8834f0f2a7b0 (patch)
tree: 75df8bd01ccb66fc9c83c938350ce49a6c7bd2d1
parent: 3bafddbadf92dd25fb4e224d62e41e9f9c37b72f (diff)
download: poky-e3feac122b6baa67a6e75a99da6e8834f0f2a7b0.tar.gz
1 files changed, 18 insertions, 1 deletions
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index 4e6afef541..77313bcfbc 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -54,6 +54,13 @@ EXTRA_STAGING_FIXMES ?= ""
 SIGGEN_LOCKEDSIGS_CHECK_LEVEL ?= 'error'
+# The GnuPG key ID and passphrase to use to sign sstate archives (or unset to
+# not sign)
+SSTATE_SIG_KEY ?= ""
+SSTATE_SIG_PASSPHRASE ?= ""
+# Whether to verify the GnUPG signatures when extracting sstate archives
+SSTATE_VERIFY_SIG ?= "0"
 # Specify dirs in which the shell function is executed and don't use ${B}
 # as default dirs to avoid possible race about ${B} with other task.
 sstate_create_package[dirs] = "${SSTATE_BUILDDIR}"
@@ -298,6 +305,10 @@ def sstate_installpkg(ss, d):
    d.setVar('SSTATE_INSTDIR', sstateinst)
    d.setVar('SSTATE_PKG', sstatepkg)
+    if bb.utils.to_boolean(d.getVar("SSTATE_VERIFY_SIG", True), False):
+        if subprocess.call(["gpg", "--verify", sstatepkg + ".sig", sstatepkg]) != 0:
+            bb.warn("Cannot verify signature on sstate package %s" % sstatepkg)
    for f in (d.getVar('SSTATEPREINSTFUNCS', True) or '').split() + ['sstate_unpack_package'] + (d.getVar('SSTATEPOSTUNPACKFUNCS', True) or '').split():
        bb.build.exec_func(f, d)
@@ -605,7 +616,8 @@ def pstaging_fetch(sstatefetch, sstatepkg, d):
    # Try a fetch from the sstate mirror, if it fails just return and
    # we will build the package
    for srcuri in ['file://{0}'.format(sstatefetch),
-                   'file://{0}.siginfo'.format(sstatefetch)]:
+                   'file://{0}.siginfo'.format(sstatefetch),
+                   'file://{0}.sig'.format(sstatefetch)]:
        localdata.setVar('SRC_URI', srcuri)
        try:
            fetcher = bb.fetch2.Fetch([srcuri], localdata, cache=False)
@@ -665,6 +677,11 @@ sstate_create_package () {
        chmod 0664 $TFILE 
        mv -f $TFILE ${SSTATE_PKG}
+        if [ -n "${SSTATE_SIG_KEY}" ]; then
+                rm -f ${SSTATE_PKG}.sig
+                echo ${SSTATE_SIG_PASSPHRASE} | gpg --batch --passphrase-fd 0 --detach-sign --local-user ${SSTATE_SIG_KEY} --output ${SSTATE_PKG}.sig ${SSTATE_PKG}
+        fi
        cd ${WORKDIR}
        rm -rf ${SSTATE_BUILDDIR}
 }
author	Ross Burton <ross.burton@intel.com>	2015-09-03 19:39:07 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-09-06 15:26:27 +0100
commit	e3feac122b6baa67a6e75a99da6e8834f0f2a7b0 (patch)
tree	75df8bd01ccb66fc9c83c938350ce49a6c7bd2d1
parent	3bafddbadf92dd25fb4e224d62e41e9f9c37b72f (diff)
download	poky-e3feac122b6baa67a6e75a99da6e8834f0f2a7b0.tar.gz