summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorTobias Hagelborn <tobias.hagelborn@axis.com>2023-03-30 17:38:09 +0200
committerSteve Sakoman <steve@sakoman.com>2023-04-14 06:30:29 -1000
commit5e4a87d6e915b2a65f3d9dd6296c1558a49ebdaf (patch)
treee2232b818a119a59ce1ff4f7333d5a3cf0fd94fb /meta
parent75d03fe4839f6f4279bf4d039083e1476e84d2f2 (diff)
downloadpoky-5e4a87d6e915b2a65f3d9dd6296c1558a49ebdaf.tar.gz
lib/oe/gpg_sign.py: Avoid race when creating .sig files in detach_sign
Move the signature file into place only after it is successfully signed. This to avoid race and corrupted .sig files in cases multiple onging builds write to a shared sstate-cache dir. (From OE-Core rev: bbb20a6d74aebff830fcb0c69739a10fd64d9cf3) Signed-off-by: Tobias Hagelborn <tobiasha@axis.com> Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit b4ec08ea9efebac262d43f47d95a356fe2829de9) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r--meta/lib/oe/gpg_sign.py27
1 files changed, 17 insertions, 10 deletions
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 613dab8561..ede6186c84 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -5,11 +5,12 @@
5# 5#
6 6
7"""Helper module for GPG signing""" 7"""Helper module for GPG signing"""
8import os
9 8
10import bb 9import bb
11import subprocess 10import os
12import shlex 11import shlex
12import subprocess
13import tempfile
13 14
14class LocalSigner(object): 15class LocalSigner(object):
15 """Class for handling local (on the build host) signing""" 16 """Class for handling local (on the build host) signing"""
@@ -73,8 +74,6 @@ class LocalSigner(object):
73 cmd += ['--homedir', self.gpg_path] 74 cmd += ['--homedir', self.gpg_path]
74 if armor: 75 if armor:
75 cmd += ['--armor'] 76 cmd += ['--armor']
76 if output_suffix:
77 cmd += ['-o', input_file + "." + output_suffix]
78 if use_sha256: 77 if use_sha256:
79 cmd += ['--digest-algo', "SHA256"] 78 cmd += ['--digest-algo', "SHA256"]
80 79
@@ -83,19 +82,27 @@ class LocalSigner(object):
83 if self.gpg_version > (2,1,): 82 if self.gpg_version > (2,1,):
84 cmd += ['--pinentry-mode', 'loopback'] 83 cmd += ['--pinentry-mode', 'loopback']
85 84
86 cmd += [input_file]
87
88 try: 85 try:
89 if passphrase_file: 86 if passphrase_file:
90 with open(passphrase_file) as fobj: 87 with open(passphrase_file) as fobj:
91 passphrase = fobj.readline(); 88 passphrase = fobj.readline();
92 89
93 job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stderr=subprocess.PIPE) 90 if not output_suffix:
94 (_, stderr) = job.communicate(passphrase.encode("utf-8")) 91 output_suffix = 'asc' if armor else 'sig'
92 output_file = input_file + "." + output_suffix
93 with tempfile.TemporaryDirectory(dir=os.path.dirname(output_file)) as tmp_dir:
94 tmp_file = os.path.join(tmp_dir, os.path.basename(output_file))
95 cmd += ['-o', tmp_file]
96
97 cmd += [input_file]
98
99 job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
100 (_, stderr) = job.communicate(passphrase.encode("utf-8"))
95 101
96 if job.returncode: 102 if job.returncode:
97 bb.fatal("GPG exited with code %d: %s" % (job.returncode, stderr.decode("utf-8"))) 103 bb.fatal("GPG exited with code %d: %s" % (job.returncode, stderr.decode("utf-8")))
98 104
105 os.rename(tmp_file, output_file)
99 except IOError as e: 106 except IOError as e:
100 bb.error("IO error (%s): %s" % (e.errno, e.strerror)) 107 bb.error("IO error (%s): %s" % (e.errno, e.strerror))
101 raise Exception("Failed to sign '%s'" % input_file) 108 raise Exception("Failed to sign '%s'" % input_file)
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-06-09 06:15:24 +0000