summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta/classes/sstate.bbclass5
-rw-r--r--meta/lib/oe/gpg_sign.py27
2 files changed, 26 insertions, 6 deletions
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index c125286f74..7f034d746a 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -116,6 +116,9 @@ SSTATE_SIG_KEY ?= ""
116SSTATE_SIG_PASSPHRASE ?= "" 116SSTATE_SIG_PASSPHRASE ?= ""
117# Whether to verify the GnUPG signatures when extracting sstate archives 117# Whether to verify the GnUPG signatures when extracting sstate archives
118SSTATE_VERIFY_SIG ?= "0" 118SSTATE_VERIFY_SIG ?= "0"
119# List of signatures to consider valid.
120SSTATE_VALID_SIGS ??= ""
121SSTATE_VALID_SIGS[vardepvalue] = ""
119 122
120SSTATE_HASHEQUIV_METHOD ?= "oe.sstatesig.OEOuthashBasic" 123SSTATE_HASHEQUIV_METHOD ?= "oe.sstatesig.OEOuthashBasic"
121SSTATE_HASHEQUIV_METHOD[doc] = "The fully-qualified function used to calculate \ 124SSTATE_HASHEQUIV_METHOD[doc] = "The fully-qualified function used to calculate \
@@ -372,7 +375,7 @@ def sstate_installpkg(ss, d):
372 bb.warn("No signature file for sstate package %s, skipping acceleration..." % sstatepkg) 375 bb.warn("No signature file for sstate package %s, skipping acceleration..." % sstatepkg)
373 return False 376 return False
374 signer = get_signer(d, 'local') 377 signer = get_signer(d, 'local')
375 if not signer.verify(sstatepkg + '.sig'): 378 if not signer.verify(sstatepkg + '.sig', d.getVar("SSTATE_VALID_SIGS")):
376 bb.warn("Cannot verify signature on sstate package %s, skipping acceleration..." % sstatepkg) 379 bb.warn("Cannot verify signature on sstate package %s, skipping acceleration..." % sstatepkg)
377 return False 380 return False
378 381
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 492f096eaa..1bce6cb792 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -109,16 +109,33 @@ class LocalSigner(object):
109 bb.fatal("Could not get gpg version: %s" % e) 109 bb.fatal("Could not get gpg version: %s" % e)
110 110
111 111
112 def verify(self, sig_file): 112 def verify(self, sig_file, valid_sigs = ''):
113 """Verify signature""" 113 """Verify signature"""
114 cmd = self.gpg_cmd + ["--verify", "--no-permission-warning"] 114 cmd = self.gpg_cmd + ["--verify", "--no-permission-warning", "--status-fd", "1"]
115 if self.gpg_path: 115 if self.gpg_path:
116 cmd += ["--homedir", self.gpg_path] 116 cmd += ["--homedir", self.gpg_path]
117 117
118 cmd += [sig_file] 118 cmd += [sig_file]
119 status = subprocess.call(cmd) 119 status = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
120 ret = False if status else True 120 # Valid if any key matches if unspecified
121 return ret 121 if not valid_sigs:
122 ret = False if status.returncode else True
123 return ret
124
125 import re
126 goodsigs = []
127 sigre = re.compile(r'^\[GNUPG:\] GOODSIG (\S+)\s(.*)$')
128 for l in status.stdout.decode("utf-8").splitlines():
129 s = sigre.match(l)
130 if s:
131 goodsigs += [s.group(1)]
132
133 for sig in valid_sigs.split():
134 if sig in goodsigs:
135 return True
136 if len(goodsigs):
137 bb.warn('No accepted signatures found. Good signatures found: %s.' % ' '.join(goodsigs))
138 return False
122 139
123 140
124def get_signer(d, backend): 141def get_signer(d, backend):
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-01-23 12:04:53 +0000