sysmo-bts
/
generic-poky
9
0
Fork 0
Code Pull Requests Releases Activity
generic-poky/meta/lib/oe/gpg_sign.py

87 lines
3.2 KiB
Python
Raw Normal View History

meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
"""Helper module for GPG signing"""
import os
import bb
import oe.utils
class LocalSigner(object):
"""Class for handling local (on the build host) signing"""
sign_rpm.bbclass: do not store key details in signer instance Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:57 +00:00
def __init__(self, d):
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
self.gpg_bin = d.getVar('GPG_BIN', True) or \
bb.utils.which(os.getenv('PATH'), 'gpg')
self.gpg_path = d.getVar('GPG_PATH', True)
self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm")
sign_rpm.bbclass: do not store key details in signer instance Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:57 +00:00
def export_pubkey(self, output_file, keyid):
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
"""Export GPG public key to a file"""
cmd = '%s --batch --yes --export --armor -o %s ' % \
(self.gpg_bin, output_file)
if self.gpg_path:
cmd += "--homedir %s " % self.gpg_path
sign_rpm.bbclass: do not store key details in signer instance Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:57 +00:00
cmd += keyid
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
status, output = oe.utils.getstatusoutput(cmd)
if status:
raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' %
sign_rpm.bbclass: do not store key details in signer instance Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:57 +00:00
(keyid, output))
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
sign_rpm.bbclass: do not store key details in signer instance Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:57 +00:00
def sign_rpms(self, files, keyid, passphrase_file):
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
"""Sign RPM files"""
import pexpect
sign_rpm.bbclass: do not store key details in signer instance Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:57 +00:00
cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
if self.gpg_bin:
cmd += "--define '%%__gpg %s' " % self.gpg_bin
if self.gpg_path:
cmd += "--define '_gpg_path %s' " % self.gpg_path
cmd += ' '.join(files)
# Need to use pexpect for feeding the passphrase
proc = pexpect.spawn(cmd)
try:
proc.expect_exact('Enter pass phrase:', timeout=15)
sign_rpm.bbclass: do not store key details in signer instance Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:57 +00:00
with open(passphrase_file) as fobj:
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
proc.sendline(fobj.readline().rstrip('\n'))
proc.expect(pexpect.EOF, timeout=900)
proc.close()
except pexpect.TIMEOUT as err:
bb.error('rpmsign timeout: %s' % err)
proc.terminate()
if os.WEXITSTATUS(proc.status) or not os.WIFEXITED(proc.status):
bb.error('rpmsign failed: %s' % proc.before.strip())
raise bb.build.FuncFailed("Failed to sign RPM packages")
sign_rpm.bbclass: do not store key details in signer instance Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:57 +00:00
def detach_sign(self, input_file, keyid, passphrase_file, armor=True):
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
"""Create a detached signature of a file"""
oe/gpg_sign: add 'armor' argument to detach_sign() [YOCTO #9006] (From OE-Core rev: ce653694a87fd77d79ec3d28ed3365a2c8e57ad6) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:56 +00:00
cmd = "%s --detach-sign --batch --no-tty --yes " \
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
"--passphrase-file '%s' -u '%s' " % \
sign_rpm.bbclass: do not store key details in signer instance Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:57 +00:00
(self.gpg_bin, passphrase_file, keyid)
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
if self.gpg_path:
oe/gpg_sign: fix incorrect variable name Prevents crash in signing if GPG_PATH is defined. (From OE-Core rev: 0ecd748258abfe5ed9e9e2505aeb42b232389968) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-08 15:20:05 +00:00
cmd += "--homedir %s " % self.gpg_path
oe/gpg_sign: add 'armor' argument to detach_sign() [YOCTO #9006] (From OE-Core rev: ce653694a87fd77d79ec3d28ed3365a2c8e57ad6) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:56 +00:00
if armor:
cmd += "--armor "
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
cmd += input_file
status, output = oe.utils.getstatusoutput(cmd)
if status:
raise bb.build.FuncFailed("Failed to create signature for '%s': %s" %
(input_file, output))
oe/gpg_sign: add verify() method A new method for verifying detached signatures. [YOCTO #9006] (From OE-Core rev: 4445c645c71151bd56ff7e133343a6f1e30cc3b3) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:55 +00:00
def verify(self, sig_file):
"""Verify signature"""
cmd = self.gpg_bin + " --verify "
if self.gpg_path:
cmd += "--homedir %s " % self.gpg_path
cmd += sig_file
status, _ = oe.utils.getstatusoutput(cmd)
ret = False if status else True
return ret
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
sign_rpm.bbclass: do not store key details in signer instance Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:57 +00:00
def get_signer(d, backend):
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
"""Get signer object for the specified backend"""
# Use local signing by default
if backend == 'local':
sign_rpm.bbclass: do not store key details in signer instance Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-10 14:15:57 +00:00
return LocalSigner(d)
meta/lib: new module for handling GPG signing Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-25 12:21:34 +00:00
else:
bb.fatal("Unsupported signing backend '%s'" % backend)