gpg_sign: add local ipk package signing functionality
Implement ipk signing inside the sign_ipk bbclass using the gpg_sign module and configure signing similar to how rpm does it. sign_ipk uses gpg_sign's detach_sign because its functionality is identical to package feed signing. IPK signing process is a bit different from rpm: - Signatures are stored outside ipk files; opkg connects to a feed server and downloads them to verify a package. - Signatures are of two types (both supported by opkg): binary or ascii armoured. By default we sign using ascii armoured. - Public keys are stored on targets to verify ipks using the opkg-keyrings recipe. (From OE-Core rev: a40f27aa7802e8a0bd87a5417e35adbface62d05) Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
6bd6a2b6fe
commit
2fccd8aa1c
|
@ -246,6 +246,11 @@ python do_package_ipk () {
|
|||
bb.utils.unlockfile(lf)
|
||||
raise bb.build.FuncFailed("opkg-build execution failed")
|
||||
|
||||
if d.getVar('IPK_SIGN_PACKAGES', True) == '1':
|
||||
ipkver = "%s-%s" % (d.getVar('PKGV', True), d.getVar('PKGR', True))
|
||||
ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, d.getVar('PACKAGE_ARCH', True))
|
||||
sign_ipk(d, ipk_to_sign)
|
||||
|
||||
cleanupcontrol(root)
|
||||
bb.utils.unlockfile(lf)
|
||||
|
||||
|
|
|
@ -0,0 +1,52 @@
|
|||
# Class for generating signed IPK packages.
|
||||
#
|
||||
# Configuration variables used by this class:
|
||||
# IPK_GPG_PASSPHRASE_FILE
|
||||
# Path to a file containing the passphrase of the signing key.
|
||||
# IPK_GPG_NAME
|
||||
# Name of the key to sign with.
|
||||
# IPK_GPG_BACKEND
|
||||
# Optional variable for specifying the backend to use for signing.
|
||||
# Currently the only available option is 'local', i.e. local signing
|
||||
# on the build host.
|
||||
# IPK_GPG_SIGNATURE_TYPE
|
||||
# Optional variable for specifying the type of gpg signatures, can be:
|
||||
# 1. Ascii armored (ASC), default if not set
|
||||
# 2. Binary (BIN)
|
||||
# GPG_BIN
|
||||
# Optional variable for specifying the gpg binary/wrapper to use for
|
||||
# signing.
|
||||
# GPG_PATH
|
||||
# Optional variable for specifying the gnupg "home" directory:
|
||||
#
|
||||
|
||||
inherit sanity
|
||||
|
||||
IPK_SIGN_PACKAGES = '1'
|
||||
IPK_GPG_BACKEND ?= 'local'
|
||||
IPK_GPG_SIGNATURE_TYPE ?= 'ASC'
|
||||
|
||||
python () {
|
||||
# Check configuration
|
||||
for var in ('IPK_GPG_NAME', 'IPK_GPG_PASSPHRASE_FILE'):
|
||||
if not d.getVar(var, True):
|
||||
raise_sanity_error("You need to define %s in the config" % var, d)
|
||||
|
||||
sigtype = d.getVar("IPK_GPG_SIGNATURE_TYPE", True)
|
||||
if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
|
||||
raise_sanity_error("Bad value for IPK_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype)
|
||||
}
|
||||
|
||||
def sign_ipk(d, ipk_to_sign):
|
||||
from oe.gpg_sign import get_signer
|
||||
|
||||
bb.debug(1, 'Signing ipk: %s' % ipk_to_sign)
|
||||
|
||||
signer = get_signer(d, d.getVar('IPK_GPG_BACKEND', True))
|
||||
sig_type = d.getVar('IPK_GPG_SIGNATURE_TYPE', True)
|
||||
is_ascii_sig = (sig_type.upper() != "BIN")
|
||||
|
||||
signer.detach_sign(ipk_to_sign,
|
||||
d.getVar('IPK_GPG_NAME', True),
|
||||
d.getVar('IPK_GPG_PASSPHRASE_FILE', True),
|
||||
armor=is_ascii_sig)
|
|
@ -50,6 +50,7 @@ class LocalSigner(object):
|
|||
bb.error('rpmsign failed: %s' % proc.before.strip())
|
||||
raise bb.build.FuncFailed("Failed to sign RPM packages")
|
||||
|
||||
|
||||
def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True):
|
||||
"""Create a detached signature of a file"""
|
||||
import subprocess
|
||||
|
@ -58,22 +59,35 @@ class LocalSigner(object):
|
|||
raise Exception("You should use either passphrase_file of passphrase, not both")
|
||||
|
||||
cmd = [self.gpg_bin, '--detach-sign', '--batch', '--no-tty', '--yes',
|
||||
'-u', keyid]
|
||||
if passphrase_file:
|
||||
cmd += ['--passphrase-file', passphrase_file]
|
||||
else:
|
||||
cmd += ['--passphrase-fd', '0']
|
||||
'--passphrase-fd', '0', '-u', keyid]
|
||||
|
||||
if self.gpg_path:
|
||||
cmd += ['--homedir', self.gpg_path]
|
||||
if armor:
|
||||
cmd += ['--armor']
|
||||
cmd.append(input_file)
|
||||
job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE)
|
||||
_, stderr = job.communicate(passphrase)
|
||||
if job.returncode:
|
||||
raise bb.build.FuncFailed("Failed to create signature for '%s': %s" %
|
||||
(input_file, stderr))
|
||||
|
||||
cmd += [input_file]
|
||||
|
||||
try:
|
||||
if passphrase_file:
|
||||
with open(passphrase_file) as fobj:
|
||||
passphrase = fobj.readline();
|
||||
|
||||
job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
(_, stderr) = job.communicate(passphrase)
|
||||
|
||||
if job.returncode:
|
||||
raise bb.build.FuncFailed("GPG exited with code %d: %s" %
|
||||
(job.returncode, stderr))
|
||||
|
||||
except IOError as e:
|
||||
bb.error("IO error (%s): %s" % (e.errno, e.strerror))
|
||||
raise Exception("Failed to sign '%s'" % input_file)
|
||||
|
||||
except OSError as e:
|
||||
bb.error("OS error (%s): %s" % (e.errno, e.strerror))
|
||||
raise Exception("Failed to sign '%s" % input_file)
|
||||
|
||||
|
||||
def verify(self, sig_file):
|
||||
"""Verify signature"""
|
||||
|
|
Loading…
Reference in New Issue