signing-keys: Make signing keys the only publisher of keys
Previously the keys were put into the os-release package. The package indexing code was also deploying the keys rather than only using the keys. This change makes signing-keys.bb the only publisher of the keys and also uses standard tasks that already have sstate. (From OE-Core rev: 1e38068ac38dfd067655dfd41464e28439179306) Signed-off-by: Randy Witt <randy.e.witt@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
64ab17b707
commit
7bb9e8ddbf
|
@ -27,12 +27,7 @@ python () {
|
|||
for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'):
|
||||
if not d.getVar(var, True):
|
||||
raise_sanity_error("You need to define %s in the config" % var, d)
|
||||
|
||||
# Set expected location of the public key
|
||||
d.setVar('PACKAGE_FEED_GPG_PUBKEY',
|
||||
os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
|
||||
'PACKAGE-FEED-GPG-PUBKEY'))
|
||||
}
|
||||
|
||||
do_package_index[depends] += "signing-keys:do_export_public_keys"
|
||||
do_rootfs[depends] += "signing-keys:do_export_public_keys"
|
||||
do_package_index[depends] += "signing-keys:do_deploy"
|
||||
do_rootfs[depends] += "signing-keys:do_populate_sysroot"
|
||||
|
|
|
@ -28,8 +28,11 @@ python () {
|
|||
raise_sanity_error("You need to define %s in the config" % var, d)
|
||||
|
||||
# Set the expected location of the public key
|
||||
d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
|
||||
'RPM-GPG-PUBKEY'))
|
||||
d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_DIR_TARGET', False),
|
||||
d.getVar('sysconfdir', False),
|
||||
'pki',
|
||||
'rpm-gpg',
|
||||
'RPM-GPG-KEY-${DISTRO_VERSION}'))
|
||||
}
|
||||
|
||||
python sign_rpm () {
|
||||
|
@ -44,5 +47,5 @@ python sign_rpm () {
|
|||
d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
|
||||
}
|
||||
|
||||
do_package_index[depends] += "signing-keys:do_export_public_keys"
|
||||
do_rootfs[depends] += "signing-keys:do_export_public_keys"
|
||||
do_package_index[depends] += "signing-keys:do_deploy"
|
||||
do_rootfs[depends] += "signing-keys:do_populate_sysroot"
|
||||
|
|
|
@ -144,16 +144,6 @@ class RpmIndexer(Indexer):
|
|||
signer.detach_sign(repomd,
|
||||
self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
|
||||
self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
|
||||
# Copy pubkey(s) to repo
|
||||
distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0"
|
||||
if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
|
||||
shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True),
|
||||
os.path.join(self.deploy_dir,
|
||||
'RPM-GPG-KEY-%s' % distro_version))
|
||||
if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
|
||||
shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY', True),
|
||||
os.path.join(self.deploy_dir,
|
||||
'REPODATA-GPG-KEY-%s' % distro_version))
|
||||
|
||||
|
||||
class OpkgIndexer(Indexer):
|
||||
|
|
|
@ -3,37 +3,62 @@
|
|||
|
||||
DESCRIPTION = "Make public keys of the signing keys available"
|
||||
LICENSE = "MIT"
|
||||
PACKAGES = ""
|
||||
LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
|
||||
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
|
||||
|
||||
do_fetch[noexec] = "1"
|
||||
do_unpack[noexec] = "1"
|
||||
do_patch[noexec] = "1"
|
||||
do_configure[noexec] = "1"
|
||||
do_compile[noexec] = "1"
|
||||
do_install[noexec] = "1"
|
||||
do_package[noexec] = "1"
|
||||
do_packagedata[noexec] = "1"
|
||||
do_package_write_ipk[noexec] = "1"
|
||||
do_package_write_rpm[noexec] = "1"
|
||||
do_package_write_deb[noexec] = "1"
|
||||
do_populate_sysroot[noexec] = "1"
|
||||
|
||||
inherit allarch deploy
|
||||
|
||||
EXCLUDE_FROM_WORLD = "1"
|
||||
INHIBIT_DEFAULT_DEPS = "1"
|
||||
|
||||
PACKAGES =+ "${PN}-rpm ${PN}-packagefeed"
|
||||
|
||||
python do_export_public_keys () {
|
||||
FILES_${PN}-rpm = "${sysconfdir}/pki/rpm-gpg"
|
||||
FILES_${PN}-packagefeed = "${sysconfdir}/pki/packagefeed-gpg"
|
||||
|
||||
python do_get_public_keys () {
|
||||
from oe.gpg_sign import get_signer
|
||||
|
||||
if d.getVar("RPM_SIGN_PACKAGES", True):
|
||||
# Export public key of the rpm signing key
|
||||
signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True))
|
||||
signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True),
|
||||
signer.export_pubkey(os.path.join(d.expand('${B}'), 'rpm-key'),
|
||||
d.getVar('RPM_GPG_NAME', True))
|
||||
|
||||
if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
|
||||
# Export public key of the feed signing key
|
||||
signer = get_signer(d, d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
|
||||
signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True),
|
||||
signer.export_pubkey(os.path.join(d.expand('${B}'), 'pf-key'),
|
||||
d.getVar('PACKAGE_FEED_GPG_NAME', True))
|
||||
}
|
||||
addtask do_export_public_keys before do_build
|
||||
do_get_public_keys[cleandirs] = "${B}"
|
||||
addtask get_public_keys before do_install
|
||||
|
||||
do_install () {
|
||||
if [ -f "${B}/rpm-key" ]; then
|
||||
install -D -m 0644 "${B}/rpm-key" "${D}${sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-${DISTRO_VERSION}"
|
||||
fi
|
||||
if [ -f "${B}/pf-key" ]; then
|
||||
install -D -m 0644 "${B}/pf-key" "${D}${sysconfdir}/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-${DISTRO_VERSION}"
|
||||
fi
|
||||
}
|
||||
|
||||
sysroot_stage_all_append () {
|
||||
sysroot_stage_dir ${D}${sysconfdir}/pki ${SYSROOT_DESTDIR}${sysconfdir}/pki
|
||||
}
|
||||
|
||||
do_deploy () {
|
||||
if [ -f "${B}/rpm-key" ]; then
|
||||
install -D -m 0644 "${B}/rpm-key" "${DEPLOYDIR}/RPM-GPG-KEY-${DISTRO_VERSION}"
|
||||
fi
|
||||
if [ -f "${B}/pf-key" ]; then
|
||||
install -D -m 0644 "${B}/pf-key" "${DEPLOYDIR}/PACKAGEFEED-GPG-KEY-${DISTRO_VERSION}"
|
||||
fi
|
||||
}
|
||||
do_deploy[sstate-outputdirs] = "${DEPLOY_DIR_RPM}"
|
||||
# cleandirs should possibly be in deploy.bbclass but we need it
|
||||
do_deploy[cleandirs] = "${DEPLOYDIR}"
|
||||
# clear stamp-extra-info since MACHINE is normally put there by deploy.bbclass
|
||||
do_deploy[stamp-extra-info] = ""
|
||||
addtask deploy after do_get_public_keys
|
||||
|
|
|
@ -30,21 +30,10 @@ python do_compile () {
|
|||
value = d.getVar(field, True)
|
||||
if value:
|
||||
f.write('{0}="{1}"\n'.format(field, value))
|
||||
if d.getVar('RPM_SIGN_PACKAGES', True) == '1':
|
||||
rpm_gpg_pubkey = d.getVar('RPM_GPG_PUBKEY', True)
|
||||
bb.utils.mkdirhier('${B}/rpm-gpg')
|
||||
distro_version = d.getVar('DISTRO_VERSION', True) or "oe.0"
|
||||
shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version))
|
||||
}
|
||||
do_compile[vardeps] += "${OS_RELEASE_FIELDS}"
|
||||
do_compile[depends] += "signing-keys:do_export_public_keys"
|
||||
|
||||
do_install () {
|
||||
install -d ${D}${sysconfdir}
|
||||
install -m 0644 os-release ${D}${sysconfdir}/
|
||||
|
||||
if [ -d "rpm-gpg" ]; then
|
||||
install -d "${D}${sysconfdir}/pki"
|
||||
cp -r "rpm-gpg" "${D}${sysconfdir}/pki/"
|
||||
fi
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue