sstate: implement basic signing/validation
To provide some element of integrity to sstate archives, allow sstate archives to be GPG signed with a specified key (detached signature to a sidecar .sig file), and verify the signatures when sstate archives are unpacked. (From OE-Core rev: 237b6c51b42b0c64434dc45685e10f757ac939c2) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
3bafddbadf
commit
e3feac122b
@ -54,6 +54,13 @@ EXTRA_STAGING_FIXMES ?= ""
|
|||
|
||||
SIGGEN_LOCKEDSIGS_CHECK_LEVEL ?= 'error'
|
||||
|
||||
# The GnuPG key ID and passphrase to use to sign sstate archives (or unset to
|
||||
# not sign)
|
||||
SSTATE_SIG_KEY ?= ""
|
||||
SSTATE_SIG_PASSPHRASE ?= ""
|
||||
# Whether to verify the GnUPG signatures when extracting sstate archives
|
||||
SSTATE_VERIFY_SIG ?= "0"
|
||||
|
||||
# Specify dirs in which the shell function is executed and don't use ${B}
|
||||
# as default dirs to avoid possible race about ${B} with other task.
|
||||
sstate_create_package[dirs] = "${SSTATE_BUILDDIR}"
|
||||
|
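Review bot: The comment above SSTATE_VERIFY_SIG misspells the tool as "GnUPG"; `# Whether to verify the GnuPG signatures when extracting sstate archives`. The comment on SSTATE_SIG_KEY could also make the handling of the passphrase explicit, since it is consumed by a shell task later in this commit: `# not sign). The passphrase is expanded into the signing task, so keep it in local, non-shared configuration.` Both are wording only; the defaults themselves (no signing, no verification) are reasonable for a new, opt-in feature.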
@ -298,6 +305,10 @@ def sstate_installpkg(ss, d):
|
|||
d.setVar('SSTATE_INSTDIR', sstateinst)
|
||||
d.setVar('SSTATE_PKG', sstatepkg)
|
||||
|
||||
if bb.utils.to_boolean(d.getVar("SSTATE_VERIFY_SIG", True), False):
|
||||
if subprocess.call(["gpg", "--verify", sstatepkg + ".sig", sstatepkg]) != 0:
|
||||
bb.warn("Cannot verify signature on sstate package %s" % sstatepkg)
|
||||
|
||||
for f in (d.getVar('SSTATEPREINSTFUNCS', True) or '').split() + ['sstate_unpack_package'] + (d.getVar('SSTATEPOSTUNPACKFUNCS', True) or '').split():
|
||||
bb.build.exec_func(f, d)
|
||||
|
||||
|
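Review bot: A failed or missing signature only produces a warning, and execution falls straight through to the unpack loop, so with SSTATE_VERIFY_SIG enabled a tampered or unsigned archive is still installed; the verification is fail-open. If the knob is meant to provide integrity, the failure branch should stop the install, e.g. `bb.fatal("Cannot verify signature on sstate package %s" % sstatepkg)`, or at least return before the `sstate_unpack_package` loop. Note also that `gpg --verify` accepts any key in the build user's keyring, so if a specific signing key is expected it would need to be checked separately (for example via `--status-fd` output), which this hunk does not do. sstate_installpkg begins outside the hunk, so whether `subprocess` is already imported at module level is not visible here.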
@ -605,7 +616,8 @@ def pstaging_fetch(sstatefetch, sstatepkg, d):
|
|||
# Try a fetch from the sstate mirror, if it fails just return and
|
||||
# we will build the package
|
||||
for srcuri in ['file://{0}'.format(sstatefetch),
|
||||
'file://{0}.siginfo'.format(sstatefetch)]:
|
||||
'file://{0}.siginfo'.format(sstatefetch),
|
||||
'file://{0}.sig'.format(sstatefetch)]:
|
||||
localdata.setVar('SRC_URI', srcuri)
|
||||
try:
|
||||
fetcher = bb.fetch2.Fetch([srcuri], localdata, cache=False)
|
||||
|
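Review bot: The new `.sig` entry sits directly under `.siginfo`, and the two names are easy to confuse for a reader; a one-line comment above the list would help, e.g. `# .sig is the detached GnuPG signature of the archive; .siginfo carries the task signature data`. The `try:` body continues outside the hunk, so whether a mirror that lacks the `.sig` sidecar is tolerated (and how that interacts with verification at install time) cannot be judged from this hunk alone.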
@ -665,6 +677,11 @@ sstate_create_package () {
|
|||
chmod 0664 $TFILE
|
||||
mv -f $TFILE ${SSTATE_PKG}
|
||||
|
||||
if [ -n "${SSTATE_SIG_KEY}" ]; then
|
||||
rm -f ${SSTATE_PKG}.sig
|
||||
echo ${SSTATE_SIG_PASSPHRASE} | gpg --batch --passphrase-fd 0 --detach-sign --local-user ${SSTATE_SIG_KEY} --output ${SSTATE_PKG}.sig ${SSTATE_PKG}
|
||||
fi
|
||||
|
||||
cd ${WORKDIR}
|
||||
rm -rf ${SSTATE_BUILDDIR}
|
||||
}
|
||||
|
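Review bot: The passphrase is fed to gpg by expanding SSTATE_SIG_PASSPHRASE into the task body, and as far as I understand BitBake's task execution the expanded shell function is written to a run script under the task's temp directory, so the secret would be persisted on disk alongside the task logs; a `--passphrase-file` (or an agent-based flow) would keep it out of the rendered script. The expansions are also unquoted, so a key ID or package path containing whitespace would break the command; `rm -f "${SSTATE_PKG}.sig"` and `echo "${SSTATE_SIG_PASSPHRASE}" | gpg --batch --passphrase-fd 0 --detach-sign --local-user "${SSTATE_SIG_KEY}" --output "${SSTATE_PKG}.sig" "${SSTATE_PKG}"` are the minimal fix. Unless the task runs under `set -e`, a gpg failure here is not checked and the archive would be published without a `.sig`, which the verifying side in this commit only warns about.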