sign_rpm.bbclass: do not store key details in signer instance

Refactor the LocalSigner class. Do not store keyid or passphrase file in
the signer object as they are only needed for some of the methods. For
example, the newly added verify() method does not need any key
parameters and export_pubkey only uses keyid.

(From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33)

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Markus Lehtonen 2016-02-10 16:15:57 +02:00 committed by Richard Purdie
parent d5be8666a1
commit e845b75f8f
4 changed files with 25 additions and 33 deletions


@ -36,13 +36,12 @@ python sign_rpm () {
import glob
from oe.gpg_sign import get_signer
signer = get_signer(d,
d.getVar('RPM_GPG_BACKEND', True),
d.getVar('RPM_GPG_NAME', True),
d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True))
rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*')
signer.sign_rpms(rpms)
signer.sign_rpms(rpms,
d.getVar('RPM_GPG_NAME', True),
d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
}
do_package_index[depends] += "signing-keys:do_export_public_keys"
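Review bot: Nothing in this hunk checks that `RPM_GPG_NAME` and `RPM_GPG_PASSPHRASE_FILE` are set before they are handed to `signer.sign_rpms`, and `d.getVar` returns None for an unset variable. In that case the rpm command would be built with `_gpg_name None`, and the error would only surface at `open(passphrase_file)` after the passphrase prompt. Unless the class validates them somewhere outside this hunk, read both into locals and stop early, e.g. `if not keyid or not passphrase_file: bb.fatal("RPM_GPG_NAME and RPM_GPG_PASSPHRASE_FILE must be set to sign RPMs")`. The same applies to the `detach_sign` call in RpmIndexer and the `export_pubkey` calls in do_export_public_keys.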


@ -6,31 +6,29 @@ import oe.utils
class LocalSigner(object):
"""Class for handling local (on the build host) signing"""
def __init__(self, d, keyid, passphrase_file):
self.keyid = keyid
self.passphrase_file = passphrase_file
def __init__(self, d):
self.gpg_bin = d.getVar('GPG_BIN', True) or \
bb.utils.which(os.getenv('PATH'), 'gpg')
self.gpg_path = d.getVar('GPG_PATH', True)
self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm")
def export_pubkey(self, output_file):
def export_pubkey(self, output_file, keyid):
"""Export GPG public key to a file"""
cmd = '%s --batch --yes --export --armor -o %s ' % \
(self.gpg_bin, output_file)
if self.gpg_path:
cmd += "--homedir %s " % self.gpg_path
cmd += self.keyid
cmd += keyid
status, output = oe.utils.getstatusoutput(cmd)
if status:
raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' %
(self.keyid, output))
(keyid, output))
def sign_rpms(self, files):
def sign_rpms(self, files, keyid, passphrase_file):
"""Sign RPM files"""
import pexpect
cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % self.keyid
cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid
if self.gpg_bin:
cmd += "--define '%%__gpg %s' " % self.gpg_bin
if self.gpg_path:
@ -41,7 +39,7 @@ class LocalSigner(object):
proc = pexpect.spawn(cmd)
try:
proc.expect_exact('Enter pass phrase:', timeout=15)
with open(self.passphrase_file) as fobj:
with open(passphrase_file) as fobj:
proc.sendline(fobj.readline().rstrip('\n'))
proc.expect(pexpect.EOF, timeout=900)
proc.close()
@ -52,11 +50,11 @@ class LocalSigner(object):
bb.error('rpmsign failed: %s' % proc.before.strip())
raise bb.build.FuncFailed("Failed to sign RPM packages")
def detach_sign(self, input_file, armor=True):
def detach_sign(self, input_file, keyid, passphrase_file, armor=True):
"""Create a detached signature of a file"""
cmd = "%s --detach-sign --batch --no-tty --yes " \
"--passphrase-file '%s' -u '%s' " % \
(self.gpg_bin, self.passphrase_file, self.keyid)
(self.gpg_bin, passphrase_file, keyid)
if self.gpg_path:
cmd += "--homedir %s " % self.gpg_path
if armor:
@ -78,11 +76,11 @@ class LocalSigner(object):
return ret
def get_signer(d, backend, keyid, passphrase_file):
def get_signer(d, backend):
"""Get signer object for the specified backend"""
# Use local signing by default
if backend == 'local':
return LocalSigner(d, keyid, passphrase_file)
return LocalSigner(d)
else:
bb.fatal("Unsupported signing backend '%s'" % backend)
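Review bot: In export_pubkey the key id is appended to the command string unquoted (`cmd += keyid`), and `output_file` and `self.gpg_path` are interpolated the same way, whereas detach_sign wraps its values in single quotes. Now that each caller passes keyid in, quote every interpolated value consistently, e.g. `cmd += shlex.quote(keyid)` (`pipes.quote` on Python 2). A key name or path containing spaces or shell metacharacters then cannot alter the command that `oe.utils.getstatusoutput` runs, presumably through a shell. The `'_gpg_name %s'` define in sign_rpms has the same weakness, since a single quote in the value would end the quoted argument. The bodies of sign_rpms and detach_sign continue outside the visible hunks.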


@ -110,10 +110,7 @@ class RpmIndexer(Indexer):
rpm_createrepo = bb.utils.which(os.getenv('PATH'), "createrepo")
if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
signer = get_signer(self.d,
self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
signer = get_signer(self.d, self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
else:
signer = None
index_cmds = []
@ -144,7 +141,9 @@ class RpmIndexer(Indexer):
# Sign repomd
if signer:
for repomd in repomd_files:
signer.detach_sign(repomd)
signer.detach_sign(repomd,
self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
# Copy pubkey(s) to repo
distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0"
if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
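Review bot: The `for repomd in repomd_files` loop looks up `PACKAGE_FEED_GPG_NAME` and `PACKAGE_FEED_GPG_PASSPHRASE_FILE` in the datastore again on every iteration, although neither can change between iterations. Reading them once next to the `get_signer` call, e.g. `feed_key = self.d.getVar('PACKAGE_FEED_GPG_NAME', True)` and `feed_pass = self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)`, keeps the signing configuration in one place and shortens the call to `signer.detach_sign(repomd, feed_key, feed_pass)`. The enclosing method starts and ends outside these hunks.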


@ -26,18 +26,14 @@ python do_export_public_keys () {
if d.getVar("RPM_SIGN_PACKAGES", True):
# Export public key of the rpm signing key
signer = get_signer(d,
d.getVar('RPM_GPG_BACKEND', True),
d.getVar('RPM_GPG_NAME', True),
d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True))
signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True))
signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True),
d.getVar('RPM_GPG_NAME', True))
if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
# Export public key of the feed signing key
signer = get_signer(d,
d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
d.getVar('PACKAGE_FEED_GPG_NAME', True),
d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
signer = get_signer(d, d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True),
d.getVar('PACKAGE_FEED_GPG_NAME', True))
}
addtask do_export_public_keys before do_build
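Review bot: The first branch tests `if d.getVar("RPM_SIGN_PACKAGES", True):` by truthiness, while the feed branch just below and the RpmIndexer code compare against `'1'`. With `RPM_SIGN_PACKAGES = "0"` this branch would still run and call `export_pubkey`, possibly with an unset `RPM_GPG_NAME`. Since this commit already edits the branch, it could align the test: `if d.getVar("RPM_SIGN_PACKAGES", True) == '1':`.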