sign_rpm.bbclass: do not store key details in signer instance
Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. (From OE-Core rev: e2412294b6b1d3a80ee97a0706613349edc51d33) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
parent
d5be8666a1
commit
e845b75f8f
|
@ -36,13 +36,12 @@ python sign_rpm () {
|
|||
import glob
|
||||
from oe.gpg_sign import get_signer
|
||||
|
||||
signer = get_signer(d,
|
||||
d.getVar('RPM_GPG_BACKEND', True),
|
||||
d.getVar('RPM_GPG_NAME', True),
|
||||
d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
|
||||
signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True))
|
||||
rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*')
|
||||
|
||||
signer.sign_rpms(rpms)
|
||||
signer.sign_rpms(rpms,
|
||||
d.getVar('RPM_GPG_NAME', True),
|
||||
d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
|
||||
}
|
||||
|
||||
do_package_index[depends] += "signing-keys:do_export_public_keys"
|
||||
|
|
|
@ -6,31 +6,29 @@ import oe.utils
|
|||
|
||||
class LocalSigner(object):
|
||||
"""Class for handling local (on the build host) signing"""
|
||||
def __init__(self, d, keyid, passphrase_file):
|
||||
self.keyid = keyid
|
||||
self.passphrase_file = passphrase_file
|
||||
def __init__(self, d):
|
||||
self.gpg_bin = d.getVar('GPG_BIN', True) or \
|
||||
bb.utils.which(os.getenv('PATH'), 'gpg')
|
||||
self.gpg_path = d.getVar('GPG_PATH', True)
|
||||
self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm")
|
||||
|
||||
def export_pubkey(self, output_file):
|
||||
def export_pubkey(self, output_file, keyid):
|
||||
"""Export GPG public key to a file"""
|
||||
cmd = '%s --batch --yes --export --armor -o %s ' % \
|
||||
(self.gpg_bin, output_file)
|
||||
if self.gpg_path:
|
||||
cmd += "--homedir %s " % self.gpg_path
|
||||
cmd += self.keyid
|
||||
cmd += keyid
|
||||
status, output = oe.utils.getstatusoutput(cmd)
|
||||
if status:
|
||||
raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' %
|
||||
(self.keyid, output))
|
||||
(keyid, output))
|
||||
|
||||
def sign_rpms(self, files):
|
||||
def sign_rpms(self, files, keyid, passphrase_file):
|
||||
"""Sign RPM files"""
|
||||
import pexpect
|
||||
|
||||
cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % self.keyid
|
||||
cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid
|
||||
if self.gpg_bin:
|
||||
cmd += "--define '%%__gpg %s' " % self.gpg_bin
|
||||
if self.gpg_path:
|
||||
|
@ -41,7 +39,7 @@ class LocalSigner(object):
|
|||
proc = pexpect.spawn(cmd)
|
||||
try:
|
||||
proc.expect_exact('Enter pass phrase:', timeout=15)
|
||||
with open(self.passphrase_file) as fobj:
|
||||
with open(passphrase_file) as fobj:
|
||||
proc.sendline(fobj.readline().rstrip('\n'))
|
||||
proc.expect(pexpect.EOF, timeout=900)
|
||||
proc.close()
|
||||
|
@ -52,11 +50,11 @@ class LocalSigner(object):
|
|||
bb.error('rpmsign failed: %s' % proc.before.strip())
|
||||
raise bb.build.FuncFailed("Failed to sign RPM packages")
|
||||
|
||||
def detach_sign(self, input_file, armor=True):
|
||||
def detach_sign(self, input_file, keyid, passphrase_file, armor=True):
|
||||
"""Create a detached signature of a file"""
|
||||
cmd = "%s --detach-sign --batch --no-tty --yes " \
|
||||
"--passphrase-file '%s' -u '%s' " % \
|
||||
(self.gpg_bin, self.passphrase_file, self.keyid)
|
||||
(self.gpg_bin, passphrase_file, keyid)
|
||||
if self.gpg_path:
|
||||
cmd += "--homedir %s " % self.gpg_path
|
||||
if armor:
|
||||
|
@ -78,11 +76,11 @@ class LocalSigner(object):
|
|||
return ret
|
||||
|
||||
|
||||
def get_signer(d, backend, keyid, passphrase_file):
|
||||
def get_signer(d, backend):
|
||||
"""Get signer object for the specified backend"""
|
||||
# Use local signing by default
|
||||
if backend == 'local':
|
||||
return LocalSigner(d, keyid, passphrase_file)
|
||||
return LocalSigner(d)
|
||||
else:
|
||||
bb.fatal("Unsupported signing backend '%s'" % backend)
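Review bot: In export_pubkey the key ID is appended to the command string with no quoting (`cmd += keyid`), while detach_sign wraps the same value as `-u '%s'` and sign_rpms places it inside `--define '_gpg_name %s'`. Now that keyid is a per-call argument, a value containing a space or a shell metacharacter would be split or reinterpreted instead of failing cleanly, and the same applies to the unquoted `output_file` and `--homedir %s`. Quote every interpolated value with the standard library helper (`pipes.quote(keyid)` on Python 2, `shlex.quote(keyid)` on Python 3), or pass an argument list if the command runner accepts one; oe.utils.getstatusoutput is not shown here, so that it runs the string through a shell is an assumption. The one-line docstrings should also describe the new `keyid` and `passphrase_file` parameters.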
|
||||
|
||||
|
|
|
@ -110,10 +110,7 @@ class RpmIndexer(Indexer):
|
|||
|
||||
rpm_createrepo = bb.utils.which(os.getenv('PATH'), "createrepo")
|
||||
if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
|
||||
signer = get_signer(self.d,
|
||||
self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
|
||||
self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
|
||||
self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
|
||||
signer = get_signer(self.d, self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
|
||||
else:
|
||||
signer = None
|
||||
index_cmds = []
|
||||
|
@ -144,7 +141,9 @@ class RpmIndexer(Indexer):
|
|||
# Sign repomd
|
||||
if signer:
|
||||
for repomd in repomd_files:
|
||||
signer.detach_sign(repomd)
|
||||
signer.detach_sign(repomd,
|
||||
self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
|
||||
self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
|
||||
# Copy pubkey(s) to repo
|
||||
distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0"
|
||||
if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
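Review bot: The two `self.d.getVar(...)` lookups added to the `signer.detach_sign(...)` call are repeated for every entry in `repomd_files`, and neither value is checked before use. detach_sign formats both into `--passphrase-file '%s' -u '%s'`, so an unset variable would reach gpg as the literal string `None`. Unless these variables are validated outside this hunk, read them once before the loop (`keyid = self.d.getVar('PACKAGE_FEED_GPG_NAME', True)`, likewise for the passphrase file) and fail with a clear message when either is empty. The enclosing method starts and ends outside the hunks shown.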
|
||||
|
|
|
@ -26,18 +26,14 @@ python do_export_public_keys () {
|
|||
|
||||
if d.getVar("RPM_SIGN_PACKAGES", True):
|
||||
# Export public key of the rpm signing key
|
||||
signer = get_signer(d,
|
||||
d.getVar('RPM_GPG_BACKEND', True),
|
||||
d.getVar('RPM_GPG_NAME', True),
|
||||
d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
|
||||
signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True))
|
||||
signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True))
|
||||
signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True),
|
||||
d.getVar('RPM_GPG_NAME', True))
|
||||
|
||||
if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
|
||||
# Export public key of the feed signing key
|
||||
signer = get_signer(d,
|
||||
d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
|
||||
d.getVar('PACKAGE_FEED_GPG_NAME', True),
|
||||
d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
|
||||
signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
|
||||
signer = get_signer(d, d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
|
||||
signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True),
|
||||
d.getVar('PACKAGE_FEED_GPG_NAME', True))
|
||||
}
|
||||
addtask do_export_public_keys before do_build
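Review bot: The guard `if d.getVar("RPM_SIGN_PACKAGES", True):` tests truthiness, while the feed branch below it and the RpmIndexer code compare against `'1'`, so a configuration that sets RPM_SIGN_PACKAGES to `"0"` would still run the RPM key export. With the key ID now passed per call, that path ends in `cmd += keyid` inside export_pubkey, which raises TypeError when RPM_GPG_NAME is unset rather than reporting a configuration error. Use `if d.getVar("RPM_SIGN_PACKAGES", True) == '1':` to match the other checks.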
|
||||
|
|