2fccd8aa1c
Implement ipk signing inside the sign_ipk bbclass using the gpg_sign module and configure signing similar to how rpm does it. sign_ipk uses gpg_sign's detach_sign because its functionality is identical to package feed signing. IPK signing process is a bit different from rpm: - Signatures are stored outside ipk files; opkg connects to a feed server and downloads them to verify a package. - Signatures are of two types (both supported by opkg): binary or ascii armoured. By default we sign using ascii armoured. - Public keys are stored on targets to verify ipks using the opkg-keyrings recipe. (From OE-Core rev: a40f27aa7802e8a0bd87a5417e35adbface62d05) Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
53 lines
1.8 KiB
Text
53 lines
1.8 KiB
Text
# Class for generating signed IPK packages.
|
|
#
|
|
# Configuration variables used by this class:
|
|
# IPK_GPG_PASSPHRASE_FILE
|
|
# Path to a file containing the passphrase of the signing key.
|
|
# IPK_GPG_NAME
|
|
# Name of the key to sign with.
|
|
# IPK_GPG_BACKEND
|
|
# Optional variable for specifying the backend to use for signing.
|
|
# Currently the only available option is 'local', i.e. local signing
|
|
# on the build host.
|
|
# IPK_GPG_SIGNATURE_TYPE
|
|
# Optional variable for specifying the type of gpg signatures, can be:
|
|
# 1. Ascii armored (ASC), default if not set
|
|
# 2. Binary (BIN)
|
|
# GPG_BIN
|
|
# Optional variable for specifying the gpg binary/wrapper to use for
|
|
# signing.
|
|
# GPG_PATH
|
|
# Optional variable for specifying the gnupg "home" directory:
|
|
#
|
|
|
|
inherit sanity
|
|
|
|
IPK_SIGN_PACKAGES = '1'
|
|
IPK_GPG_BACKEND ?= 'local'
|
|
IPK_GPG_SIGNATURE_TYPE ?= 'ASC'
|
|
|
|
python () {
|
|
# Check configuration
|
|
for var in ('IPK_GPG_NAME', 'IPK_GPG_PASSPHRASE_FILE'):
|
|
if not d.getVar(var, True):
|
|
raise_sanity_error("You need to define %s in the config" % var, d)
|
|
|
|
sigtype = d.getVar("IPK_GPG_SIGNATURE_TYPE", True)
|
|
if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
|
|
raise_sanity_error("Bad value for IPK_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype)
|
|
}
|
|
|
|
def sign_ipk(d, ipk_to_sign):
|
|
from oe.gpg_sign import get_signer
|
|
|
|
bb.debug(1, 'Signing ipk: %s' % ipk_to_sign)
|
|
|
|
signer = get_signer(d, d.getVar('IPK_GPG_BACKEND', True))
|
|
sig_type = d.getVar('IPK_GPG_SIGNATURE_TYPE', True)
|
|
is_ascii_sig = (sig_type.upper() != "BIN")
|
|
|
|
signer.detach_sign(ipk_to_sign,
|
|
d.getVar('IPK_GPG_NAME', True),
|
|
d.getVar('IPK_GPG_PASSPHRASE_FILE', True),
|
|
armor=is_ascii_sig)
|