[oe-commits] Markus Lehtonen : package_manager: support for signed RPM package feeds

git at git.openembedded.org
Tue Sep 1 21:21:08 UTC 2015


Module: openembedded-core.git
Branch: master-next
Commit: a576eea1eb5ed54e2f72d5f7c3e5d6a723382485
URL:    http://git.openembedded.org/?p=openembedded-core.git&a=commit;h=a576eea1eb5ed54e2f72d5f7c3e5d6a723382485

Author: Markus Lehtonen <markus.lehtonen at linux.intel.com>
Date:   Tue Aug 25 16:48:32 2015 +0300

package_manager: support for signed RPM package feeds

This change makes it possible to create GPG signed RPM package feeds -
i.e. package feeds with GPG signed metadata (repodata). All deployed RPM
repositories will be signed and the GPG public key is copied to the rpm
deployment directory.

In order to enable the new feature one needs to define four variables in
bitbake configuration.
1. 'PACKAGE_FEED_SIGN = "1"' enabling the feature
2. 'PACKAGE_FEED_GPG_NAME = "<key_id>"' defining the GPG key to use for
   signing
3. 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "<path_to_file>"' pointing to a
   file containing the passphrase for the secret signing key
4. 'PACKAGE_FEED_GPG_PUBKEY = "<path_to_pubkey>"' pointing to the
   corresponding public key (in "armor" format)
The user may define "GPG_BIN" in the bitbake configuration in order to
specify a specific gpg binary/wrapper to use for signing.

[YOCTO #8134]

Signed-off-by: Markus Lehtonen <markus.lehtonen at linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

---

 meta/lib/oe/package_manager.py | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index 3632a7a..622669a 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -108,8 +108,17 @@ class RpmIndexer(Indexer):
         archs = archs.union(set(sdk_pkg_archs))
 
         rpm_createrepo = bb.utils.which(os.getenv('PATH'), "createrepo")
+        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
+            pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME', True)
+            pkgfeed_gpg_pass = self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
+        else:
+            pkgfeed_gpg_name = None
+            pkgfeed_gpg_pass = None
+        gpg_bin = self.d.getVar('GPG_BIN', True) or \
+                  bb.utils.which(os.getenv('PATH'), "gpg")
 
         index_cmds = []
+        repo_sign_cmds = []
         rpm_dirs_found = False
         for arch in archs:
             dbpath = os.path.join(self.d.getVar('WORKDIR', True), 'rpmdb', arch)
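Review bot: when PACKAGE_FEED_SIGN is "1" but PACKAGE_FEED_GPG_NAME or PACKAGE_FEED_GPG_PASSPHRASE_FILE is unset, the `if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':` branch leaves pkgfeed_gpg_name as None and the later `if pkgfeed_gpg_name:` check silently skips signing, so a misconfigured build ships an unsigned feed with no error at all; likewise `gpg_bin` can end up empty when GPG_BIN is unset and gpg is not on PATH, which only surfaces later as a failed command. Suggest a bb.fatal at this point if signing is enabled and any of the three values (key name, passphrase file, gpg binary) is missing, naming the variable.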
@@ -121,6 +130,12 @@ class RpmIndexer(Indexer):
 
             index_cmds.append("%s --dbpath %s --update -q %s" % \
                              (rpm_createrepo, dbpath, arch_dir))
+            if pkgfeed_gpg_name:
+                repomd_file = os.path.join(arch_dir, 'repodata', 'repomd.xml')
+                gpg_cmd = "%s --detach-sign --armor --batch --no-tty --yes " \
+                          "--passphrase-file '%s' -u '%s' %s" % (gpg_bin,
+                          pkgfeed_gpg_pass, pkgfeed_gpg_name, repomd_file)
+                repo_sign_cmds.append(gpg_cmd)
 
             rpm_dirs_found = True
 
@@ -132,12 +147,20 @@ class RpmIndexer(Indexer):
         result = oe.utils.multiprocess_exec(index_cmds, create_index)
         if result:
             bb.fatal('%s' % ('\n'.join(result)))
-        # Copy pubkey to repo
+        # Sign repomd
+        result = oe.utils.multiprocess_exec(repo_sign_cmds, create_index)
+        if result:
+            bb.fatal('%s' % ('\n'.join(result)))
+        # Copy pubkey(s) to repo
         distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0"
         if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
             shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True),
                          os.path.join(self.deploy_dir,
                                       'RPM-GPG-KEY-%s' % distro_version))
+        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
+            shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY', True),
+                         os.path.join(self.deploy_dir,
+                                      'REPODATA-GPG-KEY-%s' % distro_version))
 
 
 class OpkgIndexer(Indexer):
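Review bot: `shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY', True), ...)` passes whatever getVar returns straight to shutil, so an unset PACKAGE_FEED_GPG_PUBKEY fails with a TypeError deep in copy2 instead of a bb.fatal naming the variable; check the value (and that the file exists) before copying, as the RPM_GPG_PUBKEY branch above should too. Running repo_sign_cmds only after every index_cmds job has finished is the right ordering, because the detached signature must cover the repomd.xml that createrepo --update has just rewritten; a one-line comment saying so would stop a later refactor from merging the two multiprocess_exec calls.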

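The signing step in this commit leaves a detached armored signature (repodata/repomd.xml.asc) next to repomd.xml and publishes the key as REPODATA-GPG-KEY-<DISTRO_VERSION>. The consumer-side counterpart, added here as an example and not part of the commit or of oe-core, verifies that signature with a throwaway keyring (it assumes a gpg binary on PATH) and then recomputes the checksums repomd.xml records for primary.xml.gz and friends, which is what lets a signature over repomd.xml alone cover the whole repodata set; build_sample_repo() is a constructed feed with one metadata file modified after repomd.xml was written.

```python
import hashlib
import os
import subprocess
import tempfile
import xml.etree.ElementTree as ET

NS = {"repo": "http://linux.duke.edu/metadata/repo"}


def verify_repomd_signature(repo_dir, pubkey_path, gpg_bin="gpg"):
    """True if repodata/repomd.xml.asc verifies over repomd.xml with a key from
    pubkey_path; a throwaway --homedir means only the feed key is trusted."""
    repomd = os.path.join(repo_dir, "repodata", "repomd.xml")
    with tempfile.TemporaryDirectory() as home:
        base = [gpg_bin, "--homedir", home, "--batch", "--no-tty"]
        subprocess.run(base + ["--import", pubkey_path], check=True, capture_output=True)
        res = subprocess.run(base + ["--verify", repomd + ".asc", repomd],
                             capture_output=True)
    return res.returncode == 0


def verify_repomd_checksums(repo_dir):
    """Recompute the checksum of every metadata file listed in repomd.xml and
    return {href: matches}; this extends the repomd.xml signature to those files."""
    tree = ET.parse(os.path.join(repo_dir, "repodata", "repomd.xml"))
    results = {}
    for data in tree.getroot().findall("repo:data", NS):
        csum = data.find("repo:checksum", NS)
        href = data.find("repo:location", NS).get("href")
        with open(os.path.join(repo_dir, href), "rb") as f:
            digest = hashlib.new(csum.get("type"), f.read()).hexdigest()
        results[href] = digest == csum.text.strip()
    return results


def build_sample_repo():
    """Constructed feed (not a real oe-core deploy dir): primary is intact,
    filelists was modified after repomd.xml was written, so its checksum fails."""
    repo = tempfile.mkdtemp()
    os.makedirs(os.path.join(repo, "repodata"))
    entries = ""
    for name, body, tampered in (("primary", b"<metadata/>", False),
                                 ("filelists", b"<filelists/>", True)):
        href = "repodata/%s.xml.gz" % name
        entries += ('<data type="%s"><checksum type="sha256">%s</checksum>'
                    '<location href="%s"/></data>'
                    % (name, hashlib.sha256(body).hexdigest(), href))
        with open(os.path.join(repo, href), "wb") as f:
            f.write(body + (b"<!-- tampered -->" if tampered else b""))
    with open(os.path.join(repo, "repodata", "repomd.xml"), "w") as f:
        f.write('<repomd xmlns="%s">%s</repomd>' % (NS["repo"], entries))
    return repo
```

A client that fetches repodata should stop at the first False in verify_repomd_checksums(), and only call it after verify_repomd_signature() has returned True.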