[OE-core] [PATCH 3/3] package_manager: support for signed RPM package feeds
Markus Lehtonen
markus.lehtonen at linux.intel.com
Wed Aug 26 11:18:34 UTC 2015
This change makes it possible to create GPG-signed RPM package feeds,
i.e. package feeds whose metadata (repodata) is GPG signed. All deployed RPM
repositories will be signed and the GPG public key is copied to the rpm
deployment directory.
In order to enable the new feature one needs to define four variables in
bitbake configuration.
1. 'PACKAGE_FEED_SIGN = "1"' enabling the feature
2. 'PACKAGE_FEED_GPG_NAME = "<key_id>"' defining the GPG key to use for
signing
3. 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "<path_to_file>"' pointing to a
file containing the passphrase for the secret signing key
4. 'PACKAGE_FEED_GPG_PUBKEY = "<path_to_pubkey>"' pointing to the
corresponding public key (in "armor" format)
[YOCTO #8134]
Signed-off-by: Markus Lehtonen <markus.lehtonen at linux.intel.com>
---
meta/lib/oe/package_manager.py | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index 753b3eb..5d7ef54 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -113,8 +113,15 @@ class RpmIndexer(Indexer):
rpm_pubkey = self.d.getVar('RPM_GPG_PUBKEY', True)
else:
rpm_pubkey = None
+ if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
+ pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME', True)
+ pkgfeed_gpg_pass = self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
+ else:
+ pkgfeed_gpg_name = None
+ pkgfeed_gpg_pass = None
index_cmds = []
+ repo_sign_cmds = []
key_import_cmds = []
rpm_dirs_found = False
for arch in archs:
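Review bot: When PACKAGE_FEED_SIGN is '1' but PACKAGE_FEED_GPG_NAME or PACKAGE_FEED_GPG_PASSPHRASE_FILE is unset, the new block at L31-L36 leaves them as None, so signing is silently skipped by the `if pkgfeed_gpg_name:` guard in the next hunk while the pubkey copy in the last hunk passes None to shutil.copy2 and dies with a traceback rather than a clear message; the net effect is that a misconfiguration can deploy an unsigned feed. Validate the configuration once here and fail closed, e.g. `if not pkgfeed_gpg_name or not pkgfeed_gpg_pass: bb.fatal("PACKAGE_FEED_SIGN=1 requires PACKAGE_FEED_GPG_NAME and PACKAGE_FEED_GPG_PASSPHRASE_FILE")`, and check that the passphrase file and PACKAGE_FEED_GPG_PUBKEY exist before any command is queued. The enclosing method starts before this hunk.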
@@ -126,10 +133,16 @@ class RpmIndexer(Indexer):
continue
if rpm_pubkey:
- key_import_cmds.append("%s --define '_dbpath %s' --import %s" %
+ key_import_cmds.append("%s --dbpath '%s' --import %s" %
(rpm_bin, dbpath, rpm_pubkey))
index_cmds.append("%s --dbpath %s --update -q %s" % \
(rpm_createrepo, dbpath, arch_dir))
+ if pkgfeed_gpg_name:
+ repomd_file = os.path.join(arch_dir, 'repodata', 'repomd.xml')
+ gpg_cmd = "gpg2 --detach-sign --armor --batch --no-tty --yes " \
+ "--passphrase-file '%s' -u '%s' %s" % \
+ (pkgfeed_gpg_pass, pkgfeed_gpg_name, repomd_file)
+ repo_sign_cmds.append(gpg_cmd)
rpm_dirs_found = True
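Review bot: The gpg2 command at L52-L54 is assembled by string interpolation and, judging by the existing index_cmds, executed as a shell string, with repomd_file unquoted and the key name and passphrase path only wrapped in single quotes, so a path or key id containing a quote, space or shell metacharacter breaks the command or changes its meaning. Quote each interpolated value, e.g. `gpg_cmd = "gpg2 --detach-sign --armor --batch --no-tty --yes --passphrase-file %s -u %s %s" % tuple(pipes.quote(v) for v in (pkgfeed_gpg_pass, pkgfeed_gpg_name, repomd_file))` (shlex.quote on Python 3; add the import if the file lacks it). The gpg2 binary name is also hard-coded while rpm_bin and rpm_createrepo come from configuration, so a variable for it would be consistent with the surrounding code. The loop this sits in begins in the previous hunk and the method continues after it.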
@@ -145,10 +158,17 @@ class RpmIndexer(Indexer):
result = oe.utils.multiprocess_exec(index_cmds, create_index)
if result:
bb.fatal('%s' % ('\n'.join(result)))
- # Copy pubkey to repo
+ # Sign repomd
+ result = oe.utils.multiprocess_exec(repo_sign_cmds, create_index)
+ if result:
+ bb.fatal('%s' % ('\n'.join(result)))
+ # Copy pubkey(s) to repo
if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True),
os.path.join(self.deploy_dir, 'RPM-GPG-KEY-oe'))
+ if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
+ shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY', True),
+ os.path.join(self.deploy_dir, 'REPODATA-GPG-KEY'))
class OpkgIndexer(Indexer):
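Review bot: The failure path for the signing step at L64-L65 repeats the indexing step's `bb.fatal('%s' % ('\n'.join(result)))` verbatim, so a failed gpg2 invocation is reported with no indication of which step failed and which feed is now unsigned. Prefix the message, e.g. `bb.fatal('Failed to sign repodata:\n%s' % '\n'.join(result))`. A short comment above L63 would also help, since create_index is reused as the worker for the gpg commands and its name suggests it is index-specific; presumably it just runs the given shell command, but that is not visible in this hunk.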
--
2.1.4