[OE-core] [PATCH 3/3] package_manager: support for signed RPM package feeds
Mark Hatle
mark.hatle at windriver.com
Wed Aug 26 15:10:46 UTC 2015
On 8/26/15 6:18 AM, Markus Lehtonen wrote:
> This change makes it possible to create GPG signed RPM package feeds -
> i.e. package feed with GPG signed metadata (repodata). All deployed RPM
> repositories will be signed and the GPG public key is copied to the rpm
> deployment directory.
>
> In order to enable the new feature one needs to define four variables in
> bitbake configuration.
> 1. 'PACKAGE_FEED_SIGN = "1"' enabling the feature
> 2. 'PACKAGE_FEED_GPG_NAME = "<key_id>"' defining the GPG key to use for
> signing
> 3. 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "<path_to_file>"' pointing to a
> file containing the passphrase for the secret signing key
> 4. 'PACKAGE_FEED_GPG_PUBKEY = "<path_to_pubkey>"' pointing to the
> corresponding public key (in "armor" format)
>
> [YOCTO #8134]
>
> Signed-off-by: Markus Lehtonen <markus.lehtonen at linux.intel.com>
> ---
> meta/lib/oe/package_manager.py | 24 ++++++++++++++++++++++--
> 1 file changed, 22 insertions(+), 2 deletions(-)
>
> diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
> index 753b3eb..5d7ef54 100644
> --- a/meta/lib/oe/package_manager.py
> +++ b/meta/lib/oe/package_manager.py
> @@ -113,8 +113,15 @@ class RpmIndexer(Indexer):
> rpm_pubkey = self.d.getVar('RPM_GPG_PUBKEY', True)
> else:
> rpm_pubkey = None
> + if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
> + pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME', True)
> + pkgfeed_gpg_pass = self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
> + else:
> + pkgfeed_gpg_name = None
> + pkgfeed_gpg_pass = None
>
> index_cmds = []
> + repo_sign_cmds = []
> key_import_cmds = []
> rpm_dirs_found = False
> for arch in archs:
> @@ -126,10 +133,16 @@ class RpmIndexer(Indexer):
> continue
>
> if rpm_pubkey:
> - key_import_cmds.append("%s --define '_dbpath %s' --import %s" %
> + key_import_cmds.append("%s --dbpath '%s' --import %s" %
> (rpm_bin, dbpath, rpm_pubkey))
> index_cmds.append("%s --dbpath %s --update -q %s" % \
> (rpm_createrepo, dbpath, arch_dir))
> + if pkgfeed_gpg_name:
> + repomd_file = os.path.join(arch_dir, 'repodata', 'repomd.xml')
> + gpg_cmd = "gpg2 --detach-sign --armor --batch --no-tty --yes " \
> + "--passphrase-file '%s' -u '%s' %s" % \
> + (pkgfeed_gpg_pass, pkgfeed_gpg_name, repomd_file)
> + repo_sign_cmds.append(gpg_cmd)
I've had problems in the past hard coding 'gpg' or 'gpg2' as the name to use.
Can we get this to be dynamic.. even if it's a system level define for what
GPG/PGP program to use?
Also I'd forgotten about it until there. RPM has a similar variable to define
the GPG program to use. So using that variable (_signature) and defaulting to
the same item would be a good idea.
(One such reason to do this is to write a wrapper that uses an alternative
keychain for these keys....)
>
> rpm_dirs_found = True
>
> @@ -145,10 +158,17 @@ class RpmIndexer(Indexer):
> result = oe.utils.multiprocess_exec(index_cmds, create_index)
> if result:
> bb.fatal('%s' % ('\n'.join(result)))
> - # Copy pubkey to repo
> + # Sign repomd
> + result = oe.utils.multiprocess_exec(repo_sign_cmds, create_index)
> + if result:
> + bb.fatal('%s' % ('\n'.join(result)))
> + # Copy pubkey(s) to repo
> if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
> shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True),
> os.path.join(self.deploy_dir, 'RPM-GPG-KEY-oe'))
> + if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
> + shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY', True),
> + os.path.join(self.deploy_dir, 'REPODATA-GPG-KEY'))
I didn't notice this before.. but we shouldn't hardcode RPM-GPG-KEY-oe, it
should use a value such as 'DISTRO' to allow different distributions to have
non-conflicting keys. The repository keys I would think would be similar as
well.. since you may have multiple repositories from different sources. So
naming the key ending in -${DISTRO} might be a good idea there as well.
(Extending it to ${DISTRO_VERSION} might be make sense... since these will be
used for long-term upgradable systems.)
--Mark
>
>
> class OpkgIndexer(Indexer):
>
More information about the Openembedded-core
mailing list