[OE-core] [PATCH 3/3] package_manager: support for signed RPM package feeds

Mark Hatle mark.hatle at windriver.com
Wed Aug 26 15:10:46 UTC 2015


On 8/26/15 6:18 AM, Markus Lehtonen wrote:
> This change makes it possible to create GPG signed RPM package feeds -
> i.e. package feed with GPG signed metadata (repodata). All deployed RPM
> repositories will be signed and the GPG public key is copied to the rpm
> deployment directory.
> 
> In order to enable the new feature one needs to define four variables in
> bitbake configuration.
> 1. 'PACKAGE_FEED_SIGN = "1"' enabling the feature
> 2. 'PACKAGE_FEED_GPG_NAME = "<key_id>"' defining the GPG key to use for
>    signing
> 3. 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "<path_to_file>"' pointing to a
>    file containing the passphrase for the secret signing key
> 4. 'PACKAGE_FEED_GPG_PUBKEY = "<path_to_pubkey>"' pointing to the
>    corresponding public key (in "armor" format)
> 
> [YOCTO #8134]
> 
> Signed-off-by: Markus Lehtonen <markus.lehtonen at linux.intel.com>
> ---
>  meta/lib/oe/package_manager.py | 24 ++++++++++++++++++++++--
>  1 file changed, 22 insertions(+), 2 deletions(-)
> 
> diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
> index 753b3eb..5d7ef54 100644
> --- a/meta/lib/oe/package_manager.py
> +++ b/meta/lib/oe/package_manager.py
> @@ -113,8 +113,15 @@ class RpmIndexer(Indexer):
>              rpm_pubkey = self.d.getVar('RPM_GPG_PUBKEY', True)
>          else:
>              rpm_pubkey = None
> +        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
> +            pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME', True)
> +            pkgfeed_gpg_pass = self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
> +        else:
> +            pkgfeed_gpg_name = None
> +            pkgfeed_gpg_pass = None
>  
>          index_cmds = []
> +        repo_sign_cmds = []
>          key_import_cmds = []
>          rpm_dirs_found = False
>          for arch in archs:
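Review bot: when PACKAGE_FEED_SIGN is "1" but PACKAGE_FEED_GPG_NAME or PACKAGE_FEED_GPG_PASSPHRASE_FILE is unset, this block silently leaves pkgfeed_gpg_name as None, and the later `if pkgfeed_gpg_name:` test then skips signing entirely, so a feed the user asked to have signed is deployed unsigned without any error. Please fail loudly here instead, e.g. `if not pkgfeed_gpg_name or not pkgfeed_gpg_pass: bb.fatal("PACKAGE_FEED_SIGN is set but PACKAGE_FEED_GPG_NAME/PACKAGE_FEED_GPG_PASSPHRASE_FILE is missing")`, and check that the passphrase file actually exists, since an unset value would otherwise reach gpg as the literal path 'None'.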
> @@ -126,10 +133,16 @@ class RpmIndexer(Indexer):
>                  continue
>  
>              if rpm_pubkey:
> -                key_import_cmds.append("%s --define '_dbpath %s' --import %s" %
> +                key_import_cmds.append("%s --dbpath '%s' --import %s" %
>                                     (rpm_bin, dbpath, rpm_pubkey))
>              index_cmds.append("%s --dbpath %s --update -q %s" % \
>                               (rpm_createrepo, dbpath, arch_dir))
> +            if pkgfeed_gpg_name:
> +                repomd_file = os.path.join(arch_dir, 'repodata', 'repomd.xml')
> +                gpg_cmd = "gpg2 --detach-sign --armor --batch --no-tty --yes " \
> +                          "--passphrase-file '%s' -u '%s' %s" % \
> +                          (pkgfeed_gpg_pass, pkgfeed_gpg_name, repomd_file)
> +                repo_sign_cmds.append(gpg_cmd)
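Review bot: the `--define '_dbpath %s'` to `--dbpath '%s'` change on the key-import line is unrelated to feed signing and is not mentioned in the commit message; either split it into its own patch or explain it in the message. In the gpg command itself, `%s` for repomd_file is unquoted while the passphrase file and key id are single-quoted; quote it the same way so a deploy path containing spaces does not break the command, and `--batch --no-tty --yes` will silently overwrite any existing repomd.xml.asc, which is fine on a fresh run but worth stating in a comment so that a stale signature from a previous build is understood to be replaced, never kept.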

I've had problems in the past hard coding 'gpg' or 'gpg2' as the name to use.

Can we get this to be dynamic.. even if it's a system level define for what
GPG/PGP program to use?

Also I'd forgotten about it until there.  RPM has a similar variable to define
the GPG program to use.  So using that variable (_signature) and defaulting to
the same item would be a good idea.

(One such reason to do this is to write a wrapper that uses an alternative
keychain for these keys....)

>  
>              rpm_dirs_found = True
>  
> @@ -145,10 +158,17 @@ class RpmIndexer(Indexer):
>          result = oe.utils.multiprocess_exec(index_cmds, create_index)
>          if result:
>              bb.fatal('%s' % ('\n'.join(result)))
> -        # Copy pubkey to repo
> +        # Sign repomd
> +        result = oe.utils.multiprocess_exec(repo_sign_cmds, create_index)
> +        if result:
> +            bb.fatal('%s' % ('\n'.join(result)))
> +        # Copy pubkey(s) to repo
>          if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
>              shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True),
>                           os.path.join(self.deploy_dir, 'RPM-GPG-KEY-oe'))
> +        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
> +            shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY', True),
> +                         os.path.join(self.deploy_dir, 'REPODATA-GPG-KEY'))
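Review bot: PACKAGE_FEED_GPG_PUBKEY is handed straight to shutil.copy2 with no check, so an unset variable or a wrong path surfaces as a raw Python exception rather than a bb.fatal that names the variable; read it into a local first and validate it, e.g. `pubkey = self.d.getVar('PACKAGE_FEED_GPG_PUBKEY', True)` followed by `if not pubkey or not os.path.isfile(pubkey): bb.fatal(...)`. Note also that repo_sign_cmds are executed in parallel through multiprocess_exec while every invocation uses the same key and keyring with a passphrase file; if the per-arch gpg2 runs contend on the keyring or agent, running this list serially would be the safer choice.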

I didn't notice this before..  but we shouldn't hardcode RPM-GPG-KEY-oe, it
should use a value such as 'DISTRO' to allow different distributions to have
non-conflicting keys.  The repository keys I would think would be similar as
well.. since you may have multiple repositories from different sources.  So
naming the key ending in -${DISTRO} might be a good idea there as well.
(Extending it to ${DISTRO_VERSION} might make sense... since these will be
used for long-term upgradable systems.)

--Mark

>  
>  
>  class OpkgIndexer(Indexer):
> 
