[OE-core] [PATCH 3/3] package_manager: support for signed RPM package feeds

Markus Lehtonen markus.lehtonen at linux.intel.com
Thu Aug 27 04:27:14 UTC 2015


Hi Mark,

On 26/08/15 18:10, "Mark Hatle" <mark.hatle at windriver.com> wrote:

>On 8/26/15 6:18 AM, Markus Lehtonen wrote:
>> This change makes it possible to create GPG signed RPM package feeds -
>> i.e. a package feed with GPG signed metadata (repodata). All deployed RPM
>> repositories will be signed and the GPG public key is copied to the rpm
>> deployment directory.
>> 
>> In order to enable the new feature one needs to define four variables in
>> the bitbake configuration.
>> 1. 'PACKAGE_FEED_SIGN = "1"' enabling the feature
>> 2. 'PACKAGE_FEED_GPG_NAME = "<key_id>"' defining the GPG key to use for
>>    signing
>> 3. 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "<path_to_file>"' pointing to a
>>    file containing the passphrase for the secret signing key
>> 4. 'PACKAGE_FEED_GPG_PUBKEY = "<path_to_pubkey>"' pointing to the
>>    corresponding public key (in "armor" format)
>> 
>> [YOCTO #8134]
>> 
>> Signed-off-by: Markus Lehtonen <markus.lehtonen at linux.intel.com>
>> ---
>>  meta/lib/oe/package_manager.py | 24 ++++++++++++++++++++++--
>>  1 file changed, 22 insertions(+), 2 deletions(-)
>> 
>> diff --git a/meta/lib/oe/package_manager.py
>>b/meta/lib/oe/package_manager.py
>> index 753b3eb..5d7ef54 100644
>> --- a/meta/lib/oe/package_manager.py
>> +++ b/meta/lib/oe/package_manager.py
>> @@ -113,8 +113,15 @@ class RpmIndexer(Indexer):
>>              rpm_pubkey = self.d.getVar('RPM_GPG_PUBKEY', True)
>>          else:
>>              rpm_pubkey = None
>> +        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
>> +            pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME',
>>True)
>> +            pkgfeed_gpg_pass =
>>self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
>> +        else:
>> +            pkgfeed_gpg_name = None
>> +            pkgfeed_gpg_pass = None
>>  
>>          index_cmds = []
>> +        repo_sign_cmds = []
>>          key_import_cmds = []
>>          rpm_dirs_found = False
>>          for arch in archs:
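Review bot: the new `if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':` branch reads PACKAGE_FEED_GPG_NAME and PACKAGE_FEED_GPG_PASSPHRASE_FILE without checking that either is actually set, and the signing step further down is gated on `if pkgfeed_gpg_name:`, so a build with PACKAGE_FEED_SIGN = "1" and an unset or misspelled PACKAGE_FEED_GPG_NAME produces an unsigned feed with no error. This should fail closed: call bb.fatal() here when PACKAGE_FEED_SIGN is '1' and either variable is empty, or when the passphrase file does not exist. PACKAGE_FEED_GPG_PUBKEY is only read at copy time in the last hunk, so a missing public key is noticed only after all repositories have been signed; check it here as well.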
>> @@ -126,10 +133,16 @@ class RpmIndexer(Indexer):
>>                  continue
>>  
>>              if rpm_pubkey:
>> -                key_import_cmds.append("%s --define '_dbpath %s'
>>--import %s" %
>> +                key_import_cmds.append("%s --dbpath '%s' --import %s" %
>>                                     (rpm_bin, dbpath, rpm_pubkey))
>>              index_cmds.append("%s --dbpath %s --update -q %s" % \
>>                               (rpm_createrepo, dbpath, arch_dir))
>> +            if pkgfeed_gpg_name:
>> +                repomd_file = os.path.join(arch_dir, 'repodata',
>>'repomd.xml')
>> +                gpg_cmd = "gpg2 --detach-sign --armor --batch --no-tty
>>--yes " \
>> +                          "--passphrase-file '%s' -u '%s' %s" % \
>> +                          (pkgfeed_gpg_pass, pkgfeed_gpg_name,
>>repomd_file)
>> +                repo_sign_cmds.append(gpg_cmd)
>
>I've had problems in the past hard coding 'gpg' or 'gpg2' as the name to
>use.
>
>Can we get this to be dynamic.. even if it's a system level define for what
>GPG/PGP program to use?

OK, I can introduce a new variable for defining this.


>Also I'd forgotten about it until there.  RPM has a similar variable to
>define the GPG program to use.  So using that variable (_signature) and
>defaulting to the same item would be a good idea.

I think this is not feasible as we're actually using the host's gpg(2)
here and rpm might not even be available.


Thanks,
   Markus



>(One such reason to do this is to write a wrapper that uses an alternative
>keychain for these keys....)
>
>>  
>>              rpm_dirs_found = True
>>  
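Review bot: in gpg_cmd the passphrase file and key id are wrapped in single quotes but `repomd_file` is interpolated bare, so a deploy directory containing a space or shell metacharacter breaks the command; quote it the same way, e.g. `"--passphrase-file '%s' -u '%s' '%s'"`, or build the argument list with pipes.quote. The `--define '_dbpath %s'` to `--dbpath '%s'` change to key_import_cmds in the same hunk is unrelated to feed signing and is not mentioned in the commit message; it belongs in a separate patch. The hard-coded `gpg2` is the point Mark raised; whatever variable replaces it should also be used for the verification step, and it is worth checking the `--batch --passphrase-file` combination against GnuPG 2.1, which needs `--pinentry-mode loopback` for the passphrase file to be honoured.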
>> @@ -145,10 +158,17 @@ class RpmIndexer(Indexer):
>>          result = oe.utils.multiprocess_exec(index_cmds, create_index)
>>          if result:
>>              bb.fatal('%s' % ('\n'.join(result)))
>> -        # Copy pubkey to repo
>> +        # Sign repomd
>> +        result = oe.utils.multiprocess_exec(repo_sign_cmds,
>>create_index)
>> +        if result:
>> +            bb.fatal('%s' % ('\n'.join(result)))
>> +        # Copy pubkey(s) to repo
>>          if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
>>              shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True),
>>                           os.path.join(self.deploy_dir,
>>'RPM-GPG-KEY-oe'))
>> +        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
>> +            shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY',
>>True),
>> +                         os.path.join(self.deploy_dir,
>>'REPODATA-GPG-KEY'))
>
>I didn't notice this before..  but we shouldn't hardcode RPM-GPG-KEY-oe, it
>should use a value such as 'DISTRO' to allow different distributions to have
>non-conflicting keys.  The repository keys I would think would be similar as
>well.. since you may have multiple repositories from different sources.  So
>naming the key ending in -${DISTRO} might be a good idea there as well.
>(Extending it to ${DISTRO_VERSION} might make sense... since these will be
>used for long-term upgradable systems.)
>
>--Mark
>
>>  
>>  
>>  class OpkgIndexer(Indexer):
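Review bot: the public key is copied whenever PACKAGE_FEED_SIGN == '1', but the signatures were only produced when pkgfeed_gpg_name was truthy, so the two conditions can diverge and a feed can ship REPODATA-GPG-KEY without any repomd.xml.asc. Gate both on the same condition, and verify the output before deploying it, e.g. run `gpg2 --verify repomd.xml.asc repomd.xml` against a keyring containing only PACKAGE_FEED_GPG_PUBKEY, so a mismatch between PACKAGE_FEED_GPG_NAME and the exported public key is caught at build time instead of on the target. Minor: repo_sign_cmds is run through multiprocess_exec with the `create_index` worker, which is misleading for a signing step; and the hard-coded 'REPODATA-GPG-KEY' name has the same per-DISTRO collision problem Mark raised for 'RPM-GPG-KEY-oe'.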
>> 
>
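An added example for the configuration described in the commit message and the repomd.xml signing step in the patch; this is not code from the OE-core patch or from the project. It reads the four PACKAGE_FEED_* variables fail-closed, builds the gpg invocation with every argument shell-quoted, and shows the check a client still has to perform after the detached signature verifies: the signature covers only repomd.xml, so the checksums it records must be compared against the metadata files. The datastore is a plain dict standing in for bitbake's d.getVar, the gpg_bin parameter is a hypothetical stand-in for the configurable program name Mark asked for, and the repodata directory is constructed here rather than produced by createrepo.

```python
"""Added example (not the OE-core patch's code): fail-closed PACKAGE_FEED_*
configuration, a quoted repomd.xml signing command, and client-side checksum
verification of a signed repodata set."""
import hashlib
import os
import shlex
import tempfile
import xml.etree.ElementTree as ET

REPOMD_NS = '{http://linux.duke.edu/metadata/repo}'
FEED_VARS = ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE',
             'PACKAGE_FEED_GPG_PUBKEY')


class FeedSignConfig:
    """The four variables from the commit message. A build with
    PACKAGE_FEED_SIGN = "1" but a missing value is an error here, not a
    silently unsigned feed. getvar is any callable like d.getVar."""

    def __init__(self, getvar):
        self.enabled = getvar('PACKAGE_FEED_SIGN') == '1'
        self.key_name = self.passphrase_file = self.pubkey = None
        if not self.enabled:
            return
        missing = [v for v in FEED_VARS if not getvar(v)]
        if missing:
            raise ValueError('PACKAGE_FEED_SIGN = "1" but unset: %s'
                             % ', '.join(missing))
        self.key_name = getvar('PACKAGE_FEED_GPG_NAME')
        self.passphrase_file = getvar('PACKAGE_FEED_GPG_PASSPHRASE_FILE')
        self.pubkey = getvar('PACKAGE_FEED_GPG_PUBKEY')


def build_sign_cmd(cfg, repomd_file, gpg_bin='gpg2'):
    """Same gpg options as the patch, but every interpolated value, the
    repomd.xml path included, is shell-quoted. gpg_bin is a hypothetical
    parameter for the configurable program name."""
    return ('%s --detach-sign --armor --batch --no-tty --yes '
            '--passphrase-file %s -u %s %s'
            % (shlex.quote(gpg_bin), shlex.quote(cfg.passphrase_file),
               shlex.quote(cfg.key_name), shlex.quote(repomd_file)))


def verify_repomd_checksums(repo_dir):
    """Client-side step after `gpg --verify repomd.xml.asc repomd.xml`
    succeeds: the signature covers only repomd.xml, so each metadata file it
    lists must match the recorded checksum, or an attacker who cannot forge
    the signature can still swap primary.xml.gz and friends.
    Returns [(href, matches)] for every <data> entry."""
    tree = ET.parse(os.path.join(repo_dir, 'repodata', 'repomd.xml'))
    results = []
    for data in tree.getroot().iter(REPOMD_NS + 'data'):
        href = data.find(REPOMD_NS + 'location').get('href')
        cksum = data.find(REPOMD_NS + 'checksum')
        algo = cksum.get('type')
        if algo == 'sha':              # createrepo spells SHA-1 as "sha"
            algo = 'sha1'
        h = hashlib.new(algo)
        with open(os.path.join(repo_dir, href), 'rb') as f:
            h.update(f.read())
        results.append((href, h.hexdigest() == cksum.text.strip()))
    return results


def make_sample_repo(tamper=False):
    """Constructed repodata (not real createrepo output): one primary entry
    with a correct sha256. With tamper=True the metadata file is replaced
    after repomd.xml was written, which is what signing repomd.xml is meant
    to catch."""
    repo = tempfile.mkdtemp(prefix='feed-')
    os.mkdir(os.path.join(repo, 'repodata'))
    primary = os.path.join(repo, 'repodata', 'primary.xml.gz')
    body = b'<metadata packages="1"/>'   # stand-in bytes, not real gzip
    with open(primary, 'wb') as f:
        f.write(body)
    repomd = ('<?xml version="1.0" encoding="UTF-8"?>\n'
              '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
              '  <data type="primary">\n'
              '    <checksum type="sha256">%s</checksum>\n'
              '    <location href="repodata/primary.xml.gz"/>\n'
              '  </data>\n</repomd>\n' % hashlib.sha256(body).hexdigest())
    with open(os.path.join(repo, 'repodata', 'repomd.xml'), 'w') as f:
        f.write(repomd)
    if tamper:
        with open(primary, 'wb') as f:
            f.write(b'<metadata packages="2"/>')
    return repo


if __name__ == '__main__':
    conf = {'PACKAGE_FEED_SIGN': '1',
            'PACKAGE_FEED_GPG_NAME': 'feed signing key',
            'PACKAGE_FEED_GPG_PASSPHRASE_FILE': '/srv/keys/feed.pass',
            'PACKAGE_FEED_GPG_PUBKEY': '/srv/keys/feed-pub.asc'}
    cfg = FeedSignConfig(conf.get)
    print(build_sign_cmd(cfg, '/deploy/rpm/core2 64/repodata/repomd.xml'))
    print(verify_repomd_checksums(make_sample_repo()))
    print(verify_repomd_checksums(make_sample_repo(tamper=True)))
```

The checksum walk is the part most often skipped when people bolt a repomd.xml signature onto a feed: on the target, a signature check alone proves that repomd.xml is authentic, and only the checksum comparison extends that guarantee to the package lists that repomd.xml points at.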




