[OE-core] [PATCH] sstate: respect GPG_BIN and GPG_HOME

Ross Burton ross.burton at intel.com
Sat Oct 24 00:05:23 UTC 2015


The package feed signing code supports the user providing the path to the gpg
binary and an alternative gpg 'home' (usually ~/.gnupg), which are useful for
both deployment and QA purposes.

Factor out the gpg command line construction to a function which can fetch both
of these variables, and also use pipes.quote() to sanitise the arguments when
used in a shell context.

[ YOCTO #8559 ]

Signed-off-by: Ross Burton <ross.burton at intel.com>
---
 meta/classes/sstate.bbclass | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index d09e27a..ba18f54 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -268,6 +268,20 @@ def sstate_install(ss, d):
 sstate_install[vardepsexclude] += "SSTATE_DUPWHITELIST STATE_MANMACH SSTATE_MANFILEPREFIX"
 sstate_install[vardeps] += "${SSTATEPOSTINSTFUNCS}"
 
+def sstate_build_gpg_command(d, *args, **kwargs):
+    # Returns a list for subprocess.call() unless passed flatten=True when this
+    # returns a flattened string.
+    l = [d.getVar("GPG_BIN", True) or "gpg"]
+    if d.getVar("GPG_PATH", True):
+        l += ["--homedir", d.getVar("GPG_PATH", True)]
+    l += args
+
+    if kwargs.get("flatten", False):
+        import pipes
+        return " ".join(map(pipes.quote, l))
+    else:
+        return l
+
 def sstate_installpkg(ss, d):
     import oe.path
     import subprocess
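Review bot: `**kwargs` in sstate_build_gpg_command silently ignores any keyword other than `flatten`, so a misspelled keyword in a shell `${@...}` call would return the list form and its repr would be pasted into the script instead of a quoted command line. Consuming the option and rejecting leftovers would catch that early: `flatten = kwargs.pop("flatten", False)` followed by `if kwargs: raise TypeError("unexpected keyword arguments: %s" % ", ".join(kwargs))`. The leading comment could also name the variables the function reads, GPG_BIN and GPG_PATH, because the subject line says GPG_HOME while the code reads GPG_PATH.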
@@ -296,7 +310,7 @@ def sstate_installpkg(ss, d):
     d.setVar('SSTATE_PKG', sstatepkg)
 
     if bb.utils.to_boolean(d.getVar("SSTATE_VERIFY_SIG", True), False):
-        if subprocess.call(["gpg", "--verify", sstatepkg + ".sig", sstatepkg]) != 0:
+        if subprocess.call(sstate_build_gpg_command(d, "--verify", sstatepkg + ".sig", sstatepkg)) != 0:
             bb.warn("Cannot verify signature on sstate package %s" % sstatepkg)
 
     for f in (d.getVar('SSTATEPREINSTFUNCS', True) or '').split() + ['sstate_unpack_package'] + (d.getVar('SSTATEPOSTUNPACKFUNCS', True) or '').split():
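Review bot: A failed `gpg --verify` only reaches `bb.warn(...)`, and the loop over SSTATEPREINSTFUNCS and `sstate_unpack_package` that follows in this hunk still runs, so with SSTATE_VERIFY_SIG enabled an unverified package appears to be unpacked anyway. If that is not deliberate, returning after the warning (for example `return False`, assuming callers treat that as a failed install) would make the check enforcing. Since GPG_PATH now selects the keyring, exit status 0 means a valid signature from any key in that homedir, so a comment saying the homedir should hold only the trusted sstate signing keys would help. sstate_installpkg starts and ends outside the hunk.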
@@ -672,12 +686,12 @@ sstate_create_package () {
 	else
 		tar -cz --file=$TFILE --files-from=/dev/null
 	fi
-	chmod 0664 $TFILE 
+	chmod 0664 $TFILE
 	mv -f $TFILE ${SSTATE_PKG}
 
 	if [ -n "${SSTATE_SIG_KEY}" ]; then
 		rm -f ${SSTATE_PKG}.sig
-		echo ${SSTATE_SIG_PASSPHRASE} | gpg --batch --passphrase-fd 0 --detach-sign --local-user ${SSTATE_SIG_KEY} --output ${SSTATE_PKG}.sig ${SSTATE_PKG}
+		echo ${SSTATE_SIG_PASSPHRASE} | ${@sstate_build_gpg_command(d, "--batch", "--passphrase-fd", "0", "--detach-sign", "--local-user", "${SSTATE_SIG_KEY}", "--output", "${SSTATE_PKG}.sig", "${SSTATE_PKG}", flatten=True)}
 	fi
 
 	cd ${WORKDIR}
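Review bot: The `"${SSTATE_SIG_KEY}"`, `"${SSTATE_PKG}.sig"` and `"${SSTATE_PKG}"` arguments are written as Python string literals inside `${@...}`. As far as I know BitBake substitutes `${VAR}` textually before evaluating the inline Python, so a value containing a double quote or backslash would alter or break the expression before `pipes.quote` ever sees it. Reading the values in Python avoids that, e.g. `d.getVar("SSTATE_SIG_KEY", True)` and `d.getVar("SSTATE_PKG", True) + ".sig"` in place of the literals. On the same line `echo ${SSTATE_SIG_PASSPHRASE}` is still unquoted, so the shell will word-split and glob-expand the passphrase before gpg reads it. sstate_create_package starts and ends outside the hunk.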
-- 
2.1.4



