[OE-core] [PATCH v4 1/3] gpg_sign: add support for gpg signature types

Burton, Ross ross.burton at intel.com
Tue Feb 16 11:54:29 UTC 2016


Hi,


This is an awesome patch, but sadly it conflicts with Markus's refactor of
related code.  Can you rebase this on top of Markus's work?  If you can't
find it on the list, then it's also staging in my poky-contrib:ross/mut
branch.

Thanks,
Ross

On 9 February 2016 at 14:22, Ioan-Adrian Ratiu <adrian.ratiu at ni.com> wrote:

> ASC = ascii armoured, BIN = binary
>
> Create new variables + parameters to the gpg signer module to specify
> which type of gpg signature to generate (ASC or BIN).
>
> The rpm backend has already implemented signatures which default to
> binary, so its behaviour is unchanged by this.
>
> Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu at ni.com>
> ---
>  meta/classes/sign_package_feed.bbclass | 10 +++++++++-
>  meta/classes/sign_rpm.bbclass          | 12 +++++++++++-
>  meta/lib/oe/gpg_sign.py                | 13 +++++++++----
>  meta/lib/oe/package_manager.py         |  3 ++-
>  meta/recipes-core/meta/signing-keys.bb |  6 ++++--
>  5 files changed, 35 insertions(+), 9 deletions(-)
>
> diff --git a/meta/classes/sign_package_feed.bbclass
> b/meta/classes/sign_package_feed.bbclass
> index d5df8af..4e703f2 100644
> --- a/meta/classes/sign_package_feed.bbclass
> +++ b/meta/classes/sign_package_feed.bbclass
> @@ -10,6 +10,10 @@
>  #           Optional variable for specifying the backend to use for
> signing.
>  #           Currently the only available option is 'local', i.e. local
> signing
>  #           on the build host.
> +# PACKAGE_FEED_GPG_SIGNATURE_TYPE
> +#           Optional variable for specifying the type of gpg signature,
> can be:
> +#               1. Ascii armored (ASC), default if not set
> +#               2. Binary (BIN)
>  # GPG_BIN
>  #           Optional variable for specifying the gpg binary/wrapper to
> use for
>  #           signing.
> @@ -20,7 +24,7 @@ inherit sanity
>
>  PACKAGE_FEED_SIGN = '1'
>  PACKAGE_FEED_GPG_BACKEND ?= 'local'
> -
> +PACKAGE_FEED_GPG_SIGNATURE_TYPE ?= 'ASC'
>
>  python () {
>      # Check sanity of configuration
> @@ -28,6 +32,10 @@ python () {
>          if not d.getVar(var, True):
>              raise_sanity_error("You need to define %s in the config" %
> var, d)
>
> +    sigtype = d.getVar("PACKAGE_FEED_GPG_SIGNATURE_TYPE", True)
> +    if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
> +        raise_sanity_error("Bad value for PACKAGE_FEED_GPG_SIGNATURE_TYPE
> (%s), use either ASC or BIN" % sigtype)
> +
>      # Set expected location of the public key
>      d.setVar('PACKAGE_FEED_GPG_PUBKEY',
>               os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
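Review bot: The added `raise_sanity_error(...)` call in the `sigtype` check omits the `d` argument that the existing call just above it passes (`... % var, d)`), so the error path will probably fail with a TypeError instead of reporting the bad value; end the call with `% sigtype, d)`. The check also upper-cases the value only for the comparison, while the signer in `meta/lib/oe/gpg_sign.py` tests `self.gpg_sig_type == "ASC"` exactly, so a setting such as `asc` passes validation and then silently gets unarmoured output. Either reject non-canonical case here or store the normalised value back with `d.setVar("PACKAGE_FEED_GPG_SIGNATURE_TYPE", sigtype.upper())`. Both points apply equally to the `RPM_GPG_SIGNATURE_TYPE` check in the `sign_rpm.bbclass` hunk; the anonymous python function continues outside this hunk.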
> diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
> index 8bcabee..840b6ca 100644
> --- a/meta/classes/sign_rpm.bbclass
> +++ b/meta/classes/sign_rpm.bbclass
> @@ -9,6 +9,10 @@
>  #           Optional variable for specifying the backend to use for
> signing.
>  #           Currently the only available option is 'local', i.e. local
> signing
>  #           on the build host.
> +# RPM_GPG_SIGNATURE_TYPE
> +#           Optional variable for specifying the type of gpg signatures,
> can be:
> +#                     1. Ascii armored (ASC), default if not set
> +#                     2. Binary (BIN)
>  # GPG_BIN
>  #           Optional variable for specifying the gpg binary/wrapper to
> use for
>  #           signing.
> @@ -19,6 +23,7 @@ inherit sanity
>
>  RPM_SIGN_PACKAGES='1'
>  RPM_GPG_BACKEND ?= 'local'
> +RPM_GPG_SIGNATURE_TYPE ?= 'BIN'
>
>
>  python () {
> @@ -27,6 +32,10 @@ python () {
>          if not d.getVar(var, True):
>              raise_sanity_error("You need to define %s in the config" %
> var, d)
>
> +    sigtype = d.getVar("RPM_GPG_SIGNATURE_TYPE", True)
> +    if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
> +        raise_sanity_error("Bad value for RPM_GPG_SIGNATURE_TYPE (%s),
> use either ASC or BIN" % sigtype)
> +
>      # Set the expected location of the public key
>      d.setVar('RPM_GPG_PUBKEY',
> os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
>                                              'RPM-GPG-PUBKEY'))
> @@ -39,7 +48,8 @@ python sign_rpm () {
>      signer = get_signer(d,
>                          d.getVar('RPM_GPG_BACKEND', True),
>                          d.getVar('RPM_GPG_NAME', True),
> -                        d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
> +                        d.getVar('RPM_GPG_PASSPHRASE_FILE', True),
> +                        d.getVar('RPM_GPG_SIGNATURE_TYPE', True))
>      rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*')
>
>      signer.sign_rpms(rpms)
> diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
> index 55abad8..d971d32 100644
> --- a/meta/lib/oe/gpg_sign.py
> +++ b/meta/lib/oe/gpg_sign.py
> @@ -6,9 +6,10 @@ import oe.utils
>
>  class LocalSigner(object):
>      """Class for handling local (on the build host) signing"""
> -    def __init__(self, d, keyid, passphrase_file):
> +    def __init__(self, d, keyid, passphrase_file, signature_type):
>          self.keyid = keyid
>          self.passphrase_file = passphrase_file
> +        self.gpg_sig_type = signature_type
>          self.gpg_bin = d.getVar('GPG_BIN', True) or \
>                    bb.utils.which(os.getenv('PATH'), 'gpg')
>          self.gpg_path = d.getVar('GPG_PATH', True)
> @@ -16,10 +17,12 @@ class LocalSigner(object):
>
>      def export_pubkey(self, output_file):
>          """Export GPG public key to a file"""
> -        cmd = '%s --batch --yes --export --armor -o %s ' % \
> +        cmd = '%s --batch --yes --export -o %s ' % \
>                  (self.gpg_bin, output_file)
>          if self.gpg_path:
>              cmd += "--homedir %s " % self.gpg_path
> +        if self.gpg_sig_type == "ASC":
> +            cmd += "-a "
>          cmd += self.keyid
>          status, output = oe.utils.getstatusoutput(cmd)
>          if status:
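Review bot: In `export_pubkey` the public-key export format now depends on an exact match `self.gpg_sig_type == "ASC"`, so any other value (lower-case `asc`, or `None` when the caller's variable is unset) silently switches the exported key from the previously unconditional `--armor` to binary. Consumers that import this key may expect the armoured form, so falling back to armour on an unknown value is the safer default. Normalising once in `__init__`, e.g. `self.gpg_sig_type = (signature_type or "ASC").upper()`, would make both this check and the one in the detached-signature hunk robust. It is also worth a docstring line on `__init__` stating that `signature_type` is `"ASC"` or `"BIN"` and that it governs key export as well as signatures. The rest of `export_pubkey` lies outside the hunk.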
> @@ -59,6 +62,8 @@ class LocalSigner(object):
>                    (self.gpg_bin, self.passphrase_file, self.keyid)
>          if self.gpg_path:
>              gpg_cmd += "--homedir %s " % self.gpg_path
> +        if self.gpg_sig_type == "ASC":
> +            cmd += "-a "
>          cmd += input_file
>          status, output = oe.utils.getstatusoutput(cmd)
>          if status:
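Review bot: The added `cmd += "-a "` makes a difference only if the format string that starts this command, which begins above the hunk, no longer hard-codes `--armor`. The hunk shows no removal there, so with `BIN` the detached signature may still come out armoured; please confirm, and drop the fixed flag if it is still present. The context line directly above appends `--homedir` to `gpg_cmd`, while the added line and `cmd += input_file` use `cmd`. If `gpg_cmd` is not defined earlier in the function, that branch raises NameError whenever `GPG_PATH` is set and the home directory never reaches gpg, so changing it to `cmd += "--homedir %s " % self.gpg_path` in the same patch would be worthwhile.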
> @@ -66,11 +71,11 @@ class LocalSigner(object):
>                                        (input_file, output))
>
>
> -def get_signer(d, backend, keyid, passphrase_file):
> +def get_signer(d, backend, keyid, passphrase_file, signature_type):
>      """Get signer object for the specified backend"""
>      # Use local signing by default
>      if backend == 'local':
> -        return LocalSigner(d, keyid, passphrase_file)
> +        return LocalSigner(d, keyid, passphrase_file, signature_type)
>      else:
>          bb.fatal("Unsupported signing backend '%s'" % backend)
>
> diff --git a/meta/lib/oe/package_manager.py
> b/meta/lib/oe/package_manager.py
> index 26f6466..7ea523a 100644
> --- a/meta/lib/oe/package_manager.py
> +++ b/meta/lib/oe/package_manager.py
> @@ -113,7 +113,8 @@ class RpmIndexer(Indexer):
>              signer = get_signer(self.d,
>                                  self.d.getVar('PACKAGE_FEED_GPG_BACKEND',
> True),
>                                  self.d.getVar('PACKAGE_FEED_GPG_NAME',
> True),
> -
> self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
> +
> self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True),
> +
> self.d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE', True))
>          else:
>              signer = None
>          index_cmds = []
> diff --git a/meta/recipes-core/meta/signing-keys.bb
> b/meta/recipes-core/meta/signing-keys.bb
> index d7aa79d..82c8c59 100644
> --- a/meta/recipes-core/meta/signing-keys.bb
> +++ b/meta/recipes-core/meta/signing-keys.bb
> @@ -29,7 +29,8 @@ python do_export_public_keys () {
>          signer = get_signer(d,
>                              d.getVar('RPM_GPG_BACKEND', True),
>                              d.getVar('RPM_GPG_NAME', True),
> -                            d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
> +                            d.getVar('RPM_GPG_PASSPHRASE_FILE', True),
> +                            d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE',
> True))
>          signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True))
>
>      if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
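Review bot: The RPM key export passes `d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE', True)` although every other argument in this `get_signer` call is an `RPM_GPG_*` variable; this looks like a copy-paste slip and should presumably be `d.getVar('RPM_GPG_SIGNATURE_TYPE', True))`. As written, the format of the exported RPM public key follows the package-feed setting. When only RPM signing is enabled, that variable is likely unset, which the exact `== "ASC"` test in `gpg_sign.py` treats as binary. If keeping the RPM public key armoured regardless of `RPM_GPG_SIGNATURE_TYPE` is the intent, a comment saying so would prevent a later "fix". The `if` guarding this block is above the hunk.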
> @@ -37,7 +38,8 @@ python do_export_public_keys () {
>          signer = get_signer(d,
>                              d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
>                              d.getVar('PACKAGE_FEED_GPG_NAME', True),
> -                            d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE',
> True))
> +                            d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE',
> True),
> +                            d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE',
> True))
>          signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
>  }
>  addtask do_export_public_keys before do_build
> --
> 2.7.0
>