[OE-core] [PATCH v4 1/3] gpg_sign: add support for gpg signature types
Ioan-Adrian Ratiu
adrian.ratiu at ni.com
Tue Feb 16 14:03:18 UTC 2016
Hi
On Tue, 16 Feb 2016 11:54:29 +0000
"Burton, Ross" <ross.burton at intel.com> wrote:
> Hi,
>
>
> This is an awesome patch, but sadly it conflicts with Markus's refactor of
> related code. Can you rebase this on top of Markus's work? If you can't
> find it on the list, then it's also staging in my poky-contrib:ross/mut
> branch.
Yes, sure, I'll rewrite and send the v5 patches by tomorrow. I'll use your staging branch.
>
> Thanks,
> Ross
>
> On 9 February 2016 at 14:22, Ioan-Adrian Ratiu <adrian.ratiu at ni.com> wrote:
>
> > ASC = ascii armoured, BIN = binary
> >
> > Create new variables + parameters to the gpg signer module to specify
> > which type of gpg signature to generate (ASC or BIN).
> >
> > The rpm backend has already implemented signatures which default to
> > binary, so its behaviour is unchanged by this.
> >
> > Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu at ni.com>
> > ---
> > meta/classes/sign_package_feed.bbclass | 10 +++++++++-
> > meta/classes/sign_rpm.bbclass | 12 +++++++++++-
> > meta/lib/oe/gpg_sign.py | 13 +++++++++----
> > meta/lib/oe/package_manager.py | 3 ++-
> > meta/recipes-core/meta/signing-keys.bb | 6 ++++--
> > 5 files changed, 35 insertions(+), 9 deletions(-)
> >
> > diff --git a/meta/classes/sign_package_feed.bbclass
> > b/meta/classes/sign_package_feed.bbclass
> > index d5df8af..4e703f2 100644
> > --- a/meta/classes/sign_package_feed.bbclass
> > +++ b/meta/classes/sign_package_feed.bbclass
> > @@ -10,6 +10,10 @@
> > # Optional variable for specifying the backend to use for
> > signing.
> > # Currently the only available option is 'local', i.e. local
> > signing
> > # on the build host.
> > +# PACKAGE_FEED_GPG_SIGNATURE_TYPE
> > +# Optional variable for specifying the type of gpg signature,
> > can be:
> > +# 1. Ascii armored (ASC), default if not set
> > +# 2. Binary (BIN)
> > # GPG_BIN
> > # Optional variable for specifying the gpg binary/wrapper to
> > use for
> > # signing.
> > @@ -20,7 +24,7 @@ inherit sanity
> >
> > PACKAGE_FEED_SIGN = '1'
> > PACKAGE_FEED_GPG_BACKEND ?= 'local'
> > -
> > +PACKAGE_FEED_GPG_SIGNATURE_TYPE ?= 'ASC'
> >
> > python () {
> > # Check sanity of configuration
> > @@ -28,6 +32,10 @@ python () {
> > if not d.getVar(var, True):
> > raise_sanity_error("You need to define %s in the config" %
> > var, d)
> >
> > + sigtype = d.getVar("PACKAGE_FEED_GPG_SIGNATURE_TYPE", True)
> > + if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
> > + raise_sanity_error("Bad value for PACKAGE_FEED_GPG_SIGNATURE_TYPE
> > (%s), use either ASC or BIN" % sigtype)
> > +
> > # Set expected location of the public key
> > d.setVar('PACKAGE_FEED_GPG_PUBKEY',
> > os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
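Review bot: The new `raise_sanity_error(...)` call omits the datastore argument that the call just above it passes (`% var, d`), so a bad value would probably end in a TypeError instead of the intended sanity message; end the call with `% sigtype, d)`. The check also upper-cases the value only for the comparison, while gpg_sign.py later tests it with a case-sensitive `== "ASC"`, so a setting such as `asc` passes validation and then silently yields unarmoured output. Normalise once, for example `sigtype = (d.getVar("PACKAGE_FEED_GPG_SIGNATURE_TYPE", True) or "").upper()`, and store the result back with `d.setVar` before it reaches the signer. Both points apply equally to the RPM_GPG_SIGNATURE_TYPE check added in sign_rpm.bbclass. The anonymous python block starts and ends outside this hunk.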
> > diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
> > index 8bcabee..840b6ca 100644
> > --- a/meta/classes/sign_rpm.bbclass
> > +++ b/meta/classes/sign_rpm.bbclass
> > @@ -9,6 +9,10 @@
> > # Optional variable for specifying the backend to use for
> > signing.
> > # Currently the only available option is 'local', i.e. local
> > signing
> > # on the build host.
> > +# RPM_GPG_SIGNATURE_TYPE
> > +# Optional variable for specifying the type of gpg signatures,
> > can be:
> > +# 1. Ascii armored (ASC), default if not set
> > +# 2. Binary (BIN)
> > # GPG_BIN
> > # Optional variable for specifying the gpg binary/wrapper to
> > use for
> > # signing.
> > @@ -19,6 +23,7 @@ inherit sanity
> >
> > RPM_SIGN_PACKAGES='1'
> > RPM_GPG_BACKEND ?= 'local'
> > +RPM_GPG_SIGNATURE_TYPE ?= 'BIN'
> >
> >
> > python () {
> > @@ -27,6 +32,10 @@ python () {
> > if not d.getVar(var, True):
> > raise_sanity_error("You need to define %s in the config" %
> > var, d)
> >
> > + sigtype = d.getVar("RPM_GPG_SIGNATURE_TYPE", True)
> > + if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
> > + raise_sanity_error("Bad value for RPM_GPG_SIGNATURE_TYPE (%s),
> > use either ASC or BIN" % sigtype)
> > +
> > # Set the expected location of the public key
> > d.setVar('RPM_GPG_PUBKEY',
> > os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
> > 'RPM-GPG-PUBKEY'))
> > @@ -39,7 +48,8 @@ python sign_rpm () {
> > signer = get_signer(d,
> > d.getVar('RPM_GPG_BACKEND', True),
> > d.getVar('RPM_GPG_NAME', True),
> > - d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
> > + d.getVar('RPM_GPG_PASSPHRASE_FILE', True),
> > + d.getVar('RPM_GPG_SIGNATURE_TYPE', True))
> > rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*')
> >
> > signer.sign_rpms(rpms)
> > diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
> > index 55abad8..d971d32 100644
> > --- a/meta/lib/oe/gpg_sign.py
> > +++ b/meta/lib/oe/gpg_sign.py
> > @@ -6,9 +6,10 @@ import oe.utils
> >
> > class LocalSigner(object):
> > """Class for handling local (on the build host) signing"""
> > - def __init__(self, d, keyid, passphrase_file):
> > + def __init__(self, d, keyid, passphrase_file, signature_type):
> > self.keyid = keyid
> > self.passphrase_file = passphrase_file
> > + self.gpg_sig_type = signature_type
> > self.gpg_bin = d.getVar('GPG_BIN', True) or \
> > bb.utils.which(os.getenv('PATH'), 'gpg')
> > self.gpg_path = d.getVar('GPG_PATH', True)
> > @@ -16,10 +17,12 @@ class LocalSigner(object):
> >
> > def export_pubkey(self, output_file):
> > """Export GPG public key to a file"""
> > - cmd = '%s --batch --yes --export --armor -o %s ' % \
> > + cmd = '%s --batch --yes --export -o %s ' % \
> > (self.gpg_bin, output_file)
> > if self.gpg_path:
> > cmd += "--homedir %s " % self.gpg_path
> > + if self.gpg_sig_type == "ASC":
> > + cmd += "-a "
> > cmd += self.keyid
> > status, output = oe.utils.getstatusoutput(cmd)
> > if status:
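Review bot: The rewritten `cmd = '%s --batch --yes --export -o %s '` line still interpolates `output_file`, and the lines after it `gpg_path` and `keyid`, unquoted into one string handed to `oe.utils.getstatusoutput`, which appears to run it through a shell. A path or key name containing spaces or shell metacharacters would therefore change the command that gets executed on the signing host. Since this line is being touched anyway, quote each interpolated value (for example with `pipes.quote`) or build an argument list. It would also help to extend the docstring to say that the key is armoured only when the signer's type is exactly `"ASC"`, because any other value, including None, now produces a binary key file.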
> > @@ -59,6 +62,8 @@ class LocalSigner(object):
> > (self.gpg_bin, self.passphrase_file, self.keyid)
> > if self.gpg_path:
> > gpg_cmd += "--homedir %s " % self.gpg_path
> > + if self.gpg_sig_type == "ASC":
> > + cmd += "-a "
> > cmd += input_file
> > status, output = oe.utils.getstatusoutput(cmd)
> > if status:
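Review bot: The added `cmd += "-a "` only makes the type selectable if the base command built just above this hunk no longer hard-codes `--armor`; that line is outside the hunk and is not changed by this patch, so BIN may have no effect for detached signatures. The context line `gpg_cmd += "--homedir %s "` also uses a different name from the `cmd` that the new line and `cmd += input_file` append to, which looks like it would raise NameError (or drop the homedir) whenever GPG_PATH is set; `cmd += "--homedir %s " % self.gpg_path` would match the rest of the method. The method starts outside the hunk, so both points should be checked against the full body.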
> > @@ -66,11 +71,11 @@ class LocalSigner(object):
> > (input_file, output))
> >
> >
> > -def get_signer(d, backend, keyid, passphrase_file):
> > +def get_signer(d, backend, keyid, passphrase_file, signature_type):
> > """Get signer object for the specified backend"""
> > # Use local signing by default
> > if backend == 'local':
> > - return LocalSigner(d, keyid, passphrase_file)
> > + return LocalSigner(d, keyid, passphrase_file, signature_type)
> > else:
> > bb.fatal("Unsupported signing backend '%s'" % backend)
> >
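Review bot: `get_signer` and `LocalSigner.__init__` gain a required positional `signature_type`, so any caller not updated in this series (for instance in another layer) fails with a TypeError at signing time. Giving it a default that matches the previous armoured behaviour, `def get_signer(d, backend, keyid, passphrase_file, signature_type='ASC'):`, keeps those callers working. The docstring should also name the accepted values (`ASC`, `BIN`), since nothing in gpg_sign.py rejects an unknown value and anything other than `"ASC"` is treated as binary.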
> > diff --git a/meta/lib/oe/package_manager.py
> > b/meta/lib/oe/package_manager.py
> > index 26f6466..7ea523a 100644
> > --- a/meta/lib/oe/package_manager.py
> > +++ b/meta/lib/oe/package_manager.py
> > @@ -113,7 +113,8 @@ class RpmIndexer(Indexer):
> > signer = get_signer(self.d,
> > self.d.getVar('PACKAGE_FEED_GPG_BACKEND',
> > True),
> > self.d.getVar('PACKAGE_FEED_GPG_NAME',
> > True),
> > -
> > self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
> > +
> > self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True),
> > +
> > self.d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE', True))
> > else:
> > signer = None
> > index_cmds = []
> > diff --git a/meta/recipes-core/meta/signing-keys.bb
> > b/meta/recipes-core/meta/signing-keys.bb
> > index d7aa79d..82c8c59 100644
> > --- a/meta/recipes-core/meta/signing-keys.bb
> > +++ b/meta/recipes-core/meta/signing-keys.bb
> > @@ -29,7 +29,8 @@ python do_export_public_keys () {
> > signer = get_signer(d,
> > d.getVar('RPM_GPG_BACKEND', True),
> > d.getVar('RPM_GPG_NAME', True),
> > - d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
> > + d.getVar('RPM_GPG_PASSPHRASE_FILE', True),
> > + d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE',
> > True))
> > signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True))
> >
> > if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
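Review bot: The RPM signer here is built with `d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE', True)` although every other argument is an RPM_GPG_* variable. If only sign_rpm is inherited, that variable may be unset, getVar returns None, and export_pubkey would then write RPM_GPG_PUBKEY without armour, whereas before this patch the export always used `--armor`. If the mismatch is deliberate (RPM_GPG_SIGNATURE_TYPE defaults to 'BIN'), a comment saying so is needed; otherwise a dedicated setting for the key export format, separate from the signature type, would avoid changing the key file that consumers import. do_export_public_keys starts outside this hunk.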
> > @@ -37,7 +38,8 @@ python do_export_public_keys () {
> > signer = get_signer(d,
> > d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
> > d.getVar('PACKAGE_FEED_GPG_NAME', True),
> > - d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE',
> > True))
> > + d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE',
> > True),
> > + d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE',
> > True))
> > signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
> > }
> > addtask do_export_public_keys before do_build
> > --
> > 2.7.0
> >