[OE-core] [PATCH v5 1/3] gpg_sign: add local ipk package signing functionality
Markus Lehtonen
markus.lehtonen at linux.intel.com
Thu Feb 18 15:26:42 UTC 2016
On 18/02/16 11:28, "Ioan-Adrian Ratiu" <adrian.ratiu at ni.com> wrote:
>Hello
>
>On Thu, 18 Feb 2016 11:04:22 +0200
>Markus Lehtonen <markus.lehtonen at linux.intel.com> wrote:
>
>> Hi,
>>
>>
>>
>> On 17/02/16 17:41, "Ioan-Adrian Ratiu" <openembedded-core-bounces at lists.openembedded.org on behalf of adrian.ratiu at ni.com> wrote:
>>
>> >Implement local ipk signing logic inside the gpg backend and add a new
>> >bbclass which configures signing similar to how rpm does it.
>> >
>> >The ipk signing process is a bit different from rpm:
>> > - Signatures are stored outside ipk files; opkg connects to a feed
>> >server and downloads them to verify a package.
>> > - Signatures are of two types (both supported by opkg): binary or
>> >ascii armoured. By default we sign using ascii armoured.
>> > - Public keys are stored on targets to verify ipks using the
>> >opkg-keyrings recipe.
>> >
>> >Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu at ni.com>
>> >---
>> > meta/classes/package_ipk.bbclass | 6 +++++
>> > meta/classes/sign_ipk.bbclass | 55 ++++++++++++++++++++++++++++++++++++++++
>> > meta/lib/oe/gpg_sign.py | 39 ++++++++++++++++++++++++++++
>> > 3 files changed, 100 insertions(+)
>> > create mode 100644 meta/classes/sign_ipk.bbclass
>> >
>> >diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass
>> >index 51bee28..4f5bbd0 100644
>> >--- a/meta/classes/package_ipk.bbclass
>> >+++ b/meta/classes/package_ipk.bbclass
>> >@@ -246,6 +246,12 @@ python do_package_ipk () {
>> > bb.utils.unlockfile(lf)
>> > raise bb.build.FuncFailed("opkg-build execution failed")
>> >
>> >+ if d.getVar('IPK_SIGN_PACKAGES', True) == '1':
>> >+ ipkver = "%s-%s" % (d.getVar('PKGV'), d.getVar('PKGR'))
>> >+ ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, d.getVar('PACKAGE_ARCH', True))
>> >+ d.setVar('IPK_TO_SIGN', ipk_to_sign)
>> >+ bb.build.exec_func("sign_ipk", d)
>> >+
>> > cleanupcontrol(root)
>> > bb.utils.unlockfile(lf)
>> >
>> >diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass
>> >new file mode 100644
>> >index 0000000..cb22bb4
>> >--- /dev/null
>> >+++ b/meta/classes/sign_ipk.bbclass
>> >@@ -0,0 +1,55 @@
>> >+# Class for generating signed IPK packages.
>> >+#
>> >+# Configuration variables used by this class:
>> >+# IPK_GPG_PASSPHRASE_FILE
>> >+# Path to a file containing the passphrase of the signing key.
>> >+# IPK_GPG_NAME
>> >+# Name of the key to sign with.
>> >+# IPK_GPG_BACKEND
>> >+# Optional variable for specifying the backend to use for signing.
>> >+# Currently the only available option is 'local', i.e. local signing
>> >+# on the build host.
>> >+# IPK_GPG_SIGNATURE_TYPE
>> >+# Optional variable for specifying the type of gpg signatures, can be:
>> >+# 1. Ascii armored (ASC), default if not set
>> >+# 2. Binary (BIN)
>> >+# GPG_BIN
>> >+# Optional variable for specifying the gpg binary/wrapper to use for
>> >+# signing.
>> >+# GPG_PATH
>> >+# Optional variable for specifying the gnupg "home" directory:
>> >+#
>> >+
>> >+inherit sanity
>> >+
>> >+IPK_SIGN_PACKAGES = '1'
>> >+IPK_GPG_BACKEND ?= 'local'
>> >+IPK_GPG_SIGNATURE_TYPE ?= 'ASC'
>> >+
>> >+python () {
>> >+ # Check configuration
>> >+ for var in ('IPK_GPG_NAME', 'IPK_GPG_PASSPHRASE_FILE'):
>> >+ if not d.getVar(var, True):
>> >+ raise_sanity_error("You need to define %s in the config" % var, d)
>> >+
>> >+ sigtype = d.getVar("IPK_GPG_SIGNATURE_TYPE", True)
>> >+ if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
>> >+ raise_sanity_error("Bad value for IPK_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype)
>> >+}
>> >+
>> >+python sign_ipk () {
>> >+ from oe.gpg_sign import get_signer
>> >+
>> >+ ipk_file = d.getVar('IPK_TO_SIGN')
>> >+ bb.debug(1, 'Signing ipk: %s' % ipk_file)
>> >+
>> >+ signer = get_signer(d, d.getVar('IPK_GPG_BACKEND', True))
>> >+
>> >+ sig_type = d.getVar('IPK_GPG_SIGNATURE_TYPE', True)
>> >+ is_ascii_sig = (sig_type.upper() != "BIN")
>> >+
>> >+ signer.sign_ipk(ipk_file,
>> >+ d.getVar('IPK_GPG_NAME', True),
>> >+ d.getVar('IPK_GPG_PASSPHRASE_FILE', True),
>> >+ is_ascii_sig)
>> >+}
>>
>> To me, it would be seem more straightforward to not circulate ipk_to_sign through 'd'. Just define a regular python function like
>> def sign_ipk(d, ipk_to_sign):
>> ...
>>
>> And then in package_ipk.bbclass just do "sign_ipk(d, ipk_to_sign)" instead of bb.build.exec_func("sign_ipk", d)"
>>
>>
>>
>>
>> >diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
>> >index ada1b2f..138499b 100644
>> >--- a/meta/lib/oe/gpg_sign.py
>> >+++ b/meta/lib/oe/gpg_sign.py
>> >@@ -1,5 +1,6 @@
>> > """Helper module for GPG signing"""
>> > import os
>> >+import sys
>> >
>> > import bb
>> > import oe.utils
>> >@@ -50,6 +51,44 @@ class LocalSigner(object):
>> > bb.error('rpmsign failed: %s' % proc.before.strip())
>> > raise bb.build.FuncFailed("Failed to sign RPM packages")
>> >
>> >+ def sign_ipk(self, ipkfile, keyid, passphrase_file, armor=True):
>> >+ """Sign IPK files"""
>> >+ import subprocess
>> >+ from subprocess import Popen
>> >+
>> >+ cmd = [self.gpg_bin, "-q", "--batch", "--yes", "-b", "-u", keyid]
>> >+ if self.gpg_path:
>> >+ cmd += ["--homedir", self.gpg_path]
>> >+ if armor:
>> >+ cmd += ["--armor"]
>> >+
>> >+ try:
>> >+ keypipe = os.pipe()
>> >+
>> >+ # Need to add '\n' in case the passfile does not have it
>> >+ with open(passphrase_file) as fobj:
>> >+ os.write(keypipe[1], fobj.readline() + '\n')
>> >+
>> >+ cmd += ["--passphrase-fd", str(keypipe[0])]
>> >+ cmd += [ipkfile]
>> >+
>> >+ gpg_proc = Popen(cmd, stdin=subprocess.PIPE)
>> >+ gpg_proc.wait()
>> >+
>> >+ os.close(keypipe[1]);
>> >+ os.close(keypipe[0]);
>> >+
>> >+ except IOError as e:
>> >+ bb.error("IO error ({0}): {1}".format(e.errno, e.strerror))
>> >+ raise bb.build.FuncFailed("Failed to sign IPK packages")
>> >+ except OSError as e:
>> >+ bb.error("OS error ({0}): {1}".format(e.errno, e.strerror))
>> >+ raise bb.build.FuncFailed("Failed to sign IPK packages")
>> >+ except:
>> >+ bb.error("Unexpected error: {1}".format(sys.exc_info()[0]))
>> >+ raise bb.build.FuncFailed("Failed to sign IPK packages")
>> >+
>> >+
>> > def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True):
>> > """Create a detached signature of a file"""
>> > import subprocess
>>
>> Couldn't you just use detach_sign() instead of introducing sign_ipk(). To me the functionality seems identical.
>
>The functionality is almost identical, yes, and consolidating it into one function is a very good idea. I'll do it but I have one question.
>
>The only diference between them is the usage in detach-sign of gpg's "--with-passphrase" arg, and that arg seems to cause some errors on my system:
>"gpg: signing failed: Inappropriate ioctl for device"
You mean the "--passphrase-file" option? I don't see any "--with-passphrase" option anywhere.
The problem sounds really strange. What host OS and gpg version do you have? I'd like to understand what is happening there.
>I have not managed to reliably reproduce and find the cause of this issue. However, if we always open the file in python and read directly in a pipe which
>we always pass to gpg using "--passphrase-fd", the error goes away.
>
>Is using something like the following in detach_sign() ok with you?
>
>with open(passphrase_file) as fobj:
> os.write(keypipe[1], fobj.readline() + '\n')
>
>cmd += ["--passphrase-fd", str(keypipe[0])]
If we need to do this, why do you want to use pipes? Why not just something like
with open(passphrase_file) as fobj:
job.communicate(fobj.readline() + '\n')
Thanks,
Markus
More information about the Openembedded-core
mailing list