[OE-core] [PATCH] signing-keys: Make signing keys the only publisher of keys

Markus Lehtonen markus.lehtonen at linux.intel.com
Fri Feb 19 09:49:24 UTC 2016


Hi Randy,

On Thu, 2016-02-18 at 07:38 -0800, Randy Witt wrote:
> Previously the keys were put into the os-release package. The package
> indexing code was also deploying the keys rather than only using the
> keys.
> 
> This change makes signing-keys.bb the only publisher of the keys and
> also
> uses standard tasks that already have sstate.
> 
> Signed-off-by: Randy Witt <randy.e.witt at linux.intel.com>
> ---
>  meta/classes/sign_package_feed.bbclass     | 11 ++++--
>  meta/classes/sign_rpm.bbclass              | 11 ++++--
>  meta/lib/oe/package_manager.py             | 10 -----
>  meta/recipes-core/meta/signing-keys.bb     | 61
> +++++++++++++++++++++---------
>  meta/recipes-core/os-release/os-release.bb | 11 ------
>  5 files changed, 57 insertions(+), 47 deletions(-)
> 
> diff --git a/meta/classes/sign_package_feed.bbclass
> b/meta/classes/sign_package_feed.bbclass
> index 63ca02f..d6d1603 100644
> --- a/meta/classes/sign_package_feed.bbclass
> +++ b/meta/classes/sign_package_feed.bbclass
> @@ -30,9 +30,12 @@ python () {
>  
>      # Set expected location of the public key
>      d.setVar('PACKAGE_FEED_GPG_PUBKEY',
> -             os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
> -                                   'PACKAGE-FEED-GPG-PUBKEY'))
> +             os.path.join(d.getVar('STAGING_DIR_TARGET', False),
> +                          d.getVar('sysconfdir', False),
> +                          'pki',
> +                          'packagefeed-gpg',
> +                          'PACKAGEFEED-GPG-KEY-${DISTRO_VERSION}'))
>  }
>  
> -do_package_index[depends] += "signing-keys:do_export_public_keys"
> -do_rootfs[depends] += "signing-keys:do_export_public_keys"
> +do_package_index[depends] += "signing-keys:do_deploy"
> +do_rootfs[depends] += "signing-keys:do_populate_sysroot"
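Review bot: The `os.path.join()` call that builds PACKAGE_FEED_GPG_PUBKEY passes `sysconfdir` as a middle component, and os.path.join discards everything before a component that starts with `/`. It works here only because both getVar calls pass `False` and the unexpanded values presumably begin with `${...}` rather than a slash. If a later change switches to expanded lookups, the variable would silently resolve to the build host's own /etc/pki instead of the sysroot, and whatever key sits there could be picked up. A plain BitBake string avoids this and matches how do_install spells the path: `d.setVar('PACKAGE_FEED_GPG_PUBKEY', '${STAGING_DIR_TARGET}${sysconfdir}/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-${DISTRO_VERSION}')`. The same pattern appears in the RPM_GPG_PUBKEY hunk of sign_rpm.bbclass, and the anonymous python function starts above this hunk.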
> diff --git a/meta/classes/sign_rpm.bbclass
> b/meta/classes/sign_rpm.bbclass
> index 8bcabee..d3e2b38 100644
> --- a/meta/classes/sign_rpm.bbclass
> +++ b/meta/classes/sign_rpm.bbclass
> @@ -28,8 +28,11 @@ python () {
>              raise_sanity_error("You need to define %s in the config"
> % var, d)
>  
>      # Set the expected location of the public key
> -    d.setVar('RPM_GPG_PUBKEY',
> os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
> -                                            'RPM-GPG-PUBKEY'))
> +    d.setVar('RPM_GPG_PUBKEY',
> os.path.join(d.getVar('STAGING_DIR_TARGET', False),
> +                                            d.getVar('sysconfdir',
> False),
> +                                            'pki',
> +                                            'rpm-gpg',
> +                                            'RPM-GPG-KEY
> -${DISTRO_VERSION}'))
>  }
>  
>  python sign_rpm () {
> @@ -45,5 +48,5 @@ python sign_rpm () {
>      signer.sign_rpms(rpms)
>  }
>  
> -do_package_index[depends] += "signing-keys:do_export_public_keys"
> -do_rootfs[depends] += "signing-keys:do_export_public_keys"
> +do_package_index[depends] += "signing-keys:do_deploy"
> +do_rootfs[depends] += "signing-keys:do_populate_sysroot"
> diff --git a/meta/lib/oe/package_manager.py
> b/meta/lib/oe/package_manager.py
> index 26f6466..340f104 100644
> --- a/meta/lib/oe/package_manager.py
> +++ b/meta/lib/oe/package_manager.py
> @@ -145,16 +145,6 @@ class RpmIndexer(Indexer):
>          if signer:
>              for repomd in repomd_files:
>                  signer.detach_sign(repomd)
> -        # Copy pubkey(s) to repo
> -        distro_version = self.d.getVar('DISTRO_VERSION', True) or
> "oe.0"
> -        if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
> -            shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True),
> -                         os.path.join(self.deploy_dir,
> -                                      'RPM-GPG-KEY-%s' %
> distro_version))
> -        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
> -            shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY',
> True),
> -                         os.path.join(self.deploy_dir,
> -                                      'REPODATA-GPG-KEY-%s' %
> distro_version))
>  
>  
>  class OpkgIndexer(Indexer):
> diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes
> -core/meta/signing-keys.bb
> index d7aa79d..2f190c3 100644
> --- a/meta/recipes-core/meta/signing-keys.bb
> +++ b/meta/recipes-core/meta/signing-keys.bb
> @@ -3,25 +3,21 @@
>  
>  DESCRIPTION = "Make public keys of the signing keys available"
>  LICENSE = "MIT"
> -PACKAGES = ""
> -
> -do_fetch[noexec] = "1"
> -do_unpack[noexec] = "1"
> -do_patch[noexec] = "1"
> -do_configure[noexec] = "1"
> -do_compile[noexec] = "1"
> -do_install[noexec] = "1"
> -do_package[noexec] = "1"
> -do_packagedata[noexec] = "1"
> -do_package_write_ipk[noexec] = "1"
> -do_package_write_rpm[noexec] = "1"
> -do_package_write_deb[noexec] = "1"
> -do_populate_sysroot[noexec] = "1"
> +LIC_FILES_CHKSUM =
> "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
> +                   
>  file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de2
> 0420"
> +
> +
> +inherit allarch deploy
>  
>  EXCLUDE_FROM_WORLD = "1"
> +INHIBIT_DEFAULT_DEPS = "1"
> +
> +PACKAGES =+ "${PN}-rpm ${PN}-packagefeed"
>  
> +FILES_${PN}-rpm = "${sysconfdir}/pki/rpm-gpg"
> +FILES_${PN}-packagefeed = "${sysconfdir}/pki/packagefeed-gpg"
>  
> -python do_export_public_keys () {
> +python do_get_public_keys () {
>      from oe.gpg_sign import get_signer
>  
>      if d.getVar("RPM_SIGN_PACKAGES", True):
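Review bot: The RPM branch is entered by `if d.getVar("RPM_SIGN_PACKAGES", True):`, which is true for any non-empty value including "0", while the feed branch in the next hunk compares with `== '1'`. Because do_install and do_deploy now act on the mere existence of the exported file, a configuration that sets RPM_SIGN_PACKAGES to "0" would still attempt the export and ship an RPM key. Writing `if d.getVar('RPM_SIGN_PACKAGES', True) == '1':` keeps the two branches consistent. The body of do_get_public_keys continues in the next hunk.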
> @@ -30,7 +26,7 @@ python do_export_public_keys () {
>                              d.getVar('RPM_GPG_BACKEND', True),
>                              d.getVar('RPM_GPG_NAME', True),
>                              d.getVar('RPM_GPG_PASSPHRASE_FILE',
> True))
> -        signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True))
> +        signer.export_pubkey(os.path.join(d.expand('${B}'), 'rpm
> -key'))
>  
>      if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
>          # Export public key of the feed signing key
> @@ -38,6 +34,35 @@ python do_export_public_keys () {
>                              d.getVar('PACKAGE_FEED_GPG_BACKEND',
> True),
>                              d.getVar('PACKAGE_FEED_GPG_NAME', True),
>                             
>  d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
> -        signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY',
> True))
> +        signer.export_pubkey(os.path.join(d.expand('${B}'), 'pf
> -key'))
> +}
> +do_get_public_keys[cleandirs] = "${B}"
> +addtask get_public_keys before do_install
> +
> +do_install () {
> +    if [ -f "${B}/rpm-key" ]; then
> +        install -D -m 0644 "${B}/rpm-key" "${D}${sysconfdir}/pki/rpm
> -gpg/RPM-GPG-KEY-${DISTRO_VERSION}"
> +    fi
> +    if [ -f "${B}/pf-key" ]; then
> +        install -D -m 0644 "${B}/pf-key"
> "${D}${sysconfdir}/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY
> -${DISTRO_VERSION}"
> +    fi
> +}
> +
> +sysroot_stage_all_append () {
> +    sysroot_stage_dir ${D}${sysconfdir}/pki
> ${SYSROOT_DESTDIR}${sysconfdir}/pki
> +}
> +
> +do_deploy () {
> +    if [ -f "${B}/rpm-key" ]; then
> +        install -D -m 0644 "${B}/rpm-key" "${DEPLOYDIR}/RPM-GPG-KEY
> -${DISTRO_VERSION}"
> +    fi
> +    if [ -f "${B}/pf-key" ]; then
> +        install -D -m 0644 "${B}/pf-key" "${DEPLOYDIR}/PACKAGEFEED
> -GPG-KEY-${DISTRO_VERSION}"
> +    fi
>  }
> -addtask do_export_public_keys before do_build
> +do_deploy[sstate-outputdirs] = "${DEPLOY_DIR_RPM}"
> +# cleandirs should possibly be in deploy.bbclass but we need it
> +do_deploy[cleandirs] = "${DEPLOYDIR}"
> +# clear stamp-extra-info since MACHINE is normally put there by
> deploy.bbclass
> +do_deploy[stamp-extra-info] = ""
> +addtask deploy after do_get_public_keys
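Review bot: do_install and do_deploy skip silently when `${B}/rpm-key` or `${B}/pf-key` is absent, so a build with signing enabled whose export produced no file still succeeds and yields a rootfs and feed without the public key. Presumably export_pubkey raises on failure, but the tasks themselves do not enforce it. A failing branch tied to the matching switch would, for example `elif [ "${RPM_SIGN_PACKAGES}" = "1" ]; then bbfatal "RPM signing is enabled but no public key was exported"; fi`. Separately, the feed key is now deployed as `PACKAGEFEED-GPG-KEY-${DISTRO_VERSION}` where the code removed from package_manager.py wrote `REPODATA-GPG-KEY-%s`, so feed clients that fetch the key by the old name need updating and the commit message should say so.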
> diff --git a/meta/recipes-core/os-release/os-release.bb
> b/meta/recipes-core/os-release/os-release.bb
> index df19ca2..58364ea 100644
> --- a/meta/recipes-core/os-release/os-release.bb
> +++ b/meta/recipes-core/os-release/os-release.bb
> @@ -30,21 +30,10 @@ python do_compile () {
>              value = d.getVar(field, True)
>              if value:
>                  f.write('{0}="{1}"\n'.format(field, value))
> -    if d.getVar('RPM_SIGN_PACKAGES', True) == '1':
> -        rpm_gpg_pubkey = d.getVar('RPM_GPG_PUBKEY', True)
> -        bb.utils.mkdirhier('${B}/rpm-gpg')
> -        distro_version = d.getVar('DISTRO_VERSION', True) or "oe.0"
> -        shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG
> -KEY-%s' % distro_version))
>  }
>  do_compile[vardeps] += "${OS_RELEASE_FIELDS}"
> -do_compile[depends] += "signing-keys:do_export_public_keys"
>  
>  do_install () {
>      install -d ${D}${sysconfdir}
>      install -m 0644 os-release ${D}${sysconfdir}/
> -
> -    if [ -d "rpm-gpg" ]; then
> -        install -d "${D}${sysconfdir}/pki"
> -        cp -r "rpm-gpg" "${D}${sysconfdir}/pki/"
> -    fi
>  }

This looks very good to me! But, it doesn't apply cleanly on top of the
latest master.

Also, you could ditch the PACKAGE_FEED_GPG_PUBKEY variable as it's not
used anywhere anymore.

It would be nice to get rid of RPM_GPG_PUBKEY, too. But, it would need
minor further changes in oe.package_manager that can be done later in a
separate patch.


Thanks,
  Markus









