[OE-core] [PATCH v5 1/3] gpg_sign: add local ipk package signing functionality
Ioan-Adrian Ratiu
adrian.ratiu at ni.com
Fri Feb 19 13:42:25 UTC 2016
On Fri, 19 Feb 2016 13:18:12 +0200
Ioan-Adrian Ratiu <adrian.ratiu at ni.com> wrote:
> On Thu, 18 Feb 2016 11:28:58 +0200
> Ioan-Adrian Ratiu <adrian.ratiu at ni.com> wrote:
>
> > Hello
> >
> > On Thu, 18 Feb 2016 11:04:22 +0200
> > Markus Lehtonen <markus.lehtonen at linux.intel.com> wrote:
> >
> > > Hi,
> > >
> > >
> > >
> > > On 17/02/16 17:41, "Ioan-Adrian Ratiu" <openembedded-core-bounces at lists.openembedded.org on behalf of adrian.ratiu at ni.com> wrote:
> > >
> > > >Implement local ipk signing logic inside the gpg backend and add a new
> > > >bbclass which configures signing similar to how rpm does it.
> > > >
> > > >The ipk signing process is a bit different from rpm:
> > > > - Signatures are stored outside ipk files; opkg connects to a feed
> > > >server and downloads them to verify a package.
> > > > - Signatures are of two types (both supported by opkg): binary or
> > > >ascii armoured. By default we sign using ascii armoured.
> > > > - Public keys are stored on targets to verify ipks using the
> > > >opkg-keyrings recipe.
> > > >
> > > >Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu at ni.com>
> > > >---
> > > > meta/classes/package_ipk.bbclass | 6 +++++
> > > > meta/classes/sign_ipk.bbclass | 55 ++++++++++++++++++++++++++++++++++++++++
> > > > meta/lib/oe/gpg_sign.py | 39 ++++++++++++++++++++++++++++
> > > > 3 files changed, 100 insertions(+)
> > > > create mode 100644 meta/classes/sign_ipk.bbclass
> > > >
> > > >diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass
> > > >index 51bee28..4f5bbd0 100644
> > > >--- a/meta/classes/package_ipk.bbclass
> > > >+++ b/meta/classes/package_ipk.bbclass
> > > >@@ -246,6 +246,12 @@ python do_package_ipk () {
> > > > bb.utils.unlockfile(lf)
> > > > raise bb.build.FuncFailed("opkg-build execution failed")
> > > >
> > > >+ if d.getVar('IPK_SIGN_PACKAGES', True) == '1':
> > > >+ ipkver = "%s-%s" % (d.getVar('PKGV'), d.getVar('PKGR'))
> > > >+ ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, d.getVar('PACKAGE_ARCH', True))
> > > >+ d.setVar('IPK_TO_SIGN', ipk_to_sign)
> > > >+ bb.build.exec_func("sign_ipk", d)
> > > >+
> > > > cleanupcontrol(root)
> > > > bb.utils.unlockfile(lf)
> > > >
> > > >diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass
> > > >new file mode 100644
> > > >index 0000000..cb22bb4
> > > >--- /dev/null
> > > >+++ b/meta/classes/sign_ipk.bbclass
> > > >@@ -0,0 +1,55 @@
> > > >+# Class for generating signed IPK packages.
> > > >+#
> > > >+# Configuration variables used by this class:
> > > >+# IPK_GPG_PASSPHRASE_FILE
> > > >+# Path to a file containing the passphrase of the signing key.
> > > >+# IPK_GPG_NAME
> > > >+# Name of the key to sign with.
> > > >+# IPK_GPG_BACKEND
> > > >+# Optional variable for specifying the backend to use for signing.
> > > >+# Currently the only available option is 'local', i.e. local signing
> > > >+# on the build host.
> > > >+# IPK_GPG_SIGNATURE_TYPE
> > > >+# Optional variable for specifying the type of gpg signatures, can be:
> > > >+# 1. Ascii armored (ASC), default if not set
> > > >+# 2. Binary (BIN)
> > > >+# GPG_BIN
> > > >+# Optional variable for specifying the gpg binary/wrapper to use for
> > > >+# signing.
> > > >+# GPG_PATH
> > > >+# Optional variable for specifying the gnupg "home" directory:
> > > >+#
> > > >+
> > > >+inherit sanity
> > > >+
> > > >+IPK_SIGN_PACKAGES = '1'
> > > >+IPK_GPG_BACKEND ?= 'local'
> > > >+IPK_GPG_SIGNATURE_TYPE ?= 'ASC'
> > > >+
> > > >+python () {
> > > >+ # Check configuration
> > > >+ for var in ('IPK_GPG_NAME', 'IPK_GPG_PASSPHRASE_FILE'):
> > > >+ if not d.getVar(var, True):
> > > >+ raise_sanity_error("You need to define %s in the config" % var, d)
> > > >+
> > > >+ sigtype = d.getVar("IPK_GPG_SIGNATURE_TYPE", True)
> > > >+ if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
> > > >+ raise_sanity_error("Bad value for IPK_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype)
> > > >+}
> > > >+
> > > >+python sign_ipk () {
> > > >+ from oe.gpg_sign import get_signer
> > > >+
> > > >+ ipk_file = d.getVar('IPK_TO_SIGN')
> > > >+ bb.debug(1, 'Signing ipk: %s' % ipk_file)
> > > >+
> > > >+ signer = get_signer(d, d.getVar('IPK_GPG_BACKEND', True))
> > > >+
> > > >+ sig_type = d.getVar('IPK_GPG_SIGNATURE_TYPE', True)
> > > >+ is_ascii_sig = (sig_type.upper() != "BIN")
> > > >+
> > > >+ signer.sign_ipk(ipk_file,
> > > >+ d.getVar('IPK_GPG_NAME', True),
> > > >+ d.getVar('IPK_GPG_PASSPHRASE_FILE', True),
> > > >+ is_ascii_sig)
> > > >+}
> > >
> > > To me, it would be seem more straightforward to not circulate ipk_to_sign through 'd'. Just define a regular python function like
> > > def sign_ipk(d, ipk_to_sign):
> > > ...
> > >
> > > And then in package_ipk.bbclass just do "sign_ipk(d, ipk_to_sign)" instead of bb.build.exec_func("sign_ipk", d)"
> > >
> > >
> > >
> > >
> > > >diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
> > > >index ada1b2f..138499b 100644
> > > >--- a/meta/lib/oe/gpg_sign.py
> > > >+++ b/meta/lib/oe/gpg_sign.py
> > > >@@ -1,5 +1,6 @@
> > > > """Helper module for GPG signing"""
> > > > import os
> > > >+import sys
> > > >
> > > > import bb
> > > > import oe.utils
> > > >@@ -50,6 +51,44 @@ class LocalSigner(object):
> > > > bb.error('rpmsign failed: %s' % proc.before.strip())
> > > > raise bb.build.FuncFailed("Failed to sign RPM packages")
> > > >
> > > >+ def sign_ipk(self, ipkfile, keyid, passphrase_file, armor=True):
> > > >+ """Sign IPK files"""
> > > >+ import subprocess
> > > >+ from subprocess import Popen
> > > >+
> > > >+ cmd = [self.gpg_bin, "-q", "--batch", "--yes", "-b", "-u", keyid]
> > > >+ if self.gpg_path:
> > > >+ cmd += ["--homedir", self.gpg_path]
> > > >+ if armor:
> > > >+ cmd += ["--armor"]
> > > >+
> > > >+ try:
> > > >+ keypipe = os.pipe()
> > > >+
> > > >+ # Need to add '\n' in case the passfile does not have it
> > > >+ with open(passphrase_file) as fobj:
> > > >+ os.write(keypipe[1], fobj.readline() + '\n')
> > > >+
> > > >+ cmd += ["--passphrase-fd", str(keypipe[0])]
> > > >+ cmd += [ipkfile]
> > > >+
> > > >+ gpg_proc = Popen(cmd, stdin=subprocess.PIPE)
> > > >+ gpg_proc.wait()
> > > >+
> > > >+ os.close(keypipe[1]);
> > > >+ os.close(keypipe[0]);
> > > >+
> > > >+ except IOError as e:
> > > >+ bb.error("IO error ({0}): {1}".format(e.errno, e.strerror))
> > > >+ raise bb.build.FuncFailed("Failed to sign IPK packages")
> > > >+ except OSError as e:
> > > >+ bb.error("OS error ({0}): {1}".format(e.errno, e.strerror))
> > > >+ raise bb.build.FuncFailed("Failed to sign IPK packages")
> > > >+ except:
> > > >+ bb.error("Unexpected error: {1}".format(sys.exc_info()[0]))
> > > >+ raise bb.build.FuncFailed("Failed to sign IPK packages")
> > > >+
> > > >+
> > > > def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True):
> > > > """Create a detached signature of a file"""
> > > > import subprocess
> > >
> > > Couldn't you just use detach_sign() instead of introducing sign_ipk(). To me the functionality seems identical.
> >
> > The functionality is almost identical, yes, and consolidating it into one function is a very good idea. I'll do it but I have one question.
> >
> > The only diference between them is the usage in detach-sign of gpg's "--with-passphrase" arg, and that arg seems to cause some errors on my system:
> > "gpg: signing failed: Inappropriate ioctl for device"
> >
> > I have not managed to reliably reproduce and find the cause of this issue. However, if we always open the file in python and read directly in a pipe which
> > we always pass to gpg using "--passphrase-fd", the error goes away.
> >
> > Is using something like the following in detach_sign() ok with you?
> >
> > with open(passphrase_file) as fobj:
> > os.write(keypipe[1], fobj.readline() + '\n')
> >
> > cmd += ["--passphrase-fd", str(keypipe[0])]
>
> Good news: I managed to reproduce and find the cause of the problem: pinentry mode.
> Gpg has a parameter "--pinentry-mode" which by default is set to ask, but when doing
> batch singing and sending the passphrases through pipes it needs to be set to cancel.
>
> So now both methods work! :) I'll go with your method of using --passphrase-file and
> --passphrase-fd 0 because it is more clearer.
*facepalm*
I mistyped the value of the pinentry-mode parameter it's loopback not cancel.
More info at https://wiki.archlinux.org/index.php/GnuPG#Unattended_passphrase
>
> >
> > >
> > >
> > > Thanks,
> > > Markus
> > >
> > >
> >
>
More information about the Openembedded-core
mailing list