[OE-core] [PATCH 3/7 v4] rpm: Enable specific crypto and digest settings via variables

Mark Hatle mark.hatle at windriver.com
Mon Mar 7 17:59:08 UTC 2016


Allow the user to set the specific digest and non-repudiable signature
algorithms.  This should be done on a distribution wide basis.

See recipe for exact instructions, but values are now set using:
RPM_FILE_DIGEST_ALGO (default 1 - md5)
RPM_SELF_SIGN_ALGO   (default DSA)

Also, change the PACKAGECONFIG to define the default crypto engine for
RPM5, not just the available crypto engines.  If a crypto engine is not
selected, the system will default to the internal beecrypt version.

Signed-off-by: Mark Hatle <mark.hatle at windriver.com>
---
 meta/recipes-devtools/rpm/rpm_5.4+cvs.bb | 81 ++++++++++++++++++++++++++++++--
 meta/recipes-devtools/rpm/rpm_5.4.16.bb  | 81 ++++++++++++++++++++++++++++++--
 2 files changed, 152 insertions(+), 10 deletions(-)

diff --git a/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb b/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
index 62526fd..e35ddbe 100644
--- a/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
+++ b/meta/recipes-devtools/rpm/rpm_5.4+cvs.bb
@@ -168,6 +168,68 @@ rpm_macros_class-nativesdk = "%{_usrlibrpm}/macros:%{_usrlibrpm}/${DISTRO}/macro
 
 # sqlite lua tcl augeas nss gcrypt neon xz xar keyutils perl selinux
 
+# Set the digest algorithm used for verifying file integrity
+# If this value changes, and two different packages have different values
+# the "same file" validation (two packages have a non-conflict file)
+# will fail.  This may lead to upgrade problems.  You should treat this
+# value as a distribution wide setting, and only change it when you intend
+# a full system upgrade!
+#
+# Defined file digest algorithm values (note: not all are available!):
+#       1       MD5 (legacy RPM default)
+#       2       SHA1
+#       3       RIPEMD-160
+#       5       MD2
+#       6       TIGER-192
+#       8       SHA256
+#       9       SHA384
+#       10      SHA512
+#       11      SHA224
+#       104     MD4
+#       105     RIPEMD-128
+#       106     CRC-32
+#       107     ADLER-32
+#       108     CRC-64 (ECMA-182 polynomial, untested uint64_t problems)
+#       109     Jenkins lookup3.c hashlittle()
+#       111     RIPEMD-256
+#       112     RIPEMD-320
+#       188     BLAKE2B
+#       189     BLAKE2BP
+#       190     BLAKE2S
+#       191     BLAKE2SP
+RPM_FILE_DIGEST_ALGO ?= "1"
+
+# All packages build with RPM5 contain a non-repudiable signature.
+# The purpose of this signature is not to show authenticity of a package,
+# but instead act as a secondary package wide validation that shows it
+# wasn't damaged by accident in transport.  (When later you sign the package, 
+# this signature may or may not be replaced as there are three signature 
+# slots, one for DSA/RSA, one for ECSDA, and one reserved.)
+#
+# There is a known issue w/ RSA signatures that if they start with an 0x00
+# the signing and validation may fail.
+#
+# The following is the list of choices for the non-rpudiable signature
+# (note: not all of these are implemented):
+#       DSA             (default)
+#       RSA             (implies SHA1)
+#       ECDSA           (implies SHA256)
+#       DSA/SHA1
+#       DSA/SHA224
+#       DSA/SHA256
+#       DSA/SHA384
+#       DSA/SHA512
+#       RSA/SHA1
+#       RSA/SHA224
+#       RSA/SHA256
+#       RSA/SHA384
+#       RSA/SHA512
+#       ECDSA/SHA224    (using NIST P-224)
+#       ECDSA/SHA256    (using NIST P-256)
+#       ECDSA/SHA384    (using NIST P-384)
+#       ECDSA/SHA512    (using NIST P-521)
+RPM_SELF_SIGN_ALGO ?= "DSA"
+
 # Note: perl and sqlite w/o db specified does not currently work.
 #       tcl, augeas, nss, gcrypt, xar and keyutils support is untested.
 PACKAGECONFIG ??= "db bzip2 zlib popt openssl libelf python"
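Review bot: The `RPM_FILE_DIGEST_ALGO` table lists weak or broken hashes (1 MD5, 2 SHA1, 5 MD2, 104 MD4) and plain checksums (106-109) next to SHA-2 and BLAKE2 without saying which ones hold up against deliberate tampering, and the default stays at `"1"`. Keeping MD5 for compatibility with existing packages is understandable, but the comment should say so, for example `# Values 1, 2, 5 and 104 are weak or broken hashes and 106-109 are plain checksums; prefer 8 (SHA256) or stronger for a new distribution.` In the `RPM_SELF_SIGN_ALGO` comment, "non-repudiable" contradicts the stated purpose, since the text itself says the signature does not show authenticity, and "ECSDA" and "non-rpudiable" are typos. The same block is repeated in the rpm_5.4.16.bb hunk.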
@@ -203,10 +265,17 @@ PACKAGECONFIG[db] = "${WITH_DB},--without-db,db,"
 
 PACKAGECONFIG[sqlite] = "--with-sqlite,--without-sqlite,sqlite3,"
 
+# This switch simply disables external beecrypt, RPM5 always uses beecrypt
+# for base64 processing and various digest algorithms.
+# Beecrypt is only the preferred crypto engine if it's the only engine enabled.
 PACKAGECONFIG[beecrypt] = "--with-beecrypt=external,--with-beecrypt=internal,beecrypt,"
-PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl,"
-PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss,"
-PACKAGECONFIG[gcrypt] = "--with-gcrypt,--without-gcrypt,gcrypt,"
+
+# --with-usecrypto= setting defined the item as the preferred system
+# crypto engine, which will take priority over the included beecrypt
+PACKAGECONFIG[openssl] = "--with-openssl --with-usecrypto=openssl,--without-openssl,openssl,"
+PACKAGECONFIG[nss] = "--with-nss --with-usecrypto=nss,--without-nss,nss,"
+PACKAGECONFIG[gcrypt] = "--with-gcrypt --with-usecrypto=gcrypt,--without-gcrypt,gcrypt,"
+
 PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils,"
 PACKAGECONFIG[libelf] = "--with-libelf,--without-libelf,elfutils,"
 
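Review bot: With more than one of `openssl`, `nss` or `gcrypt` in PACKAGECONFIG, each enabled entry contributes its own `--with-usecrypto=` argument, so configure receives several and the preferred engine is presumably decided by argument order rather than by an explicit choice. The default PACKAGECONFIG visible in the previous hunk enables only openssl, so this would show up only when a distribution adds a second engine. Either document the restriction next to these lines, e.g. `# Enable at most one of openssl, nss, gcrypt: each passes its own --with-usecrypto=`, or select the engine through one separate setting and keep these three entries as plain `--with-X` switches. The new comment should also read "defines" rather than "defined". The same lines appear in the rpm_5.4.16.bb hunk.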
@@ -450,8 +519,10 @@ do_configure() {
 }
 
 do_install_append() {
-	# Preserve the previous default of DSA self-signed pkgs
-	sed -i -e 's,%_build_sign.*,%_build_sign DSA,' ${D}/${libdir}/rpm/macros.rpmbuild
+	# Configure -distribution wide- package crypto settings
+	# If these change, effectively all packages have to be upgraded!
+	sed -i -e 's,%_build_file_digest_algo.*,%_build_sign ${RPM_FILE_DIGEST_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
+	sed -i -e 's,%_build_sign.*,%_build_sign ${RPM_SELF_SIGN_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
 
 	sed -i -e 's,%__scriptlet_requires,#%%__scriptlet_requires,' ${D}/${libdir}/rpm/macros
 	sed -i -e 's,%__perl_provides,#%%__perl_provides,' ${D}/${libdir}/rpm/macros ${D}/${libdir}/rpm/macros.d/*
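Review bot: The first added `sed` writes the wrong macro name: its replacement text is `%_build_sign ${RPM_FILE_DIGEST_ALGO}`, so a `%_build_file_digest_algo` line is turned into a `%_build_sign` line, which the following `sed` then overwrites with RPM_SELF_SIGN_ALGO. As written, RPM_FILE_DIGEST_ALGO never reaches macros.rpmbuild and any existing digest macro line is lost. The replacement should keep the macro name: `sed -i -e 's,%_build_file_digest_algo.*,%_build_file_digest_algo ${RPM_FILE_DIGEST_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild`. The identical line in the rpm_5.4.16.bb hunk needs the same fix; do_install_append continues past the end of this hunk.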
diff --git a/meta/recipes-devtools/rpm/rpm_5.4.16.bb b/meta/recipes-devtools/rpm/rpm_5.4.16.bb
index 02de22c..cf2c600 100644
--- a/meta/recipes-devtools/rpm/rpm_5.4.16.bb
+++ b/meta/recipes-devtools/rpm/rpm_5.4.16.bb
@@ -161,6 +161,68 @@ rpm_macros_class-nativesdk = "%{_usrlibrpm}/macros:%{_usrlibrpm}/${DISTRO}/macro
 
 # sqlite lua tcl augeas nss gcrypt neon xz xar keyutils perl selinux
 
+# Set the digest algorithm used for verifying file integrity
+# If this value changes, and two different packages have different values
+# the "same file" validation (two packages have a non-conflict file)
+# will fail.  This may lead to upgrade problems.  You should treat this
+# value as a distribution wide setting, and only change it when you intend
+# a full system upgrade!
+#
+# Defined file digest algorithm values (note: not all are available!):
+#       1       MD5 (legacy RPM default)
+#       2       SHA1
+#       3       RIPEMD-160
+#       5       MD2
+#       6       TIGER-192
+#       8       SHA256
+#       9       SHA384
+#       10      SHA512
+#       11      SHA224
+#       104     MD4
+#       105     RIPEMD-128
+#       106     CRC-32
+#       107     ADLER-32
+#       108     CRC-64 (ECMA-182 polynomial, untested uint64_t problems)
+#       109     Jenkins lookup3.c hashlittle()
+#       111     RIPEMD-256
+#       112     RIPEMD-320
+#       188     BLAKE2B
+#       189     BLAKE2BP
+#       190     BLAKE2S
+#       191     BLAKE2SP
+RPM_FILE_DIGEST_ALGO ?= "1"
+
+# All packages build with RPM5 contain a non-repudiable signature.
+# The purpose of this signature is not to show authenticity of a package,
+# but instead act as a secondary package wide validation that shows it
+# wasn't damaged by accident in transport.  (When later you sign the package, 
+# this signature may or may not be replaced as there are three signature 
+# slots, one for DSA/RSA, one for ECSDA, and one reserved.)
+#
+# There is a known issue w/ RSA signatures that if they start with an 0x00
+# the signing and validation may fail.
+#
+# The following is the list of choices for the non-rpudiable signature
+# (note: not all of these are implemented):
+#       DSA             (default)
+#       RSA             (implies SHA1)
+#       ECDSA           (implies SHA256)
+#       DSA/SHA1
+#       DSA/SHA224
+#       DSA/SHA256
+#       DSA/SHA384
+#       DSA/SHA512
+#       RSA/SHA1
+#       RSA/SHA224
+#       RSA/SHA256
+#       RSA/SHA384
+#       RSA/SHA512
+#       ECDSA/SHA224    (using NIST P-224)
+#       ECDSA/SHA256    (using NIST P-256)
+#       ECDSA/SHA384    (using NIST P-384)
+#       ECDSA/SHA512    (using NIST P-521)
+RPM_SELF_SIGN_ALGO ?= "DSA"
+
 # Note: perl and sqlite w/o db specified does not currently work.
 #       tcl, augeas, nss, gcrypt, xar and keyutils support is untested.
 PACKAGECONFIG ??= "db bzip2 zlib popt openssl libelf python"
@@ -196,10 +258,17 @@ PACKAGECONFIG[db] = "${WITH_DB},--without-db,db,"
 
 PACKAGECONFIG[sqlite] = "--with-sqlite,--without-sqlite,sqlite3,"
 
+# This switch simply disables external beecrypt, RPM5 always uses beecrypt
+# for base64 processing and various digest algorithms.
+# Beecrypt is only the preferred crypto engine if it's the only engine enabled.
 PACKAGECONFIG[beecrypt] = "--with-beecrypt=external,--with-beecrypt=internal,beecrypt,"
-PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl,"
-PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss,"
-PACKAGECONFIG[gcrypt] = "--with-gcrypt,--without-gcrypt,gcrypt,"
+
+# --with-usecrypto= setting defined the item as the preferred system
+# crypto engine, which will take priority over the included beecrypt
+PACKAGECONFIG[openssl] = "--with-openssl --with-usecrypto=openssl,--without-openssl,openssl,"
+PACKAGECONFIG[nss] = "--with-nss --with-usecrypto=nss,--without-nss,nss,"
+PACKAGECONFIG[gcrypt] = "--with-gcrypt --with-usecrypto=gcrypt,--without-gcrypt,gcrypt,"
+
 PACKAGECONFIG[keyutils] = "--with-keyutils,--without-keyutils,keyutils,"
 PACKAGECONFIG[libelf] = "--with-libelf,--without-libelf,elfutils,"
 
@@ -443,8 +512,10 @@ do_configure() {
 }
 
 do_install_append() {
-	# Preserve the previous default of DSA self-signed pkgs
-	sed -i -e 's,%_build_sign.*,%_build_sign DSA,' ${D}/${libdir}/rpm/macros.rpmbuild
+	# Configure -distribution wide- package crypto settings
+	# If these change, effectively all packages have to be upgraded!
+	sed -i -e 's,%_build_file_digest_algo.*,%_build_sign ${RPM_FILE_DIGEST_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
+	sed -i -e 's,%_build_sign.*,%_build_sign ${RPM_SELF_SIGN_ALGO},' ${D}/${libdir}/rpm/macros.rpmbuild
 
 	sed -i -e 's,%__scriptlet_requires,#%%__scriptlet_requires,' ${D}/${libdir}/rpm/macros
 	sed -i -e 's,%__perl_provides,#%%__perl_provides,' ${D}/${libdir}/rpm/macros ${D}/${libdir}/rpm/macros.d/*
-- 
2.5.0



