summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMarkus Lehtonen <markus.lehtonen@linux.intel.com>2016-01-13 12:42:05 +0200
committerMarkus Lehtonen <markus.lehtonen@linux.intel.com>2017-01-20 11:42:18 +0200
commit5f6ee59cab058d944cd3c76670f6b61106d3ec08 (patch)
tree134f46f8bc8da45e34c26a93d97eae5f36a7f8a9
parente138696a3c7bd356412dd19bfbd1d7d92510be1f (diff)
downloadopenembedded-core-contrib-marquiz/obssignd.tar.gz
openembedded-core-contrib-marquiz/obssignd.tar.bz2
openembedded-core-contrib-marquiz/obssignd.zip
WIP: implement OBSSIGN_DELSIGN optionmarquiz/obssignd
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
-rw-r--r--meta/classes/sign_package_feed.bbclass4
-rw-r--r--meta/classes/sign_rpm.bbclass4
-rw-r--r--meta/lib/oe/gpg_sign.py22
3 files changed, 21 insertions, 9 deletions
diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass
index 953fa85053..cf91750ec7 100644
--- a/meta/classes/sign_package_feed.bbclass
+++ b/meta/classes/sign_package_feed.bbclass
@@ -15,6 +15,10 @@
# signing.
# GPG_PATH
# Optional variable for specifying the gnupg "home" directory:
+# OBSSIGN_DELSIGN
+# Optional variable, effective only when 'obssign' backend is enabled.
+# Set to "1" to remove existing signatures from the RPM packages
+# before signing with obs-sign.
#
inherit sanity
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
index 8be1c35935..d247baad74 100644
--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -14,6 +14,10 @@
# signing.
# GPG_PATH
# Optional variable for specifying the gnupg "home" directory:
+# OBSSIGN_DELSIGN
+# Optional variable, effective only when 'obssign' backend is enabled.
+# Set to "1" to remove existing signatures from the RPM packages
+# before signing with obs-sign.
#
inherit sanity
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index d8ab816a84..447c23be29 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -68,9 +68,10 @@ class LocalSigner(object):
class ObsSigner(object):
"""Class for handling signing with obs-signd"""
- def __init__(self, keyid):
+ def __init__(self, d, keyid):
self.keyid = keyid
self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm")
+ self.del_old_sign = d.getVar('OBSSIGN_DELSIGN', True) == "1"
def export_pubkey(self, output_file):
"""Export GPG public key to a file"""
@@ -87,16 +88,19 @@ class ObsSigner(object):
"""Sign RPM files"""
import pexpect
- # Remove existing signatures
- cmd = "%s --delsign %s" % (self.rpm_bin, ' '.join(files))
- status, output = oe.utils.getstatusoutput(cmd)
- if status:
- raise bb.build.FuncFailed("Failed to remove RPM signatures: %s" %
- output)
+ # Remove existing signatures. This is a workaround for a limitation
+ # of obs-signd: sign is not able to add additional signatures and fails
+ # if existing signatures are found in the RPM package.
+ if self.del_old_sign:
+ cmd = "%s --delsign %s" % (self.rpm_bin, ' '.join(files))
+ status, output = oe.utils.getstatusoutput(cmd)
+ if status:
+ raise bb.build.FuncFailed("Failed to remove RPM signatures: %s" %
+ output)
# Sign packages
cmd = "sign -u '%s' -r %s" % (self.keyid, ' '.join(files))
status, output = oe.utils.getstatusoutput(cmd)
- if status:
+ if status or [line for line in output.splitlines() if line.endswith('already signed')]:
raise bb.build.FuncFailed("Failed to sign RPM packages: %s" %
output)
@@ -118,7 +122,7 @@ def get_signer(d, backend, keyid, passphrase_file):
if passphrase_file:
bb.note("GPG passphrase file setting not used when 'obssign' "
"backend is used.")
- return ObsSigner(keyid)
+ return ObsSigner(d, keyid)
else:
bb.fatal("Unsupported signing backend '%s'" % backend)