aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMarkus Lehtonen <markus.lehtonen@linux.intel.com>2016-02-10 16:15:57 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-02-18 22:55:11 +0000
commite2412294b6b1d3a80ee97a0706613349edc51d33 (patch)
tree39a06af3040d1dee21c55de1c9f0572324d39bf4
parentce653694a87fd77d79ec3d28ed3365a2c8e57ad6 (diff)
downloadopenembedded-core-contrib-e2412294b6b1d3a80ee97a0706613349edc51d33.tar.gz
openembedded-core-contrib-e2412294b6b1d3a80ee97a0706613349edc51d33.tar.bz2
openembedded-core-contrib-e2412294b6b1d3a80ee97a0706613349edc51d33.zip
sign_rpm.bbclass: do not store key details in signer instance
Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/sign_rpm.bbclass9
-rw-r--r--meta/lib/oe/gpg_sign.py24
-rw-r--r--meta/lib/oe/package_manager.py9
-rw-r--r--meta/recipes-core/meta/signing-keys.bb16
4 files changed, 25 insertions, 33 deletions
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
index 8bcabeec91c..8b59bacd451 100644
--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -36,13 +36,12 @@ python sign_rpm () {
import glob
from oe.gpg_sign import get_signer
- signer = get_signer(d,
- d.getVar('RPM_GPG_BACKEND', True),
- d.getVar('RPM_GPG_NAME', True),
- d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
+ signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True))
rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*')
- signer.sign_rpms(rpms)
+ signer.sign_rpms(rpms,
+ d.getVar('RPM_GPG_NAME', True),
+ d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
}
do_package_index[depends] += "signing-keys:do_export_public_keys"
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 16a23645b66..c4cadd6a24c 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -6,31 +6,29 @@ import oe.utils
class LocalSigner(object):
"""Class for handling local (on the build host) signing"""
- def __init__(self, d, keyid, passphrase_file):
- self.keyid = keyid
- self.passphrase_file = passphrase_file
+ def __init__(self, d):
self.gpg_bin = d.getVar('GPG_BIN', True) or \
bb.utils.which(os.getenv('PATH'), 'gpg')
self.gpg_path = d.getVar('GPG_PATH', True)
self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm")
- def export_pubkey(self, output_file):
+ def export_pubkey(self, output_file, keyid):
"""Export GPG public key to a file"""
cmd = '%s --batch --yes --export --armor -o %s ' % \
(self.gpg_bin, output_file)
if self.gpg_path:
cmd += "--homedir %s " % self.gpg_path
- cmd += self.keyid
+ cmd += keyid
status, output = oe.utils.getstatusoutput(cmd)
if status:
raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' %
- (self.keyid, output))
+ (keyid, output))
- def sign_rpms(self, files):
+ def sign_rpms(self, files, keyid, passphrase_file):
"""Sign RPM files"""
import pexpect
- cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % self.keyid
+ cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid
if self.gpg_bin:
cmd += "--define '%%__gpg %s' " % self.gpg_bin
if self.gpg_path:
@@ -41,7 +39,7 @@ class LocalSigner(object):
proc = pexpect.spawn(cmd)
try:
proc.expect_exact('Enter pass phrase:', timeout=15)
- with open(self.passphrase_file) as fobj:
+ with open(passphrase_file) as fobj:
proc.sendline(fobj.readline().rstrip('\n'))
proc.expect(pexpect.EOF, timeout=900)
proc.close()
@@ -52,11 +50,11 @@ class LocalSigner(object):
bb.error('rpmsign failed: %s' % proc.before.strip())
raise bb.build.FuncFailed("Failed to sign RPM packages")
- def detach_sign(self, input_file, armor=True):
+ def detach_sign(self, input_file, keyid, passphrase_file, armor=True):
"""Create a detached signature of a file"""
cmd = "%s --detach-sign --batch --no-tty --yes " \
"--passphrase-file '%s' -u '%s' " % \
- (self.gpg_bin, self.passphrase_file, self.keyid)
+ (self.gpg_bin, passphrase_file, keyid)
if self.gpg_path:
cmd += "--homedir %s " % self.gpg_path
if armor:
@@ -78,11 +76,11 @@ class LocalSigner(object):
return ret
-def get_signer(d, backend, keyid, passphrase_file):
+def get_signer(d, backend):
"""Get signer object for the specified backend"""
# Use local signing by default
if backend == 'local':
- return LocalSigner(d, keyid, passphrase_file)
+ return LocalSigner(d)
else:
bb.fatal("Unsupported signing backend '%s'" % backend)
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index 26f6466ed10..b30a4da0578 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -110,10 +110,7 @@ class RpmIndexer(Indexer):
rpm_createrepo = bb.utils.which(os.getenv('PATH'), "createrepo")
if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
- signer = get_signer(self.d,
- self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
- self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
- self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
+ signer = get_signer(self.d, self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
else:
signer = None
index_cmds = []
@@ -144,7 +141,9 @@ class RpmIndexer(Indexer):
# Sign repomd
if signer:
for repomd in repomd_files:
- signer.detach_sign(repomd)
+ signer.detach_sign(repomd,
+ self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
+ self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
# Copy pubkey(s) to repo
distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0"
if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb
index d7aa79d49f3..d7763c664ec 100644
--- a/meta/recipes-core/meta/signing-keys.bb
+++ b/meta/recipes-core/meta/signing-keys.bb
@@ -26,18 +26,14 @@ python do_export_public_keys () {
if d.getVar("RPM_SIGN_PACKAGES", True):
# Export public key of the rpm signing key
- signer = get_signer(d,
- d.getVar('RPM_GPG_BACKEND', True),
- d.getVar('RPM_GPG_NAME', True),
- d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
- signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True))
+ signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True))
+ signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True),
+ d.getVar('RPM_GPG_NAME', True))
if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
# Export public key of the feed signing key
- signer = get_signer(d,
- d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
- d.getVar('PACKAGE_FEED_GPG_NAME', True),
- d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
- signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
+ signer = get_signer(d, d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
+ signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True),
+ d.getVar('PACKAGE_FEED_GPG_NAME', True))
}
addtask do_export_public_keys before do_build