summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2015-09-03 19:39:07 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-09-06 15:24:28 +0100
commit237b6c51b42b0c64434dc45685e10f757ac939c2 (patch)
treeb45e912b392f4dd2de036a61b8d5162bae603dee
parentd80babce1ed23f647d118ad4ce3860c0e9f6fec2 (diff)
downloadopenembedded-core-contrib-237b6c51b42b0c64434dc45685e10f757ac939c2.tar.gz
openembedded-core-contrib-237b6c51b42b0c64434dc45685e10f757ac939c2.tar.bz2
openembedded-core-contrib-237b6c51b42b0c64434dc45685e10f757ac939c2.zip
sstate: implement basic signing/validation
To provide some element of integrity to sstate archives, allow sstate archives to be GPG signed with a specified key (detached signature to a sidecar .sig file), and verify the signatures when sstate archives are unpacked. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/sstate.bbclass19
1 files changed, 18 insertions, 1 deletions
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index 4e6afef541..77313bcfbc 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -54,6 +54,13 @@ EXTRA_STAGING_FIXMES ?= ""
SIGGEN_LOCKEDSIGS_CHECK_LEVEL ?= 'error'
+# The GnuPG key ID and passphrase to use to sign sstate archives (or unset to
+# not sign)
+SSTATE_SIG_KEY ?= ""
+SSTATE_SIG_PASSPHRASE ?= ""
+# Whether to verify the GnUPG signatures when extracting sstate archives
+SSTATE_VERIFY_SIG ?= "0"
+
# Specify dirs in which the shell function is executed and don't use ${B}
# as default dirs to avoid possible race about ${B} with other task.
sstate_create_package[dirs] = "${SSTATE_BUILDDIR}"
@@ -298,6 +305,10 @@ def sstate_installpkg(ss, d):
d.setVar('SSTATE_INSTDIR', sstateinst)
d.setVar('SSTATE_PKG', sstatepkg)
+ if bb.utils.to_boolean(d.getVar("SSTATE_VERIFY_SIG", True), False):
+ if subprocess.call(["gpg", "--verify", sstatepkg + ".sig", sstatepkg]) != 0:
+ bb.warn("Cannot verify signature on sstate package %s" % sstatepkg)
+
for f in (d.getVar('SSTATEPREINSTFUNCS', True) or '').split() + ['sstate_unpack_package'] + (d.getVar('SSTATEPOSTUNPACKFUNCS', True) or '').split():
bb.build.exec_func(f, d)
@@ -605,7 +616,8 @@ def pstaging_fetch(sstatefetch, sstatepkg, d):
# Try a fetch from the sstate mirror, if it fails just return and
# we will build the package
for srcuri in ['file://{0}'.format(sstatefetch),
- 'file://{0}.siginfo'.format(sstatefetch)]:
+ 'file://{0}.siginfo'.format(sstatefetch),
+ 'file://{0}.sig'.format(sstatefetch)]:
localdata.setVar('SRC_URI', srcuri)
try:
fetcher = bb.fetch2.Fetch([srcuri], localdata, cache=False)
@@ -665,6 +677,11 @@ sstate_create_package () {
chmod 0664 $TFILE
mv -f $TFILE ${SSTATE_PKG}
+ if [ -n "${SSTATE_SIG_KEY}" ]; then
+ rm -f ${SSTATE_PKG}.sig
+ echo ${SSTATE_SIG_PASSPHRASE} | gpg --batch --passphrase-fd 0 --detach-sign --local-user ${SSTATE_SIG_KEY} --output ${SSTATE_PKG}.sig ${SSTATE_PKG}
+ fi
+
cd ${WORKDIR}
rm -rf ${SSTATE_BUILDDIR}
}