From 5f6ee59cab058d944cd3c76670f6b61106d3ec08 Mon Sep 17 00:00:00 2001 From: Markus Lehtonen Date: Wed, 13 Jan 2016 12:42:05 +0200 Subject: WIP: implement OBSSIGN_DELSIGN option Signed-off-by: Markus Lehtonen --- meta/classes/sign_package_feed.bbclass | 4 ++++ meta/classes/sign_rpm.bbclass | 4 ++++ meta/lib/oe/gpg_sign.py | 22 +++++++++++++--------- 3 files changed, 21 insertions(+), 9 deletions(-) diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass index 953fa85053..cf91750ec7 100644 --- a/meta/classes/sign_package_feed.bbclass +++ b/meta/classes/sign_package_feed.bbclass @@ -15,6 +15,10 @@ # signing. # GPG_PATH # Optional variable for specifying the gnupg "home" directory: +# OBSSIGN_DELSIGN +# Optional variable, effective only when 'obssign' backend is enabled. +# Set to "1" to remove existing signatures from the RPM packages +# before signing with obs-sign. # inherit sanity diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass index 8be1c35935..d247baad74 100644 --- a/meta/classes/sign_rpm.bbclass +++ b/meta/classes/sign_rpm.bbclass @@ -14,6 +14,10 @@ # signing. # GPG_PATH # Optional variable for specifying the gnupg "home" directory: +# OBSSIGN_DELSIGN +# Optional variable, effective only when 'obssign' backend is enabled. +# Set to "1" to remove existing signatures from the RPM packages +# before signing with obs-sign. # inherit sanity diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index d8ab816a84..447c23be29 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py @@ -68,9 +68,10 @@ class LocalSigner(object): class ObsSigner(object): """Class for handling signing with obs-signd""" - def __init__(self, keyid): + def __init__(self, d, keyid): self.keyid = keyid self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm") + self.del_old_sign = d.getVar('OBSSIGN_DELSIGN', True) == "1" def export_pubkey(self, output_file): """Export GPG public key to a file""" @@ -87,16 +88,19 @@ class ObsSigner(object): """Sign RPM files""" import pexpect - # Remove existing signatures - cmd = "%s --delsign %s" % (self.rpm_bin, ' '.join(files)) - status, output = oe.utils.getstatusoutput(cmd) - if status: - raise bb.build.FuncFailed("Failed to remove RPM signatures: %s" % - output) + # Remove existing signatures. This is a workaround for a limitation + # of obs-signd: sign is not able to add additional signatures and fails + # if existing signatures are found in the RPM package. + if self.del_old_sign: + cmd = "%s --delsign %s" % (self.rpm_bin, ' '.join(files)) + status, output = oe.utils.getstatusoutput(cmd) + if status: + raise bb.build.FuncFailed("Failed to remove RPM signatures: %s" % + output) # Sign packages cmd = "sign -u '%s' -r %s" % (self.keyid, ' '.join(files)) status, output = oe.utils.getstatusoutput(cmd) - if status: + if status or [line for line in output.splitlines() if line.endswith('already signed')]: raise bb.build.FuncFailed("Failed to sign RPM packages: %s" % output) @@ -118,7 +122,7 @@ def get_signer(d, backend, keyid, passphrase_file): if passphrase_file: bb.note("GPG passphrase file setting not used when 'obssign' " "backend is used.") - return ObsSigner(keyid) + return ObsSigner(d, keyid) else: bb.fatal("Unsupported signing backend '%s'" % backend) -- cgit 1.2.3-korg