diff options
author | Daniel McGregor <daniel.mcgregor@vecima.com> | 2021-10-12 22:04:56 -0600 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-10-14 22:52:09 +0100 |
commit | 52ba0c5e6e2e3d5d01dc3f01404f0ab1bb29b3b5 (patch) | |
tree | 336fca89828a45fc956e30e2483a71b59646b893 /meta/lib/oe/gpg_sign.py | |
parent | c46a6ec91bd40a458cb0ef5ec84bc0cc274d9cef (diff) | |
download | openembedded-core-52ba0c5e6e2e3d5d01dc3f01404f0ab1bb29b3b5.tar.gz |
sstate: Allow validation of sstate singatures against list of keys
Allow a user to validate sstate objects against a list of keys, instead
of just any known key in the user's keychain.
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib/oe/gpg_sign.py')
-rw-r--r-- | meta/lib/oe/gpg_sign.py | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index 492f096eaa..1bce6cb792 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py @@ -109,16 +109,33 @@ class LocalSigner(object): bb.fatal("Could not get gpg version: %s" % e) - def verify(self, sig_file): + def verify(self, sig_file, valid_sigs = ''): """Verify signature""" - cmd = self.gpg_cmd + ["--verify", "--no-permission-warning"] + cmd = self.gpg_cmd + ["--verify", "--no-permission-warning", "--status-fd", "1"] if self.gpg_path: cmd += ["--homedir", self.gpg_path] cmd += [sig_file] - status = subprocess.call(cmd) - ret = False if status else True - return ret + status = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + # Valid if any key matches if unspecified + if not valid_sigs: + ret = False if status.returncode else True + return ret + + import re + goodsigs = [] + sigre = re.compile(r'^\[GNUPG:\] GOODSIG (\S+)\s(.*)$') + for l in status.stdout.decode("utf-8").splitlines(): + s = sigre.match(l) + if s: + goodsigs += [s.group(1)] + + for sig in valid_sigs.split(): + if sig in goodsigs: + return True + if len(goodsigs): + bb.warn('No accepted signatures found. Good signatures found: %s.' % ' '.join(goodsigs)) + return False def get_signer(d, backend): |