-rw-r--r-- | meta/classes/sign_package_feed.bbclass | 2 | ||||
-rw-r--r-- | meta/classes/sign_rpm.bbclass | 6 | ||||
-rw-r--r-- | meta/lib/oe/gpg_sign.py | 8 | ||||
-rw-r--r-- | meta/lib/oeqa/selftest/cases/runtime_test.py | 4 | ||||
-rw-r--r-- | meta/recipes-core/meta/signing-keys.bb | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python-3.5-manifest.inc | 2 | ||||
-rw-r--r-- | meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch | 28 | ||||
-rw-r--r-- | meta/recipes-support/gnupg/gnupg/relocate.patch | 81 | ||||
-rw-r--r-- | meta/recipes-support/gnupg/gnupg_2.2.9.bb (renamed from meta/recipes-support/gnupg/gnupg_2.2.0.bb) | 13 | ||||
-rw-r--r-- | meta/recipes-support/libksba/libksba_1.3.5.bb | 2 | ||||
-rw-r--r-- | meta/recipes-support/npth/npth_1.5.bb | 2 | ||||
-rw-r--r-- | meta/recipes-support/pinentry/pinentry_1.0.0.bb | 2 | ||||
-rwxr-xr-x | scripts/contrib/python/generate-manifest-3.5.py | 2 |
13 files changed, 140 insertions, 13 deletions
diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass index f03c4802d0..7ff3a35a2f 100644 --- a/meta/classes/sign_package_feed.bbclass +++ b/meta/classes/sign_package_feed.bbclass @@ -43,4 +43,4 @@ python () { } do_package_index[depends] += "signing-keys:do_deploy" -do_rootfs[depends] += "signing-keys:do_populate_sysroot" +do_rootfs[depends] += "signing-keys:do_populate_sysroot gnupg-native:do_populate_sysroot" diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass index 4961b03618..64ae7ce30e 100644 --- a/meta/classes/sign_rpm.bbclass +++ b/meta/classes/sign_rpm.bbclass @@ -68,8 +68,4 @@ python sign_rpm () { do_package_index[depends] += "signing-keys:do_deploy" do_rootfs[depends] += "signing-keys:do_populate_sysroot" -# Newer versions of gpg (at least 2.1.5 and 2.2.1) have issues when signing occurs in parallel -# so unfortunately the signing must be done serially. Once the upstream problem is fixed, -# the following line must be removed otherwise we loose all the intrinsic parallelism from -# bitbake. For more information, check https://bugzilla.yoctoproject.org/show_bug.cgi?id=12022. -do_package_write_rpm[lockfiles] += "${TMPDIR}/gpg.lock" +PACKAGE_WRITE_DEPS += "gnupg-native" diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index 9cc88f020c..b17272928f 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py @@ -12,6 +12,7 @@ class LocalSigner(object): self.gpg_path = d.getVar('GPG_PATH') self.gpg_version = self.get_gpg_version() self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpmsign") + self.gpg_agent_bin = bb.utils.which(os.getenv('PATH'), "gpg-agent") def export_pubkey(self, output_file, keyid, armor=True): """Export GPG public key to a file""" 
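Review bot: The `do_package_write_rpm[lockfiles]` line in sign_rpm.bbclass is dropped together with the comment that explained why signing had to be serialised, and nothing in the new code records what now makes parallel signing safe. Judging by the gpg_sign.py changes in this commit, it appears to rely on gpg-agent being started with `--auto-expand-secmem`; a comment above `PACKAGE_WRITE_DEPS += "gnupg-native"` would keep that link visible, e.g. `# Parallel signing relies on gnupg-native's gpg-agent being started with --auto-expand-secmem (see oe.gpg_sign).` If `self.gpg_bin` can still resolve to a host gpg, it is worth confirming that the parallel case holds there as well.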
@@ -31,7 +32,7 @@ class LocalSigner(object): """Sign RPM files""" cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid - gpg_args = '--no-permission-warning --batch --passphrase=%s' % passphrase + gpg_args = '--no-permission-warning --batch --passphrase=%s --agent-program=%s|--auto-expand-secmem' % (passphrase, self.gpg_agent_bin) if self.gpg_version > (2,1,): gpg_args += ' --pinentry-mode=loopback' cmd += "--define '_gpg_sign_cmd_extra_args %s' " % gpg_args @@ -71,6 +72,9 @@ class LocalSigner(object): if self.gpg_version > (2,1,): cmd += ['--pinentry-mode', 'loopback'] + if self.gpg_agent_bin: + cmd += ["--agent-program=%s|--auto-expand-secmem" % (self.gpg_agent_bin)] + cmd += [input_file] try: @@ -99,7 +103,7 @@ class LocalSigner(object): import subprocess try: ver_str = subprocess.check_output((self.gpg_bin, "--version", "--no-permission-warning")).split()[2].decode("utf-8") - return tuple([int(i) for i in ver_str.split('.')]) + return tuple([int(i) for i in ver_str.split("-")[0].split('.')]) except subprocess.CalledProcessError as e: raise bb.build.FuncFailed("Could not get gpg version: %s" % e) diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py index 25270b7535..cf3a4151f1 100644 --- a/meta/lib/oeqa/selftest/cases/runtime_test.py +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py 
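Review bot: `self.gpg_agent_bin` is interpolated into `gpg_args` unconditionally in sign_rpms, while the detach-sign hunk further down guards the same option with `if self.gpg_agent_bin:`; when the lookup in `__init__` finds no gpg-agent, rpmsign is handed an `--agent-program` value with no program in it. Build the option the same way in both places: keep `gpg_args = '--no-permission-warning --batch --passphrase=%s' % passphrase` and follow it with `if self.gpg_agent_bin:` / `gpg_args += ' --agent-program=%s|--auto-expand-secmem' % self.gpg_agent_bin`. Separately, the passphrase is still placed on the command line here, where other local users can read it from the process list while signing runs; `--passphrase-file` or `--passphrase-fd` would avoid that. sign_rpms continues past the end of the hunk.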
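Review bot: The new `split("-")[0]` in the version parser copes with a suffixed version string, but `int(i)` still raises ValueError on any other non-numeric component and only `subprocess.CalledProcessError` is caught, so an unexpected `gpg --version` banner surfaces as a raw traceback instead of the FuncFailed message. Widening the handler to `except (subprocess.CalledProcessError, ValueError, IndexError) as e:` keeps the failure on the existing error path. The resulting tuple gates `--pinentry-mode=loopback` in the signing methods, so a clear failure is preferable to a misparsed version. The function's `def` line is above the hunk.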
@@ -148,10 +148,12 @@ class TestImage(OESelftestTestCase): features += 'EXTRA_IMAGE_FEATURES += "package-management"\n' features += 'PACKAGE_CLASSES = "package_rpm"\n' + bitbake('gnupg-native -c addto_recipe_sysroot') + # Enable package feed signing self.gpg_home = tempfile.mkdtemp(prefix="oeqa-feed-sign-") signing_key_dir = os.path.join(self.testlayer_path, 'files', 'signing') - runCmd('gpg --batch --homedir %s --import %s' % (self.gpg_home, os.path.join(signing_key_dir, 'key.secret'))) + runCmd('gpg --batch --homedir %s --import %s' % (self.gpg_home, os.path.join(signing_key_dir, 'key.secret')), native_sysroot=get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native")) features += 'INHERIT += "sign_package_feed"\n' features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n' features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % os.path.join(signing_key_dir, 'key.passphrase') diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb index 2c1cc3845e..6387d90d47 100644 --- a/meta/recipes-core/meta/signing-keys.bb +++ b/meta/recipes-core/meta/signing-keys.bb @@ -41,6 +41,7 @@ python do_get_public_keys () { } do_get_public_keys[cleandirs] = "${B}" addtask get_public_keys before do_install +do_get_public_keys[depends] += "gnupg-native:do_populate_sysroot" do_install () { if [ -f "${B}/rpm-key" ]; then diff --git a/meta/recipes-devtools/python/python-3.5-manifest.inc b/meta/recipes-devtools/python/python-3.5-manifest.inc index 0260e87e75..710b22eaa3 100644 --- a/meta/recipes-devtools/python/python-3.5-manifest.inc +++ b/meta/recipes-devtools/python/python-3.5-manifest.inc 
@@ -194,7 +194,7 @@ FILES_${PN}-readline="${libdir}/python3.5/lib-dynload/readline.*.so ${libdir}/py SUMMARY_${PN}-reprlib="Python alternate repr() implementation" RDEPENDS_${PN}-reprlib="${PN}-core" -FILES_${PN}-reprlib="${libdir}/python3.5/reprlib.py ${libdir}/python3.5/__pycache__/reprlib.py " +FILES_${PN}-reprlib="${libdir}/python3.5/reprlib.* ${libdir}/python3.5/__pycache__/reprlib.* " SUMMARY_${PN}-resource="Python resource control interface" RDEPENDS_${PN}-resource="${PN}-core" diff --git a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch new file mode 100644 index 0000000000..5f1dd30f87 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch @@ -0,0 +1,28 @@ +From 7eb7efb9ce89c66e14c194773c4dcf6478a6ca4d Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex.kanavin@gmail.com> +Date: Mon, 22 Jan 2018 18:00:21 +0200 +Subject: [PATCH] configure.ac: use a custom value for the location of + gpg-agent socket in the filesystem + +This should avoid clashes with the host gpg-agent observed on autobuilders. + +Upstream-Status: Inappropriate [oe-core specific, and only for -native] +Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> + +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 59a2e60..12d390b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1841,7 +1841,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf", + + AC_DEFINE_UNQUOTED(GPGTAR_NAME, "gpgtar", [The name of the gpgtar tool]) + +-AC_DEFINE_UNQUOTED(GPG_AGENT_SOCK_NAME, "S.gpg-agent", ++AC_DEFINE_UNQUOTED(GPG_AGENT_SOCK_NAME, "S.gpg-agent.yocto-native", + [The name of the agent socket]) + AC_DEFINE_UNQUOTED(GPG_AGENT_EXTRA_SOCK_NAME, "S.gpg-agent.extra", + [The name of the agent socket for remote access]) 
diff --git a/meta/recipes-support/gnupg/gnupg/relocate.patch b/meta/recipes-support/gnupg/gnupg/relocate.patch new file mode 100644 index 0000000000..87ec409ca3 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg/relocate.patch 
@@ -0,0 +1,81 @@ +Allow the environment to override where gnupg looks for its own files. Useful in native builds. + +Upstream-Status: Inappropriate [OE-specific] +Signed-off-by: Ross Burton <ross.burton@intel.com> + +diff --git a/common/homedir.c b/common/homedir.c +index e9e75d01e..19140aa0d 100644 +--- a/common/homedir.c ++++ b/common/homedir.c +@@ -760,7 +760,7 @@ gnupg_socketdir (void) + if (!name) + { + unsigned int dummy; +- name = _gnupg_socketdir_internal (0, &dummy); ++ name = getenv("GNUPG_SOCKETDIR") ?: _gnupg_socketdir_internal (0, &dummy); + } + + return name; +@@ -786,7 +786,7 @@ gnupg_sysconfdir (void) + } + return name; + #else /*!HAVE_W32_SYSTEM*/ +- return GNUPG_SYSCONFDIR; ++ return getenv("GNUPG_SYSCONFDIR") ?: GNUPG_SYSCONFDIR; + #endif /*!HAVE_W32_SYSTEM*/ + } + +@@ -815,7 +815,7 @@ gnupg_bindir (void) + else + return rdir; + #else /*!HAVE_W32_SYSTEM*/ +- return GNUPG_BINDIR; ++ return getenv("GNUPG_BINDIR") ?: GNUPG_BINDIR; + #endif /*!HAVE_W32_SYSTEM*/ + } + +@@ -828,7 +828,7 @@ gnupg_libexecdir (void) + #ifdef HAVE_W32_SYSTEM + return gnupg_bindir (); + #else /*!HAVE_W32_SYSTEM*/ +- return GNUPG_LIBEXECDIR; ++ return getenv("GNUPG_LIBEXECDIR") ?: GNUPG_LIBEXECDIR; + #endif /*!HAVE_W32_SYSTEM*/ + } + +@@ -842,7 +842,7 @@ gnupg_libdir (void) + name = xstrconcat (w32_rootdir (), DIRSEP_S "lib" DIRSEP_S "gnupg", NULL); + return name; + #else /*!HAVE_W32_SYSTEM*/ +- return GNUPG_LIBDIR; ++ return getenv("GNUPG_LIBDIR") ?: GNUPG_LIBDIR; + #endif /*!HAVE_W32_SYSTEM*/ + } + +@@ -856,7 +856,7 @@ gnupg_datadir (void) + name = xstrconcat (w32_rootdir (), DIRSEP_S "share" DIRSEP_S "gnupg", NULL); + return name; + #else /*!HAVE_W32_SYSTEM*/ +- return GNUPG_DATADIR; ++ return getenv("GNUPG_DATADIR") ?: GNUPG_DATADIR; + #endif /*!HAVE_W32_SYSTEM*/ + } + +@@ -872,7 +872,7 @@ gnupg_localedir (void) + NULL); + return name; + #else /*!HAVE_W32_SYSTEM*/ +- return LOCALEDIR; ++ return getenv("LOCALEDIR") ?: LOCALEDIR; + #endif /*!HAVE_W32_SYSTEM*/ + } + +@@ 
-940,7 +940,7 @@ gnupg_cachedir (void) + } + return dir; + #else /*!HAVE_W32_SYSTEM*/ +- return GNUPG_LOCALSTATEDIR "/cache/" PACKAGE_NAME; ++ return getenv("GNUPG_LOCALSTATEDIR") ?: GNUPG_LOCALSTATEDIR "/cache/" PACKAGE_NAME; + #endif /*!HAVE_W32_SYSTEM*/ + } + diff --git a/meta/recipes-support/gnupg/gnupg_2.2.0.bb b/meta/recipes-support/gnupg/gnupg_2.2.9.bb index 0176dddad2..b7d23b8d39 100644 --- a/meta/recipes-support/gnupg/gnupg_2.2.0.bb +++ b/meta/recipes-support/gnupg/gnupg_2.2.9.bb @@ -15,9 +15,12 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0003-dirmngr-uses-libgpg-error.patch \ file://0004-autogen.sh-fix-find-version-for-beta-checking.patch \ " +SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \ + file://relocate.patch" -SRC_URI[md5sum] = "789f16949fae2d003d387f49e9da4b74" -SRC_URI[sha256sum] = "d4514a0be0f7a1ff263193330019eb4b53c82f0f5e230af3c14df371271a45e6" + +SRC_URI[md5sum] = "52c895a81f514a65e08923736c38654a" +SRC_URI[sha256sum] = "6278eaabffa1ebc9fa2ceb3dc53eea9a1505ab02a668a86dd6fec06951af2164" EXTRA_OECONF = "--disable-ldap \ --disable-ccid-driver \ @@ -41,6 +44,12 @@ do_install_append() { ln -sf gpgv2 ${D}${bindir}/gpgv } +do_install_append_class-native() { + create_wrapper ${D}${bindir}/gpg2 GNUPG_BINDIR=${STAGING_BINDIR_NATIVE} +} + PACKAGECONFIG ??= "gnutls" PACKAGECONFIG[gnutls] = "--enable-gnutls, --disable-gnutls, gnutls" PACKAGECONFIG[sqlite3] = "--enable-sqlite, --disable-sqlite, sqlite3" + +BBCLASSEXTEND = "native" diff --git a/meta/recipes-support/libksba/libksba_1.3.5.bb b/meta/recipes-support/libksba/libksba_1.3.5.bb index 36b6670563..a7ea53fed0 100644 --- a/meta/recipes-support/libksba/libksba_1.3.5.bb +++ b/meta/recipes-support/libksba/libksba_1.3.5.bb @@ -24,3 +24,5 @@ do_configure_prepend () { # Else these could be used in preference to those in aclocal-copy rm -f ${S}/m4/gpg-error.m4 } + +BBCLASSEXTEND = "native" 
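Review bot: In `gnupg_cachedir` of relocate.patch the `?:` binds more loosely than the adjacent string literals, so with `GNUPG_LOCALSTATEDIR` set the function returns the variable's value itself and the `"/cache/" PACKAGE_NAME` suffix is applied only to the compiled-in default. The override therefore has to name the cache directory, not the localstatedir its name suggests; either build the path with `xstrconcat` when the variable is set, or rename the variable. `gnupg_localedir` reads the unprefixed `LOCALEDIR`, which is more likely to collide with an unrelated variable than the `GNUPG_`-prefixed names used for the others. Because these overrides let the environment decide where gpg finds its helper programs, the patch should stay confined to the native build, as the `SRC_URI_append_class-native` line in the recipe does.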
diff --git a/meta/recipes-support/npth/npth_1.5.bb b/meta/recipes-support/npth/npth_1.5.bb index 54de70c5c0..e7db6ae1b4 100644 --- a/meta/recipes-support/npth/npth_1.5.bb +++ b/meta/recipes-support/npth/npth_1.5.bb @@ -19,3 +19,5 @@ inherit autotools binconfig-disabled FILES_${PN} = "${libdir}/libnpth.so.*" FILES_${PN}-dev += "${bindir}/npth-config" + +BBCLASSEXTEND = "native" diff --git a/meta/recipes-support/pinentry/pinentry_1.0.0.bb b/meta/recipes-support/pinentry/pinentry_1.0.0.bb index 319acd3b4e..634638da02 100644 --- a/meta/recipes-support/pinentry/pinentry_1.0.0.bb +++ b/meta/recipes-support/pinentry/pinentry_1.0.0.bb @@ -34,3 +34,5 @@ PACKAGECONFIG[gtk2] = "--enable-pinentry-gtk2, --disable-pinentry-gtk2, gtk+ gli #To use libsecret, add meta-gnome PACKAGECONFIG[secret] = "--enable-libsecret, --disable-libsecret, libsecret" + +BBCLASSEXTEND = "native" diff --git a/scripts/contrib/python/generate-manifest-3.5.py b/scripts/contrib/python/generate-manifest-3.5.py index 6352f8f120..750d4fc754 100755 --- a/scripts/contrib/python/generate-manifest-3.5.py +++ b/scripts/contrib/python/generate-manifest-3.5.py @@ -371,7 +371,7 @@ if __name__ == "__main__": "lib-dynload/readline.*.so rlcompleter.*" ) m.addPackage( "${PN}-reprlib", "Python alternate repr() implementation", "${PN}-core", - "reprlib.py" ) + "reprlib.*" ) m.addPackage( "${PN}-resource", "Python resource control interface", "${PN}-core", "lib-dynload/resource.*.so" ) |