diff options
author | Markus Lehtonen <markus.lehtonen@linux.intel.com> | 2015-08-21 17:21:57 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-09-01 21:57:48 +0100 |
commit | 75f5f11b19ba1bf8743caf9ee7c99a3c67f4b266 (patch) | |
tree | a1ade42bd3947433a507b6abd3e3748f535d131a /meta/classes/sign_rpm.bbclass | |
parent | c419c64c30736ecc7b496161b4f9d9f3cc88102f (diff) | |
download | openembedded-core-contrib-75f5f11b19ba1bf8743caf9ee7c99a3c67f4b266.tar.gz |
package_rpm: support signing of rpm packages
This patch adds a new bbclass for generating rpm packages that are
signed with a user defined key. The packages are signed as part of the
"package_write_rpm" task.
In order to enable the feature you need to
1. 'INHERIT += " sign_rpm"' in bitbake config (e.g. local or
distro)
2. Create a file that contains the passphrase to your gpg secret key
3. 'RPM_GPG_PASSPHRASE_FILE = "<path_to_file>" in bitbake config,
pointing to the passphrase file created in 2.
4. Define GPG key name to use by either defining
'RPM_GPG_NAME = "<key_id>" in bitbake config OR by defining
%_gpg_name <key_id> in your ~/.oerpmmacros file
5. 'RPM_GPG_PUBKEY = "<path_to_pubkey>" in bitbake config pointing to
the public key (in "armor" format)
The user may optionally define "GPG_BIN" variable in the bitbake
configuration in order to specify a specific gpg binary/wrapper to use.
The sign_rpm.bbclass implements a simple scenario of locally signing the
packages. It could be replaced by a more advanced class that would
utilize a separate signing server for signing the packages, for example.
[YOCTO #8134]
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/sign_rpm.bbclass')
-rw-r--r-- | meta/classes/sign_rpm.bbclass | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass new file mode 100644 index 0000000000..0aa4cd841c --- /dev/null +++ b/meta/classes/sign_rpm.bbclass @@ -0,0 +1,75 @@ +# Class for generating signed RPM packages. +# +# Configuration variables used by this class: +# RPM_GPG_PASSPHRASE_FILE +# Path to a file containing the passphrase of the signing key. +# RPM_GPG_NAME +# Name of the key to sign with. Alternatively you can define +# %_gpg_name macro in your ~/.oerpmmacros file. +# RPM_GPG_PUBKEY +# Path to a file containing the public key (in "armor" format) +# corresponding the signing key. +# GPG_BIN +# Optional variable for specifying the gpg binary/wrapper to use for +# signing. +# +inherit sanity + +RPM_SIGN_PACKAGES='1' + + +_check_gpg_name () { + macrodef=`rpm -E '%_gpg_name'` + [ "$macrodef" == "%_gpg_name" ] && return 1 || return 0 +} + + +def rpmsign_wrapper(d, files, passphrase, gpg_name=None): + import pexpect + + # Find the correct rpm binary + rpm_bin_path = d.getVar('STAGING_BINDIR_NATIVE', True) + '/rpm' + cmd = rpm_bin_path + " --addsign " + if gpg_name: + cmd += "--define '%%_gpg_name %s' " % gpg_name + else: + try: + bb.build.exec_func('_check_gpg_name', d) + except bb.build.FuncFailed: + raise_sanity_error("You need to define RPM_GPG_NAME in bitbake " + "config or the %_gpg_name RPM macro defined " + "(e.g. in ~/.oerpmmacros", d) + if d.getVar('GPG_BIN', True): + cmd += "--define '%%__gpg %s' " % d.getVar('GPG_BIN', True) + cmd += ' '.join(files) + + # Need to use pexpect for feeding the passphrase + proc = pexpect.spawn(cmd) + try: + proc.expect_exact('Enter pass phrase:', timeout=15) + proc.sendline(passphrase) + proc.expect(pexpect.EOF, timeout=900) + proc.close() + except pexpect.TIMEOUT as err: + bb.debug('rpmsign timeout: %s' % err) + proc.terminate() + return proc.exitstatus + + +python sign_rpm () { + import glob + + rpm_gpg_pass_file = (d.getVar("RPM_GPG_PASSPHRASE_FILE", True) or "") + if rpm_gpg_pass_file: + with open(rpm_gpg_pass_file) as fobj: + rpm_gpg_passphrase = fobj.readlines()[0].rstrip('\n') + else: + raise_sanity_error("You need to define RPM_GPG_PASSPHRASE_FILE in the config", d) + + rpm_gpg_name = (d.getVar("RPM_GPG_NAME", True) or "") + + rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*') + + if rpmsign_wrapper(d, rpms, rpm_gpg_passphrase, rpm_gpg_name) != 0: + raise bb.build.FuncFailed("RPM signing failed") +} |