diff options
author | Alexander Kanavin <alexander.kanavin@linux.intel.com> | 2018-01-10 14:27:42 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-01-10 22:14:53 +0000 |
commit | 08fef6198122fe79d4c1213f9a64b862162ed6cd (patch) | |
tree | 98fe4b6a61ffb911abd1a7235194258d324b9c39 /meta/lib/oe/gpg_sign.py | |
parent | 3945ddd6eea9d84f7b0f82c66e6d4512bc239bb2 (diff) | |
download | openembedded-core-contrib-08fef6198122fe79d4c1213f9a64b862162ed6cd.tar.gz |
gnupg: use native version for signing, rather than one provided by host
Using host gpg has been problematic, and particularly this removes
the need to serialize package creation, as long as --auto-expand-secmem
is passed to gpg-agent, and gnupg >= 2.2.4 is in use
(https://dev.gnupg.org/T3530).
Sadly, gpg-agent itself is single-threaded, so in the longer run
we might want to seek alternatives:
https://lwn.net/Articles/742542/
(a smaller issue is that rpm itself runs the gpg fronted in a serial
fashion, which slows down the build in cases of recipes with very
large amount of packages, e.g. glibc-locale)
Note that sstate signing and verification continues to use host
gpg, as depending on native gpg would create circular dependencies.
[YOCTO #12022]
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib/oe/gpg_sign.py')
-rw-r--r-- | meta/lib/oe/gpg_sign.py | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index 9cc88f020c..b17272928f 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py @@ -12,6 +12,7 @@ class LocalSigner(object): self.gpg_path = d.getVar('GPG_PATH') self.gpg_version = self.get_gpg_version() self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpmsign") + self.gpg_agent_bin = bb.utils.which(os.getenv('PATH'), "gpg-agent") def export_pubkey(self, output_file, keyid, armor=True): """Export GPG public key to a file""" @@ -31,7 +32,7 @@ class LocalSigner(object): """Sign RPM files""" cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid - gpg_args = '--no-permission-warning --batch --passphrase=%s' % passphrase + gpg_args = '--no-permission-warning --batch --passphrase=%s --agent-program=%s|--auto-expand-secmem' % (passphrase, self.gpg_agent_bin) if self.gpg_version > (2,1,): gpg_args += ' --pinentry-mode=loopback' cmd += "--define '_gpg_sign_cmd_extra_args %s' " % gpg_args @@ -71,6 +72,9 @@ class LocalSigner(object): if self.gpg_version > (2,1,): cmd += ['--pinentry-mode', 'loopback'] + if self.gpg_agent_bin: + cmd += ["--agent-program=%s|--auto-expand-secmem" % (self.gpg_agent_bin)] + cmd += [input_file] try: @@ -99,7 +103,7 @@ class LocalSigner(object): import subprocess try: ver_str = subprocess.check_output((self.gpg_bin, "--version", "--no-permission-warning")).split()[2].decode("utf-8") - return tuple([int(i) for i in ver_str.split('.')]) + return tuple([int(i) for i in ver_str.split("-")[0].split('.')]) except subprocess.CalledProcessError as e: raise bb.build.FuncFailed("Could not get gpg version: %s" % e) |