meta/lib: new module for handling GPG signing

Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] (From OE-Core rev: 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Markus Lehtonen <markus.lehtonen@linux.intel.com> 2016-01-25 14:21:34 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-01-26 22:31:58 +0000
commit: bb971577ab308caf7177d4bda290d1fe5ab842db (patch)
tree: 49c1811106a9b58717dcfd3c6fe4e4810341c1b3 /meta/recipes-core/meta
parent: aadb879e5b302e405e05443f56611c17868d10b6 (diff)
download: openembedded-core-contrib-bb971577ab308caf7177d4bda290d1fe5ab842db.tar.gz
1 files changed, 12 insertions, 14 deletions
diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb
index cc401f3b6c..d7aa79d49f 100644
--- a/meta/recipes-core/meta/signing-keys.bb
+++ b/meta/recipes-core/meta/signing-keys.bb
@@ -20,26 +20,24 @@ do_populate_sysroot[noexec] = "1"
 
 EXCLUDE_FROM_WORLD = "1"
 
-def export_gpg_pubkey(d, keyid, path):
-    import bb
-    gpg_bin = d.getVar('GPG_BIN', True) or \
-              bb.utils.which(os.getenv('PATH'), "gpg")
-    cmd = '%s --batch --yes --export --armor -o %s %s' % \
-          (gpg_bin, path, keyid)
-    status, output = oe.utils.getstatusoutput(cmd)
-    if status:
-        raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' %
-                                  (keyid, output))
 
 python do_export_public_keys () {
+    from oe.gpg_sign import get_signer
+
     if d.getVar("RPM_SIGN_PACKAGES", True):
         # Export public key of the rpm signing key
-        export_gpg_pubkey(d, d.getVar("RPM_GPG_NAME", True),
-                          d.getVar('RPM_GPG_PUBKEY', True))
+        signer = get_signer(d,
+                            d.getVar('RPM_GPG_BACKEND', True),
+                            d.getVar('RPM_GPG_NAME', True),
+                            d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
+        signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True))
 
     if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
         # Export public key of the feed signing key
-        export_gpg_pubkey(d, d.getVar("PACKAGE_FEED_GPG_NAME", True),
-                          d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
+        signer = get_signer(d,
+                            d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
+                            d.getVar('PACKAGE_FEED_GPG_NAME', True),
+                            d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
+        signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
 }
 addtask do_export_public_keys before do_build
author	Markus Lehtonen <markus.lehtonen@linux.intel.com>	2016-01-25 14:21:34 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-01-26 22:31:58 +0000
commit	bb971577ab308caf7177d4bda290d1fe5ab842db (patch)
tree	49c1811106a9b58717dcfd3c6fe4e4810341c1b3 /meta/recipes-core/meta
parent	aadb879e5b302e405e05443f56611c17868d10b6 (diff)
download	openembedded-core-contrib-bb971577ab308caf7177d4bda290d1fe5ab842db.tar.gz