diff options
-rw-r--r-- | meta/classes/sign_rpm.bbclass | 20 | ||||
-rw-r--r-- | meta/lib/oe/gpg_sign.py | 7 |
2 files changed, 25 insertions, 2 deletions
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass index bc2e947107..c49406c74d 100644 --- a/meta/classes/sign_rpm.bbclass +++ b/meta/classes/sign_rpm.bbclass @@ -9,6 +9,13 @@ # Optional variable for specifying the backend to use for signing. # Currently the only available option is 'local', i.e. local signing # on the build host. +# RPM_FILE_CHECKSUM_DIGEST +# Optional variable for specifying the algorithm for generating file +# checksum digest. +# RPM_FSK_PATH +# Optional variable for the file signing key. +# RPM_FSK_PASSWORD +# Optional variable for the file signing key password. # GPG_BIN # Optional variable for specifying the gpg binary/wrapper to use for # signing. @@ -18,7 +25,10 @@ inherit sanity RPM_SIGN_PACKAGES='1' +RPM_SIGN_FILES ?= '0' RPM_GPG_BACKEND ?= 'local' +# SHA-256 is used by default +RPM_FILE_CHECKSUM_DIGEST ?= '8' python () { @@ -28,6 +38,11 @@ python () { for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE'): if not d.getVar(var): raise_sanity_error("You need to define %s in the config" % var, d) + + if d.getVar('RPM_SIGN_FILES') == '1': + for var in ('RPM_FSK_PATH', 'RPM_FSK_PASSWORD'): + if not d.getVar(var): + raise_sanity_error("You need to define %s in the config" % var, d) } python sign_rpm () { @@ -39,7 +54,10 @@ python sign_rpm () { signer.sign_rpms(rpms, d.getVar('RPM_GPG_NAME'), - d.getVar('RPM_GPG_PASSPHRASE')) + d.getVar('RPM_GPG_PASSPHRASE'), + d.getVar('RPM_FILE_CHECKSUM_DIGEST'), + d.getVar('RPM_FSK_PATH'), + d.getVar('RPM_FSK_PASSWORD')) } do_package_index[depends] += "signing-keys:do_deploy" diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index c53df54a5b..f4d8b10e4b 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py @@ -27,7 +27,7 @@ class LocalSigner(object): raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' % (keyid, output)) - def sign_rpms(self, files, keyid, passphrase): + def sign_rpms(self, files, keyid, passphrase, digest, fsk=None, fsk_password=None): """Sign RPM files""" cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid @@ -35,10 +35,15 @@ class LocalSigner(object): if self.gpg_version > (2,1,): gpg_args += ' --pinentry-mode=loopback' cmd += "--define '_gpg_sign_cmd_extra_args %s' " % gpg_args + cmd += "--define '_binary_filedigest_algorithm %s' " % digest if self.gpg_bin: cmd += "--define '__gpg %s' " % self.gpg_bin if self.gpg_path: cmd += "--define '_gpg_path %s' " % self.gpg_path + if fsk: + cmd += "--signfiles --fskpath %s " % fsk + if fsk_password: + cmd += "--define '_file_signing_key_password %s' " % fsk_password # Sign in chunks of 100 packages for i in range(0, len(files), 100): |