2 files changed, 80 insertions, 0 deletions

diff --git a/meta/classes/package_rpm.bbclass b/meta/classes/package_rpm.bbclass
index 264438b442..1fa1634d29 100644
--- a/meta/classes/package_rpm.bbclass
+++ b/meta/classes/package_rpm.bbclass
@@ -697,6 +697,8 @@ python do_package_rpm () {
     else:
         d.setVar('PACKAGE_ARCH_EXTEND', package_arch)
     pkgwritedir = d.expand('${PKGWRITEDIRRPM}/${PACKAGE_ARCH_EXTEND}')
+    d.setVar('RPM_PKGWRITEDIR', pkgwritedir)
+    bb.debug(1, 'PKGWRITEDIR: %s' % d.getVar('RPM_PKGWRITEDIR', True))
     pkgarch = d.expand('${PACKAGE_ARCH_EXTEND}${HOST_VENDOR}-${HOST_OS}')
     magicfile = d.expand('${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc')
     bb.utils.mkdirhier(pkgwritedir)
@@ -732,6 +734,9 @@ python do_package_rpm () {
     d.setVar('BUILDSPEC', cmd + "\n")
     d.setVarFlag('BUILDSPEC', 'func', '1')
     bb.build.exec_func('BUILDSPEC', d)
+
+    if d.getVar('RPM_SIGN_PACKAGES', True) == '1':
+        bb.build.exec_func("sign_rpm", d)
 }
 
 python () {
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
new file mode 100644
index 0000000000..0aa4cd841c
--- /dev/null
+++ b/meta/classes/sign_rpm.bbclass
@@ -0,0 +1,75 @@
+# Class for generating signed RPM packages.
+#
+# Configuration variables used by this class:
+# RPM_GPG_PASSPHRASE_FILE
+#           Path to a file containing the passphrase of the signing key.
+# RPM_GPG_NAME
+#           Name of the key to sign with. Alternatively you can define
+#           %_gpg_name macro in your ~/.oerpmmacros file.
+# RPM_GPG_PUBKEY
+#           Path to a file containing the public key (in "armor" format)
+#           corresponding the signing key.
+# GPG_BIN
+#           Optional variable for specifying the gpg binary/wrapper to use for
+#           signing.
+#
+inherit sanity
+
+RPM_SIGN_PACKAGES='1'
+
+
+_check_gpg_name () {
+    macrodef=`rpm -E '%_gpg_name'`
+    [ "$macrodef" == "%_gpg_name" ] && return 1 || return 0
+}
+
+
+def rpmsign_wrapper(d, files, passphrase, gpg_name=None):
+    import pexpect
+
+    # Find the correct rpm binary
+    rpm_bin_path = d.getVar('STAGING_BINDIR_NATIVE', True) + '/rpm'
+    cmd = rpm_bin_path + " --addsign "
+    if gpg_name:
+        cmd += "--define '%%_gpg_name %s' " % gpg_name
+    else:
+        try:
+            bb.build.exec_func('_check_gpg_name', d)
+        except bb.build.FuncFailed:
+            raise_sanity_error("You need to define RPM_GPG_NAME in bitbake "
+                               "config or the %_gpg_name RPM macro defined "
+                               "(e.g. in  ~/.oerpmmacros", d)
+    if d.getVar('GPG_BIN', True):
+        cmd += "--define '%%__gpg %s' " % d.getVar('GPG_BIN', True)
+    cmd += ' '.join(files)
+
+    # Need to use pexpect for feeding the passphrase
+    proc = pexpect.spawn(cmd)
+    try:
+        proc.expect_exact('Enter pass phrase:', timeout=15)
+        proc.sendline(passphrase)
+        proc.expect(pexpect.EOF, timeout=900)
+        proc.close()
+    except pexpect.TIMEOUT as err:
+        bb.debug('rpmsign timeout: %s' % err)
+        proc.terminate()
+    return proc.exitstatus
+
+
+python sign_rpm () {
+    import glob
+
+    rpm_gpg_pass_file = (d.getVar("RPM_GPG_PASSPHRASE_FILE", True) or "")
+    if rpm_gpg_pass_file:
+        with open(rpm_gpg_pass_file) as fobj:
+            rpm_gpg_passphrase = fobj.readlines()[0].rstrip('\n')
+    else:
+        raise_sanity_error("You need to define RPM_GPG_PASSPHRASE_FILE in the config", d)
+
+    rpm_gpg_name = (d.getVar("RPM_GPG_NAME", True) or "")
+
+    rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*')
+
+    if rpmsign_wrapper(d, rpms, rpm_gpg_passphrase, rpm_gpg_name) != 0:
+        raise bb.build.FuncFailed("RPM signing failed")
+}