From 95b9ee33d5595078e90c633f6155ec9ba3d184f0 Mon Sep 17 00:00:00 2001 From: Lans Zhang Date: Tue, 11 Jul 2017 12:43:03 +0800 Subject: sign_rpm: support signing files in RPM payload Currently, RPM4 supports to sign the files in RPM payload with plugin mechanism. We introduce more definitions to make the file signing available for the users: - RPM_FILE_CHECKSUM_DIGEST Global switch to enable file signing. - RPM_FSK_PATH The file signing key. - RPM_FSK_PASSWORD The password of file signing key. - RPM_FILE_CHECKSUM_DIGEST The file checksum digest. Signed-off-by: Lans Zhang Signed-off-by: Ross Burton --- meta/lib/oe/gpg_sign.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'meta/lib') diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index c53df54a5b..f4d8b10e4b 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py @@ -27,7 +27,7 @@ class LocalSigner(object): raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' % (keyid, output)) - def sign_rpms(self, files, keyid, passphrase): + def sign_rpms(self, files, keyid, passphrase, digest, fsk=None, fsk_password=None): """Sign RPM files""" cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid @@ -35,10 +35,15 @@ class LocalSigner(object): if self.gpg_version > (2,1,): gpg_args += ' --pinentry-mode=loopback' cmd += "--define '_gpg_sign_cmd_extra_args %s' " % gpg_args + cmd += "--define '_binary_filedigest_algorithm %s' " % digest if self.gpg_bin: cmd += "--define '__gpg %s' " % self.gpg_bin if self.gpg_path: cmd += "--define '_gpg_path %s' " % self.gpg_path + if fsk: + cmd += "--signfiles --fskpath %s " % fsk + if fsk_password: + cmd += "--define '_file_signing_key_password %s' " % fsk_password # Sign in chunks of 100 packages for i in range(0, len(files), 100): -- cgit 1.2.3-korg