summaryrefslogtreecommitdiffstats
path: root/meta/lib/oe
diff options
context:
space:
mode:
authorIoan-Adrian Ratiu <adrian.ratiu@ni.com>2016-03-10 12:02:55 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-03-11 16:50:27 +0000
commita40f27aa7802e8a0bd87a5417e35adbface62d05 (patch)
treeb4b2dbb79f30970216735fb373efeee4cf8bf6d9 /meta/lib/oe
parentc885b44480b14554c8835e114a2e5469a82f0598 (diff)
downloadopenembedded-core-a40f27aa7802e8a0bd87a5417e35adbface62d05.tar.gz
openembedded-core-a40f27aa7802e8a0bd87a5417e35adbface62d05.tar.bz2
openembedded-core-a40f27aa7802e8a0bd87a5417e35adbface62d05.zip
gpg_sign: add local ipk package signing functionality
Implement ipk signing inside the sign_ipk bbclass using the gpg_sign module and configure signing similar to how rpm does it. sign_ipk uses gpg_sign's detach_sign because its functionality is identical to package feed signing. IPK signing process is a bit different from rpm: - Signatures are stored outside ipk files; opkg connects to a feed server and downloads them to verify a package. - Signatures are of two types (both supported by opkg): binary or ascii armoured. By default we sign using ascii armoured. - Public keys are stored on targets to verify ipks using the opkg-keyrings recipe. Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib/oe')
-rw-r--r--meta/lib/oe/gpg_sign.py38
1 files changed, 26 insertions, 12 deletions
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index ada1b2f408..059381d5e3 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -50,6 +50,7 @@ class LocalSigner(object):
bb.error('rpmsign failed: %s' % proc.before.strip())
raise bb.build.FuncFailed("Failed to sign RPM packages")
+
def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True):
"""Create a detached signature of a file"""
import subprocess
@@ -58,22 +59,35 @@ class LocalSigner(object):
raise Exception("You should use either passphrase_file of passphrase, not both")
cmd = [self.gpg_bin, '--detach-sign', '--batch', '--no-tty', '--yes',
- '-u', keyid]
- if passphrase_file:
- cmd += ['--passphrase-file', passphrase_file]
- else:
- cmd += ['--passphrase-fd', '0']
+ '--passphrase-fd', '0', '-u', keyid]
+
if self.gpg_path:
cmd += ['--homedir', self.gpg_path]
if armor:
cmd += ['--armor']
- cmd.append(input_file)
- job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
- stderr=subprocess.PIPE)
- _, stderr = job.communicate(passphrase)
- if job.returncode:
- raise bb.build.FuncFailed("Failed to create signature for '%s': %s" %
- (input_file, stderr))
+
+ cmd += [input_file]
+
+ try:
+ if passphrase_file:
+ with open(passphrase_file) as fobj:
+ passphrase = fobj.readline();
+
+ job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
+ (_, stderr) = job.communicate(passphrase)
+
+ if job.returncode:
+ raise bb.build.FuncFailed("GPG exited with code %d: %s" %
+ (job.returncode, stderr))
+
+ except IOError as e:
+ bb.error("IO error (%s): %s" % (e.errno, e.strerror))
+ raise Exception("Failed to sign '%s'" % input_file)
+
+ except OSError as e:
+ bb.error("OS error (%s): %s" % (e.errno, e.strerror))
+ raise Exception("Failed to sign '%s" % input_file)
+
def verify(self, sig_file):
"""Verify signature"""