From: Markus Lehtonen <markus.lehtonen@linux.intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 1/3] package signing: do actual sanity checking in the signer class
Date: Fri, 5 Feb 2016 16:00:22 +0200 [thread overview]
Message-ID: <1454680824-26075-2-git-send-email-markus.lehtonen@linux.intel.com> (raw)
In-Reply-To: <1454680824-26075-1-git-send-email-markus.lehtonen@linux.intel.com>
The configuration needed for different signing backends may vary
(although we currently support only one backend). Thus, do the actual
sanity checking of the configuration there.
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
---
meta/classes/sign_package_feed.bbclass | 14 ++++++++++----
meta/classes/sign_rpm.bbclass | 14 ++++++++++----
meta/lib/oe/gpg_sign.py | 22 ++++++++++++++++++----
3 files changed, 38 insertions(+), 12 deletions(-)
diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass
index d5df8af..3f6ff2d 100644
--- a/meta/classes/sign_package_feed.bbclass
+++ b/meta/classes/sign_package_feed.bbclass
@@ -23,10 +23,16 @@ PACKAGE_FEED_GPG_BACKEND ?= 'local'
python () {
- # Check sanity of configuration
- for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'):
- if not d.getVar(var, True):
- raise_sanity_error("You need to define %s in the config" % var, d)
+ # Check sanity of config
+ from oe.gpg_sign import get_signer_class
+ signer = get_signer_class(d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
+ err_msg = signer.check_sanity(d,
+ d.getVar('PACKAGE_FEED_GPG_NAME', True),
+ d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
+ if err_msg:
+ raise_sanity_error(err_msg %{'keyid': 'PACKAGE_FEED_GPG_NAME',
+ 'passphrase_file': 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'},
+ d)
# Set expected location of the public key
d.setVar('PACKAGE_FEED_GPG_PUBKEY',
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
index 8bcabee..79dc517 100644
--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -22,10 +22,16 @@ RPM_GPG_BACKEND ?= 'local'
python () {
- # Check configuration
- for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE_FILE'):
- if not d.getVar(var, True):
- raise_sanity_error("You need to define %s in the config" % var, d)
+ # Check sanity of config
+ from oe.gpg_sign import get_signer_class
+ signer = get_signer_class(d.getVar('RPM_GPG_BACKEND', True))
+ err_msg = signer.check_sanity(d,
+ d.getVar('RPM_GPG_NAME', True),
+ d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
+ if err_msg:
+ raise_sanity_error(err_msg %{'keyid': 'RPM_GPG_NAME',
+ 'passphrase_file': 'RPM_GPG_PASSPHRASE_FILE'},
+ d)
# Set the expected location of the public key
d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 55abad8..8832ea9 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -14,6 +14,17 @@ class LocalSigner(object):
self.gpg_path = d.getVar('GPG_PATH', True)
self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm")
+ @classmethod
+ def check_sanity(cls, d, keyid, passphrase_file):
+ """(Pre-)check the sanity of a configuration"""
+ msg = ""
+ missing_vars = ['%(keyid)s'] if not keyid else []
+ if not passphrase_file:
+ missing_vars.append('%(passphrase_file)s')
+ if missing_vars:
+ msg += "You need to define " + ' and '.join(missing_vars) + " in the config."
+ return msg
+
def export_pubkey(self, output_file):
"""Export GPG public key to a file"""
cmd = '%s --batch --yes --export --armor -o %s ' % \
@@ -66,11 +77,14 @@ class LocalSigner(object):
(input_file, output))
-def get_signer(d, backend, keyid, passphrase_file):
- """Get signer object for the specified backend"""
- # Use local signing by default
+def get_signer_class(backend):
+ """Get signer class for the specified backend"""
if backend == 'local':
- return LocalSigner(d, keyid, passphrase_file)
+ return LocalSigner
else:
bb.fatal("Unsupported signing backend '%s'" % backend)
+
+def get_signer(d, backend, keyid, passphrase_file):
+ """Get signer object for the specified backend"""
+ return get_signer_class(backend)(keyid. passphrase_file)
--
2.6.2
next prev parent reply other threads:[~2016-02-05 14:00 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-05 14:00 [PATCH 0/3] signing: enhance sanity checking Markus Lehtonen
2016-02-05 14:00 ` Markus Lehtonen [this message]
2016-02-05 14:00 ` [PATCH 2/3] oe/gpg_sign: check for python-pexpect when using local signing Markus Lehtonen
2016-02-05 14:31 ` Burton, Ross
2016-02-08 10:52 ` Markus Lehtonen
2016-02-08 11:17 ` Ioan-Adrian Ratiu
2016-02-05 14:00 ` [PATCH 3/3] package signing: do sanity checking in an event handler Markus Lehtonen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1454680824-26075-2-git-send-email-markus.lehtonen@linux.intel.com \
--to=markus.lehtonen@linux.intel.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.