Re: [PATCH 3/3] package_manager: support for signed RPM package feeds

[Mark Hatle <mark.hatle@windriver.com>]

On 8/26/15 11:27 PM, Markus Lehtonen wrote:
> Hi Mark,
> 
> On 26/08/15 18:10, "Mark Hatle" <mark.hatle@windriver.com> wrote:
> 
>> On 8/26/15 6:18 AM, Markus Lehtonen wrote:
>>> This change makes it possible to create GPG signed RPM package feeds -
>>> i.e. package feed with GPG signed metadata (repodata). All deployed RPM
>>> repositories will be signed and the GPG public key is copied to the rpm
>>> deployment directory.
>>>
>>> In order to enable the new feature one needs to define four variables in
>>> bitbake configuration.
>>> 1. 'PACKAGE_FEED_SIGN = "1"' enabling the feature
>>> 2. 'PACKAGE_FEED_GPG_NAME = "<key_id>"' defining the GPG key to use for
>>>    signing
>>> 3. 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "<path_to_file>"' pointing to a
>>>    file containing the passphrase for the secret signing key
>>> 4. 'PACKAGE_FEED_GPG_PUBKEY = "<path_to_pubkey>"' pointing to the
>>>    corresponding public key (in "armor" format)
>>>
>>> [YOCTO #8134]
>>>
>>> Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
>>> ---
>>>  meta/lib/oe/package_manager.py | 24 ++++++++++++++++++++++--
>>>  1 file changed, 22 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/meta/lib/oe/package_manager.py
>>> b/meta/lib/oe/package_manager.py
>>> index 753b3eb..5d7ef54 100644
>>> --- a/meta/lib/oe/package_manager.py
>>> +++ b/meta/lib/oe/package_manager.py
>>> @@ -113,8 +113,15 @@ class RpmIndexer(Indexer):
>>>              rpm_pubkey = self.d.getVar('RPM_GPG_PUBKEY', True)
>>>          else:
>>>              rpm_pubkey = None
>>> +        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
>>> +            pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME',
>>> True)
>>> +            pkgfeed_gpg_pass =
>>> self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
>>> +        else:
>>> +            pkgfeed_gpg_name = None
>>> +            pkgfeed_gpg_pass = None
>>>  
>>>          index_cmds = []
>>> +        repo_sign_cmds = []
>>>          key_import_cmds = []
>>>          rpm_dirs_found = False
>>>          for arch in archs:
>>> @@ -126,10 +133,16 @@ class RpmIndexer(Indexer):
>>>                  continue
>>>  
>>>              if rpm_pubkey:
>>> -                key_import_cmds.append("%s --define '_dbpath %s'
>>> --import %s" %
>>> +                key_import_cmds.append("%s --dbpath '%s' --import %s" %
>>>                                     (rpm_bin, dbpath, rpm_pubkey))
>>>              index_cmds.append("%s --dbpath %s --update -q %s" % \
>>>                               (rpm_createrepo, dbpath, arch_dir))
>>> +            if pkgfeed_gpg_name:
>>> +                repomd_file = os.path.join(arch_dir, 'repodata',
>>> 'repomd.xml')
>>> +                gpg_cmd = "gpg2 --detach-sign --armor --batch --no-tty
>>> --yes " \
>>> +                          "--passphrase-file '%s' -u '%s' %s" % \
>>> +                          (pkgfeed_gpg_pass, pkgfeed_gpg_name,
>>> repomd_file)
>>> +                repo_sign_cmds.append(gpg_cmd)
>>
>> I've had problems in the past hard coding 'gpg' or 'gpg2' as the name to
>> use.
>>
>> Can we get this to be dynamic.. even if it's a system level define for
>> what
>> GPG/PGP program to use?
> 
> OK, I can introduce a new variable for defining this.
> 
> 
>> Also I'd forgotten about it until there.  RPM has a similar variable to
>> define
>> the GPG program to use.  So using that variable (_signature) and
>> defaulting to
>> the same item would be a good idea.
> 
> I think this is not feasible as we're actually using the host's gpg(2)
> here and rpm might not even be available.

Sorry I listed the wrong variable..  What I was referring to was the gpg
program.  See below..

What I'm asking for is similar to the above of replacing:

gpg_cmd = "gpg2 --detach-sign --armor --batch --no-tty --yes "

with something like:

gpg_cmd = d.getVar("GPG", True) + "--detach-sign --armor --batch --no-tty --yes "

In the sections where you setup the RPM macros you would define signature in the
same way:

(patch 1/3)

    if gpg_name:
        cmd += "--define '%%_gpg_name %s' " % gpg_name

cmd += "--define '__gpg %s' --define '%%_gpg_name %s' " % (d.getVar("GPG",
True), gpg_name)

--Mark

> 
> Thanks,
>    Markus
> 
> 
> 
>> (One such reason to do this is to write a wrapper that uses an alternative
>> keychain for these keys....)
>>
>>>  
>>>              rpm_dirs_found = True
>>>  
>>> @@ -145,10 +158,17 @@ class RpmIndexer(Indexer):
>>>          result = oe.utils.multiprocess_exec(index_cmds, create_index)
>>>          if result:
>>>              bb.fatal('%s' % ('\n'.join(result)))
>>> -        # Copy pubkey to repo
>>> +        # Sign repomd
>>> +        result = oe.utils.multiprocess_exec(repo_sign_cmds,
>>> create_index)
>>> +        if result:
>>> +            bb.fatal('%s' % ('\n'.join(result)))
>>> +        # Copy pubkey(s) to repo
>>>          if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
>>>              shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True),
>>>                           os.path.join(self.deploy_dir,
>>> 'RPM-GPG-KEY-oe'))
>>> +        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
>>> +            shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY',
>>> True),
>>> +                         os.path.join(self.deploy_dir,
>>> 'REPODATA-GPG-KEY'))
>>
>> I didn't notice this before..  but we shouldn't hardcode RPM-GPG-KEY-oe,
>> it
>> should use a value such as 'DISTRO' to allow different distributions to
>> have
>> non-conflicting keys.  The repository keys I would think would be similar
>> as
>> well.. since you may have multiple repositories from different sources.
>> So
>> naming the key ending in -${DISTRO} might be a good idea there as well.
>> (Extending it to ${DISTRO_VERSION} might be make sense... since these
>> will be
>> used for long-term upgradable systems.)
>>
>> --Mark
>>
>>>  
>>>  
>>>  class OpkgIndexer(Indexer):
>>>
>>
> 
>