Openembedded Core Discussions
* [PATCH][RFC] sstate: implement basic signing/validation
From: Ross Burton @ 2015-08-25 16:47 UTC (permalink / raw)
  To: openembedded-core

To provide some element of integrity to sstate archives, allow sstate archives
to be GPG signed with a specified key (detached signature to a sidecar .sig
file), and verify the signatures when sstate archives are unpacked.

TODO: fetch .sig from remote sstate mirrors

Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 meta/classes/sstate.bbclass | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index 4e6afef..69145e5 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -54,6 +54,11 @@ EXTRA_STAGING_FIXMES ?= ""
 
 SIGGEN_LOCKEDSIGS_CHECK_LEVEL ?= 'error'
 
+# The GnuPG key ID to use to sign sstate archives (or unset to not sign)
+SSTATE_SIG_KEY ?= ""
+# Whether to verify the GnUPG signatures when extracting sstate archives
+SSTATE_VERIFY_SIG ?= "0"
+
 # Specify dirs in which the shell function is executed and don't use ${B}
 # as default dirs to avoid possible race about ${B} with other task.
 sstate_create_package[dirs] = "${SSTATE_BUILDDIR}"
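Review bot: there is no setting for which key a verified signature must come from, so the verification this hunk enables will accept a signature from any key in the invoking user's keyring; consider a third variable holding the trusted signer's fingerprint (or a dedicated keyring) that the verify step checks against, and note in the SSTATE_VERIFY_SIG comment that it defaults to off. Minor: the comment on that line misspells GnuPG as "GnUPG".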
@@ -298,6 +303,10 @@ def sstate_installpkg(ss, d):
     d.setVar('SSTATE_INSTDIR', sstateinst)
     d.setVar('SSTATE_PKG', sstatepkg)
 
+    if bb.utils.to_boolean(d.getVar("SSTATE_VERIFY_SIG", True), False):
+        if subprocess.call(["gpg", "--verify", sstatepkg + ".sig", sstatepkg]) != 0:
+            bb.warn("Cannot verify signature on sstate package %s" % sstatepkg)
+
     for f in (d.getVar('SSTATEPREINSTFUNCS', True) or '').split() + ['sstate_unpack_package'] + (d.getVar('SSTATEPOSTUNPACKFUNCS', True) or '').split():
         bb.build.exec_func(f, d)
 
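Review bot: a failed verification only calls bb.warn and then falls through to sstate_unpack_package, so with SSTATE_VERIFY_SIG enabled a tampered or unsigned archive is still installed; when the user asked for verification the failure should be fatal (bb.fatal, or raise so the caller falls back to building the package). The bare `gpg --verify` also only proves that some key in the keyring made the signature, not that it is the expected signer; running with `--batch --status-fd` and checking for a VALIDSIG line carrying the expected fingerprint closes that, and `--batch` stops gpg from stalling the build on a prompt. Two smaller points: `subprocess` needs to be imported in this scope, and since the .sig is not yet fetched from mirrors (the TODO in pstaging_fetch), every mirror-fetched package will currently trigger this warning.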
@@ -604,6 +613,7 @@ def pstaging_fetch(sstatefetch, sstatepkg, d):
 
     # Try a fetch from the sstate mirror, if it fails just return and
     # we will build the package
+    # TODO attempt to fetch (and silently handle) the .sig file
     for srcuri in ['file://{0}'.format(sstatefetch),
                    'file://{0}.siginfo'.format(sstatefetch)]:
         localdata.setVar('SRC_URI', srcuri)
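Review bot: until this TODO is done, every package obtained from a mirror fails verification whenever SSTATE_VERIFY_SIG is set, so it should be resolved before the option is advertised. The surrounding loop already fetches one sidecar ('file://{0}.siginfo'), so adding 'file://{0}.sig' to the same srcuri list is the natural place; "silently handle" should mean ignoring the absence only when verification is off, and treating it as a verification failure when it is on.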
@@ -665,6 +675,11 @@ sstate_create_package () {
 	chmod 0664 $TFILE 
 	mv -f $TFILE ${SSTATE_PKG}
 
+	if [ -n "${SSTATE_SIG_KEY}" ]; then
+		rm -f ${SSTATE_PKG}.sig
+		gpg --detach-sign --local-user ${SSTATE_SIG_KEY} --output ${SSTATE_PKG}.sig ${SSTATE_PKG}
+	fi
+
 	cd ${WORKDIR}
 	rm -rf ${SSTATE_BUILDDIR}
 }
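Review bot: the gpg exit status is not checked, so if signing fails (key not in keyring, agent not available) the package is published unsigned without any error; add `--batch` so gpg cannot block on a pinentry prompt, and fail the function (`|| bbfatal "..."`) when gpg returns non-zero. Quote "${SSTATE_PKG}" and "${SSTATE_SIG_KEY}" in the gpg invocation, and consider signing $TFILE before the `mv -f $TFILE ${SSTATE_PKG}` above so the archive and its .sig appear together rather than leaving a window in which the package exists unsigned.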
-- 
2.1.4
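A fail-closed verifier for the scheme this patch describes (detached .sig beside the sstate archive), added here as an illustration and not code from the patch or from OE-core: it parses gpg's machine-readable `--status-fd` output and accepts a package only when a VALIDSIG line names a pinned fingerprint, so a missing .sig, an unknown signer or a bad signature all reject instead of merely warning. `TRUSTED_SIGNER_FPR`, the function names and the sample status lines are assumptions constructed for the example.

```python
import subprocess

# Hypothetical pinned fingerprint (constructed placeholder, not a real key):
# only signatures made by this key are accepted.
TRUSTED_SIGNER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
# gpg status keywords that mean the signature must not be trusted.
REJECT_KEYWORDS = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY")

def evaluate_gpg_status(status_text, trusted_fpr):
    """Decide from gpg --status-fd output whether the pinned key signed the data."""
    seen_fprs = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT_KEYWORDS:
            return False, fields[1]
        if fields[1] == "VALIDSIG":
            # fields[2] is the signing (sub)key fingerprint; gpg appends the
            # primary key fingerprint as an extra trailing field when known.
            seen_fprs.append(fields[2].upper())
            if len(fields) > 11:
                seen_fprs.append(fields[11].upper())
    if trusted_fpr.upper() in seen_fprs:
        return True, "VALIDSIG"
    if seen_fprs:
        return False, "UNTRUSTED_KEY"   # good signature, but not the pinned key
    return False, "NO_VALIDSIG"         # missing/unreadable .sig or gpg error

def verify_sstate_package(sstatepkg, trusted_fpr=TRUSTED_SIGNER_FPR):
    """Verify sstatepkg against its sidecar .sig; any error rejects the package."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify",
           sstatepkg + ".sig", sstatepkg]
    try:
        proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, universal_newlines=True)
        out, _ = proc.communicate()
    except OSError as exc:
        return False, "GPG_UNAVAILABLE: %s" % exc
    return evaluate_gpg_status(out, trusted_fpr)

# Constructed sample of the status lines gpg emits for a good signature by
# the pinned key, so the decision logic can be exercised without running gpg.
SAMPLE_GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Sample Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-08-25 "
    "1440521220 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
```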

* Re: [PATCH][RFC] sstate: implement basic signing/validation
From: Richard Purdie @ 2015-08-25 20:52 UTC (permalink / raw)
  To: Ross Burton; +Cc: openembedded-core

On Tue, 2015-08-25 at 17:47 +0100, Ross Burton wrote:
> To provide some element of integrity to sstate archives, allow sstate archives
> to be GPG signed with a specified key (detached signature to a sidecar .sig
> file), and verify the signatures when sstate archives are unpacked.

Some random thoughts. We could add the signature into the tarball using
something like the --use-compress-program option (see
https://www.gnu.org/software/tar/manual/html_chapter/tar_8.html and the
gpg references). That would mean we have one less separate file to worry
about.

Not sure which approach I prefer, just putting the idea out there...

> TODO: fetch .sig from remote sstate mirrors

We do something similar for siginfo already FWIW.

> Signed-off-by: Ross Burton <ross.burton@intel.com>

I'd also probably make these callable functions, then others can
override them and use them as hooks if they want to.

Cheers,

Richard

* Re: [PATCH][RFC] sstate: implement basic signing/validation
From: Burton, Ross @ 2015-08-25 20:55 UTC (permalink / raw)
  To: Richard Purdie; +Cc: OE-core

On 25 August 2015 at 21:52, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> Some random thoughts. We could add the signature into the tarball using
> something like the --use-compress-program option  (see
> https://www.gnu.org/software/tar/manual/html_chapter/tar_8.html and the
> gpg references). That would mean we have one less separate file to worry
> about.
>
> Not sure which approach I prefer, just putting the idea out there...

Or alternatively stash the signature in the siginfo as another field in the
data store.

Still not sure what I prefer either!

> I'd also probably make these callable functions, then others can
> override them and use them as hooks if they want to.

FWIW, initially they were functions in the pre-extract and post-create
functions, but error handling disappears that way and instead of shouting
"signature verification failed" it just says that "an error occurred". I
can still factor them out but call them directly.

Ross
