* [PATCH 0/3] signing: enhance sanity checking
@ 2016-02-05 14:00 Markus Lehtonen
2016-02-05 14:00 ` [PATCH 1/3] package signing: do actual sanity checking in the signer class Markus Lehtonen
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Markus Lehtonen @ 2016-02-05 14:00 UTC (permalink / raw)
To: openembedded-core
This patchset contains changes that should make sanity checking of rpm and package feed
signing more sane.
The following changes since commit 11a6227759515da433230eb44eca1a4cb2ac3b14:
e2fsprogs: Ensure we use the right mke2fs.conf when restoring from sstate (2016-02-05 11:16:20 +0000)
are available in the git repository at:
git://git.openembedded.org/openembedded-core-contrib marquiz/rpmsign
for you to fetch changes up to 643834ad064be34e2ad4218b436420cd5a1bc520:
package signing: do sanity checking in an event handler (2016-02-05 15:32:29 +0200)
Markus Lehtonen (3):
package signing: do actual sanity checking in the signer class
oe/gpg_sign: check for python-pexpect when using local signing
package signing: do sanity checking in an event handler
meta/classes/sign_package_feed.bbclass | 22 +++++++++++++++++-----
meta/classes/sign_rpm.bbclass | 22 +++++++++++++++++-----
meta/lib/oe/gpg_sign.py | 26 ++++++++++++++++++++++----
3 files changed, 56 insertions(+), 14 deletions(-)
--
2.6.2
* [PATCH 1/3] package signing: do actual sanity checking in the signer class
From: Markus Lehtonen @ 2016-02-05 14:00 UTC (permalink / raw)
To: openembedded-core
The configuration needed for different signing backends may vary
(although we currently support only one backend). Thus, do the actual
sanity checking of the configuration there.
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
---
meta/classes/sign_package_feed.bbclass | 14 ++++++++++----
meta/classes/sign_rpm.bbclass | 14 ++++++++++----
meta/lib/oe/gpg_sign.py | 22 ++++++++++++++++++----
3 files changed, 38 insertions(+), 12 deletions(-)
diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass
index d5df8af..3f6ff2d 100644
--- a/meta/classes/sign_package_feed.bbclass
+++ b/meta/classes/sign_package_feed.bbclass
@@ -23,10 +23,16 @@ PACKAGE_FEED_GPG_BACKEND ?= 'local'
python () {
- # Check sanity of configuration
- for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'):
- if not d.getVar(var, True):
- raise_sanity_error("You need to define %s in the config" % var, d)
+ # Check sanity of config
+ from oe.gpg_sign import get_signer_class
+ signer = get_signer_class(d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
+ err_msg = signer.check_sanity(d,
+ d.getVar('PACKAGE_FEED_GPG_NAME', True),
+ d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
+ if err_msg:
+ raise_sanity_error(err_msg %{'keyid': 'PACKAGE_FEED_GPG_NAME',
+ 'passphrase_file': 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'},
+ d)
# Set expected location of the public key
d.setVar('PACKAGE_FEED_GPG_PUBKEY',
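Review bot: an unsupported PACKAGE_FEED_GPG_BACKEND value is not reported through raise_sanity_error() here, because get_signer_class() (in the gpg_sign.py part of this patch) calls bb.fatal() for it before check_sanity() is ever reached. If the intent is for all signing misconfiguration to surface as sanity errors, handle the unknown-backend case in this block as well. Minor style point: `err_msg %{` reads better as `err_msg % {`.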
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
index 8bcabee..79dc517 100644
--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -22,10 +22,16 @@ RPM_GPG_BACKEND ?= 'local'
python () {
- # Check configuration
- for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE_FILE'):
- if not d.getVar(var, True):
- raise_sanity_error("You need to define %s in the config" % var, d)
+ # Check sanity of config
+ from oe.gpg_sign import get_signer_class
+ signer = get_signer_class(d.getVar('RPM_GPG_BACKEND', True))
+ err_msg = signer.check_sanity(d,
+ d.getVar('RPM_GPG_NAME', True),
+ d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
+ if err_msg:
+ raise_sanity_error(err_msg %{'keyid': 'RPM_GPG_NAME',
+ 'passphrase_file': 'RPM_GPG_PASSPHRASE_FILE'},
+ d)
# Set the expected location of the public key
d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
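Review bot: this block is a copy of the one added to sign_package_feed.bbclass with only the RPM_ variable prefix changed, so any later fix has to be made in two places. Consider a small helper in oe.gpg_sign that takes the backend, key-id and passphrase-file variable names and returns the formatted error, leaving each class with a single call.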
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 55abad8..8832ea9 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -14,6 +14,17 @@ class LocalSigner(object):
self.gpg_path = d.getVar('GPG_PATH', True)
self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm")
+ @classmethod
+ def check_sanity(cls, d, keyid, passphrase_file):
+ """(Pre-)check the sanity of a configuration"""
+ msg = ""
+ missing_vars = ['%(keyid)s'] if not keyid else []
+ if not passphrase_file:
+ missing_vars.append('%(passphrase_file)s')
+ if missing_vars:
+ msg += "You need to define " + ' and '.join(missing_vars) + " in the config."
+ return msg
+
def export_pubkey(self, output_file):
"""Export GPG public key to a file"""
cmd = '%s --batch --yes --export --armor -o %s ' % \
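Review bot: the check_sanity() docstring does not say that the returned string is a %-format template whose %(keyid)s and %(passphrase_file)s placeholders the caller must fill in with variable names. A future backend that returns a plain message containing a literal % would break the `err_msg % {...}` call in the bbclasses. Document the return contract (empty string means the configuration is fine), and note that the `d` argument is unused in this implementation.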
@@ -66,11 +77,14 @@ class LocalSigner(object):
(input_file, output))
-def get_signer(d, backend, keyid, passphrase_file):
- """Get signer object for the specified backend"""
- # Use local signing by default
+def get_signer_class(backend):
+ """Get signer class for the specified backend"""
if backend == 'local':
- return LocalSigner(d, keyid, passphrase_file)
+ return LocalSigner
else:
bb.fatal("Unsupported signing backend '%s'" % backend)
+
+def get_signer(d, backend, keyid, passphrase_file):
+ """Get signer object for the specified backend"""
+ return get_signer_class(backend)(keyid. passphrase_file)
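Review bot: in the new get_signer(), `get_signer_class(backend)(keyid. passphrase_file)` has a period where a comma is needed and drops the `d` argument, so it is evaluated as an attribute lookup keyid.passphrase_file and fails at runtime. The removed line constructed the signer as LocalSigner(d, keyid, passphrase_file); the call should pass the same three arguments, i.e. get_signer_class(backend)(d, keyid, passphrase_file).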
--
2.6.2
* [PATCH 2/3] oe/gpg_sign: check for python-pexpect when using local signing
From: Markus Lehtonen @ 2016-02-05 14:00 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
---
meta/lib/oe/gpg_sign.py | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 8832ea9..ea35564 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -17,13 +17,17 @@ class LocalSigner(object):
@classmethod
def check_sanity(cls, d, keyid, passphrase_file):
"""(Pre-)check the sanity of a configuration"""
- msg = ""
+ msgs = []
+ try:
+ import pexpect
+ except ImportError:
+ msgs.append("Please install python-pexpect that is needed by lcocal gpg signing.")
missing_vars = ['%(keyid)s'] if not keyid else []
if not passphrase_file:
missing_vars.append('%(passphrase_file)s')
if missing_vars:
- msg += "You need to define " + ' and '.join(missing_vars) + " in the config."
- return msg
+ msgs.append("You need to define " + ' and '.join(missing_vars) + " in the config.")
+ return ' '.join(msgs)
def export_pubkey(self, output_file):
"""Export GPG public key to a file"""
--
2.6.2
* [PATCH 3/3] package signing: do sanity checking in an event handler
From: Markus Lehtonen @ 2016-02-05 14:00 UTC (permalink / raw)
To: openembedded-core
This way, one does not get a ton of identical error messages. But, only
one error message before all the recipes are parsed.
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
---
meta/classes/sign_package_feed.bbclass | 26 ++++++++++++++++----------
meta/classes/sign_rpm.bbclass | 26 ++++++++++++++++----------
2 files changed, 32 insertions(+), 20 deletions(-)
diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass
index 3f6ff2d..5170562 100644
--- a/meta/classes/sign_package_feed.bbclass
+++ b/meta/classes/sign_package_feed.bbclass
@@ -22,18 +22,24 @@ PACKAGE_FEED_SIGN = '1'
PACKAGE_FEED_GPG_BACKEND ?= 'local'
-python () {
+addhandler sign_package_feed_eventhandler
+sign_package_feed_eventhandler[eventmask] = "bb.event.SanityCheck"
+python sign_package_feed_eventhandler() {
# Check sanity of config
- from oe.gpg_sign import get_signer_class
- signer = get_signer_class(d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
- err_msg = signer.check_sanity(d,
- d.getVar('PACKAGE_FEED_GPG_NAME', True),
- d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
- if err_msg:
- raise_sanity_error(err_msg %{'keyid': 'PACKAGE_FEED_GPG_NAME',
- 'passphrase_file': 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'},
- d)
+ if bb.event.getName(e) == "SanityCheck":
+ from oe.gpg_sign import get_signer_class
+ d = e.data
+ signer = get_signer_class(d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
+ err_msg = signer.check_sanity(d,
+ d.getVar('PACKAGE_FEED_GPG_NAME', True),
+ d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
+ if err_msg:
+ raise_sanity_error(err_msg %{'keyid': 'PACKAGE_FEED_GPG_NAME',
+ 'passphrase_file': 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'},
+ d)
+}
+python () {
# Set expected location of the public key
d.setVar('PACKAGE_FEED_GPG_PUBKEY',
os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
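Review bot: the `if bb.event.getName(e) == "SanityCheck":` guard looks redundant, since the handler's eventmask set two lines above already restricts it to bb.event.SanityCheck; dropping it removes one indentation level from the whole body. A comment above addhandler stating why the check lives in an event handler rather than in the anonymous python function (one error instead of one per recipe) would also help, as that reasoning is only in the commit message.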
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
index 79dc517..47a8378 100644
--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -21,18 +21,24 @@ RPM_SIGN_PACKAGES='1'
RPM_GPG_BACKEND ?= 'local'
-python () {
+addhandler sign_rpm_eventhandler
+sign_rpm_eventhandler[eventmask] = "bb.event.SanityCheck"
+python sign_rpm_eventhandler() {
# Check sanity of config
- from oe.gpg_sign import get_signer_class
- signer = get_signer_class(d.getVar('RPM_GPG_BACKEND', True))
- err_msg = signer.check_sanity(d,
- d.getVar('RPM_GPG_NAME', True),
- d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
- if err_msg:
- raise_sanity_error(err_msg %{'keyid': 'RPM_GPG_NAME',
- 'passphrase_file': 'RPM_GPG_PASSPHRASE_FILE'},
- d)
+ if bb.event.getName(e) == "SanityCheck":
+ from oe.gpg_sign import get_signer_class
+ d = e.data
+ signer = get_signer_class(d.getVar('RPM_GPG_BACKEND', True))
+ err_msg = signer.check_sanity(d,
+ d.getVar('RPM_GPG_NAME', True),
+ d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
+ if err_msg:
+ raise_sanity_error(err_msg %{'keyid': 'RPM_GPG_NAME',
+ 'passphrase_file': 'RPM_GPG_PASSPHRASE_FILE'},
+ d)
+}
+python () {
# Set the expected location of the public key
d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
'RPM-GPG-PUBKEY'))
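Review bot: sign_rpm_eventhandler is line for line the same as sign_package_feed_eventhandler apart from the RPM_ prefix, including the getName() guard that the eventmask already covers. A shared function taking the three variable names would keep the two classes from drifting apart.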
--
2.6.2
* Re: [PATCH 2/3] oe/gpg_sign: check for python-pexpect when using local signing
From: Burton, Ross @ 2016-02-05 14:31 UTC (permalink / raw)
To: Markus Lehtonen; +Cc: OE-core
On 5 February 2016 at 14:00, Markus Lehtonen <
markus.lehtonen@linux.intel.com> wrote:
> + msgs.append("Please install python-pexpect that is needed by
> lcocal gpg signing.")
>
Isn't this only needed if signing RPMs? Hopefully in the future this class
will be used for more than RPM signing and detached signing doesn't need
pexpect.
Also, typo in "local".
Ross
* Re: [PATCH 2/3] oe/gpg_sign: check for python-pexpect when using local signing
From: Markus Lehtonen @ 2016-02-08 10:52 UTC (permalink / raw)
To: Burton, Ross; +Cc: OE-core
On Fri, 2016-02-05 at 14:31 +0000, Burton, Ross wrote:
>
> On 5 February 2016 at 14:00, Markus Lehtonen <
> markus.lehtonen@linux.intel.com> wrote:
> > + msgs.append("Please install python-pexpect that is
> > needed by lcocal gpg signing.")
> >
> Isn't this only needed if signing RPMs? Hopefully in the future this
> class will be used for more than RPM signing and detached signing
> doesn't need pexpect.
Yes, that is true. Any suggestions how to change this? Just try
ImportError in sign_rpms() and fail there(?)
> Also, typo in "local".
Typo fixed (and commit message modified) in my contrib repo:
git://git.openembedded.org/openembedded-core-contrib marquiz/rpmsign
Thanks,
Markus
* Re: [PATCH 2/3] oe/gpg_sign: check for python-pexpect when using local signing
From: Ioan-Adrian Ratiu @ 2016-02-08 11:17 UTC (permalink / raw)
To: Markus Lehtonen; +Cc: OE-core
Hello
On Mon, 8 Feb 2016 12:52:39 +0200
Markus Lehtonen <markus.lehtonen@linux.intel.com> wrote:
> On Fri, 2016-02-05 at 14:31 +0000, Burton, Ross wrote:
> >
> > On 5 February 2016 at 14:00, Markus Lehtonen <
> > markus.lehtonen@linux.intel.com> wrote:
> > > + msgs.append("Please install python-pexpect that is
> > > needed by lcocal gpg signing.")
> > >
> > Isn't this only needed if signing RPMs? Hopefully in the future this
> > class will be used for more than RPM signing and detached signing
> > doesn't need pexpect.
> Yes, that is true. Any suggestions how to change this? Just try
> ImportError in sign_rpms() and fail there(?)
I'm using "from subprocess import Popen" for ipk signing. Isn't it by default included as opposed to python-pexpect?
We could use that.
I'll try to update today or tomorrow the patches for ipk signing to use the gpg backend and I'll resubmit them.
> > Also, typo in "local".
> Typo fixed (and commit message modified) in my contrib repo:
> git://git.openembedded.org/openembedded-core-contrib marquiz/rpmsign
>
>
> Thanks,
> Markus