Re: [PATCH 3/3] package_manager: support for signed RPM package feeds

[Markus Lehtonen <markus.lehtonen@linux.intel.com>]

Hi Mark,

On 26/08/15 18:10, "Mark Hatle" <mark.hatle@windriver.com> wrote:

>On 8/26/15 6:18 AM, Markus Lehtonen wrote:
>> This change makes it possible to create GPG signed RPM package feeds -
>> i.e. package feed with GPG signed metadata (repodata). All deployed RPM
>> repositories will be signed and the GPG public key is copied to the rpm
>> deployment directory.
>> 
>> In order to enable the new feature one needs to define four variables in
>> bitbake configuration.
>> 1. 'PACKAGE_FEED_SIGN = "1"' enabling the feature
>> 2. 'PACKAGE_FEED_GPG_NAME = "<key_id>"' defining the GPG key to use for
>>    signing
>> 3. 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "<path_to_file>"' pointing to a
>>    file containing the passphrase for the secret signing key
>> 4. 'PACKAGE_FEED_GPG_PUBKEY = "<path_to_pubkey>"' pointing to the
>>    corresponding public key (in "armor" format)
>> 
>> [YOCTO #8134]
>> 
>> Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
>> ---
>>  meta/lib/oe/package_manager.py | 24 ++++++++++++++++++++++--
>>  1 file changed, 22 insertions(+), 2 deletions(-)
>> 
>> diff --git a/meta/lib/oe/package_manager.py
>>b/meta/lib/oe/package_manager.py
>> index 753b3eb..5d7ef54 100644
>> --- a/meta/lib/oe/package_manager.py
>> +++ b/meta/lib/oe/package_manager.py
>> @@ -113,8 +113,15 @@ class RpmIndexer(Indexer):
>>              rpm_pubkey = self.d.getVar('RPM_GPG_PUBKEY', True)
>>          else:
>>              rpm_pubkey = None
>> +        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
>> +            pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME',
>>True)
>> +            pkgfeed_gpg_pass =
>>self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
>> +        else:
>> +            pkgfeed_gpg_name = None
>> +            pkgfeed_gpg_pass = None
>>  
>>          index_cmds = []
>> +        repo_sign_cmds = []
>>          key_import_cmds = []
>>          rpm_dirs_found = False
>>          for arch in archs:
>> @@ -126,10 +133,16 @@ class RpmIndexer(Indexer):
>>                  continue
>>  
>>              if rpm_pubkey:
>> -                key_import_cmds.append("%s --define '_dbpath %s'
>>--import %s" %
>> +                key_import_cmds.append("%s --dbpath '%s' --import %s" %
>>                                     (rpm_bin, dbpath, rpm_pubkey))
>>              index_cmds.append("%s --dbpath %s --update -q %s" % \
>>                               (rpm_createrepo, dbpath, arch_dir))
>> +            if pkgfeed_gpg_name:
>> +                repomd_file = os.path.join(arch_dir, 'repodata',
>>'repomd.xml')
>> +                gpg_cmd = "gpg2 --detach-sign --armor --batch --no-tty
>>--yes " \
>> +                          "--passphrase-file '%s' -u '%s' %s" % \
>> +                          (pkgfeed_gpg_pass, pkgfeed_gpg_name,
>>repomd_file)
>> +                repo_sign_cmds.append(gpg_cmd)
>
>I've had problems in the past hard coding 'gpg' or 'gpg2' as the name to
>use.
>
>Can we get this to be dynamic.. even if it's a system level define for
>what
>GPG/PGP program to use?

OK, I can introduce a new variable for defining this.


>Also I'd forgotten about it until there.  RPM has a similar variable to
>define
>the GPG program to use.  So using that variable (_signature) and
>defaulting to
>the same item would be a good idea.

I think this is not feasible as we're actually using the host's gpg(2)
here and rpm might not even be available.


Thanks,
   Markus



>(One such reason to do this is to write a wrapper that uses an alternative
>keychain for these keys....)
>
>>  
>>              rpm_dirs_found = True
>>  
>> @@ -145,10 +158,17 @@ class RpmIndexer(Indexer):
>>          result = oe.utils.multiprocess_exec(index_cmds, create_index)
>>          if result:
>>              bb.fatal('%s' % ('\n'.join(result)))
>> -        # Copy pubkey to repo
>> +        # Sign repomd
>> +        result = oe.utils.multiprocess_exec(repo_sign_cmds,
>>create_index)
>> +        if result:
>> +            bb.fatal('%s' % ('\n'.join(result)))
>> +        # Copy pubkey(s) to repo
>>          if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
>>              shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True),
>>                           os.path.join(self.deploy_dir,
>>'RPM-GPG-KEY-oe'))
>> +        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
>> +            shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY',
>>True),
>> +                         os.path.join(self.deploy_dir,
>>'REPODATA-GPG-KEY'))
>
>I didn't notice this before..  but we shouldn't hardcode RPM-GPG-KEY-oe,
>it
>should use a value such as 'DISTRO' to allow different distributions to
>have
>non-conflicting keys.  The repository keys I would think would be similar
>as
>well.. since you may have multiple repositories from different sources.
>So
>naming the key ending in -${DISTRO} might be a good idea there as well.
>(Extending it to ${DISTRO_VERSION} might be make sense... since these
>will be
>used for long-term upgradable systems.)
>
>--Mark
>
>>  
>>  
>>  class OpkgIndexer(Indexer):
>> 
>