Openembedded Core Discussions
* [PATCH v4 0/3] IPK signing for gpg_sign module
@ 2016-02-09 14:22 Ioan-Adrian Ratiu
  2016-02-09 14:22 ` [PATCH v4 1/3] gpg_sign: add support for gpg signature types Ioan-Adrian Ratiu
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Ioan-Adrian Ratiu @ 2016-02-09 14:22 UTC (permalink / raw)
  To: openembedded-core

v4 of this patch series is a complete refactoring of the IPK signing
logic on top of the gpg_sign module. It extends the module to add
support for both ascii armored and binary signatures, ipk package
signing and opkg package feed signing.

Ioan-Adrian Ratiu (3):
  gpg_sign: add support for gpg signature types
  gpg_sign: add local ipk package signing functionality
  package_manager: sign IPK package feeds

 meta/classes/package_ipk.bbclass       |  6 ++++
 meta/classes/sign_ipk.bbclass          | 53 ++++++++++++++++++++++++++++++++++
 meta/classes/sign_package_feed.bbclass | 10 ++++++-
 meta/classes/sign_rpm.bbclass          | 12 +++++++-
 meta/lib/oe/gpg_sign.py                | 51 +++++++++++++++++++++++++++++---
 meta/lib/oe/package_manager.py         | 19 ++++++++++--
 meta/recipes-core/meta/signing-keys.bb |  6 ++--
 7 files changed, 146 insertions(+), 11 deletions(-)
 create mode 100644 meta/classes/sign_ipk.bbclass

-- 
2.7.0




* [PATCH v4 1/3] gpg_sign: add support for gpg signature types
  2016-02-09 14:22 [PATCH v4 0/3] IPK signing for gpg_sign module Ioan-Adrian Ratiu
@ 2016-02-09 14:22 ` Ioan-Adrian Ratiu
  2016-02-16 11:54   ` Burton, Ross
  2016-02-09 14:22 ` [PATCH v4 2/3] gpg_sign: add local ipk package signing functionality Ioan-Adrian Ratiu
  2016-02-09 14:22 ` [PATCH v4 3/3] package_manager: sign IPK package feeds Ioan-Adrian Ratiu
  2 siblings, 1 reply; 6+ messages in thread
From: Ioan-Adrian Ratiu @ 2016-02-09 14:22 UTC (permalink / raw)
  To: openembedded-core

ASC = ascii armoured, BIN = binary

Create new variables + parameters to the gpg signer module to specify
which type of gpg signature to generate (ASC or BIN).

The rpm backend has already implemented signatures which default to
binary, so its behaviour is unchanged by this.

Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
---
 meta/classes/sign_package_feed.bbclass | 10 +++++++++-
 meta/classes/sign_rpm.bbclass          | 12 +++++++++++-
 meta/lib/oe/gpg_sign.py                | 13 +++++++++----
 meta/lib/oe/package_manager.py         |  3 ++-
 meta/recipes-core/meta/signing-keys.bb |  6 ++++--
 5 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass
index d5df8af..4e703f2 100644
--- a/meta/classes/sign_package_feed.bbclass
+++ b/meta/classes/sign_package_feed.bbclass
@@ -10,6 +10,10 @@
 #           Optional variable for specifying the backend to use for signing.
 #           Currently the only available option is 'local', i.e. local signing
 #           on the build host.
+# PACKAGE_FEED_GPG_SIGNATURE_TYPE
+#           Optional variable for specifying the type of gpg signature, can be:
+#               1. Ascii armored (ASC), default if not set
+#               2. Binary (BIN)
 # GPG_BIN
 #           Optional variable for specifying the gpg binary/wrapper to use for
 #           signing.
@@ -20,7 +24,7 @@ inherit sanity
 
 PACKAGE_FEED_SIGN = '1'
 PACKAGE_FEED_GPG_BACKEND ?= 'local'
-
+PACKAGE_FEED_GPG_SIGNATURE_TYPE ?= 'ASC'
 
 python () {
     # Check sanity of configuration
@@ -28,6 +32,10 @@ python () {
         if not d.getVar(var, True):
             raise_sanity_error("You need to define %s in the config" % var, d)
 
+    sigtype = d.getVar("PACKAGE_FEED_GPG_SIGNATURE_TYPE", True)
+    if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
+        raise_sanity_error("Bad value for PACKAGE_FEED_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype)
+
     # Set expected location of the public key
     d.setVar('PACKAGE_FEED_GPG_PUBKEY',
              os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
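Review bot: the new raise_sanity_error call in this hunk drops the trailing `d` argument that the existing call two lines above passes (`raise_sanity_error("You need to define %s in the config" % var, d)`), so a bad PACKAGE_FEED_GPG_SIGNATURE_TYPE will fail with a TypeError from the helper instead of the intended sanity message. Suggest `raise_sanity_error("Bad value for PACKAGE_FEED_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype, d)`. The same omission is repeated in sign_rpm.bbclass and, in 2/3, sign_ipk.bbclass.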
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
index 8bcabee..840b6ca 100644
--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -9,6 +9,10 @@
 #           Optional variable for specifying the backend to use for signing.
 #           Currently the only available option is 'local', i.e. local signing
 #           on the build host.
+# RPM_GPG_SIGNATURE_TYPE
+#           Optional variable for specifying the type of gpg signatures, can be:
+#                     1. Ascii armored (ASC), default if not set
+#                     2. Binary (BIN)
 # GPG_BIN
 #           Optional variable for specifying the gpg binary/wrapper to use for
 #           signing.
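Review bot: the comment block in this hunk says ASC is the "default if not set", but the default assigned in the following hunk is `RPM_GPG_SIGNATURE_TYPE ?= 'BIN'` (which is what the commit message promises: rpm behaviour unchanged). Fix the comment so the documented default is binary for rpm.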
@@ -19,6 +23,7 @@ inherit sanity
 
 RPM_SIGN_PACKAGES='1'
 RPM_GPG_BACKEND ?= 'local'
+RPM_GPG_SIGNATURE_TYPE ?= 'BIN'
 
 
 python () {
@@ -27,6 +32,10 @@ python () {
         if not d.getVar(var, True):
             raise_sanity_error("You need to define %s in the config" % var, d)
 
+    sigtype = d.getVar("RPM_GPG_SIGNATURE_TYPE", True)
+    if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
+        raise_sanity_error("Bad value for RPM_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype)
+
     # Set the expected location of the public key
     d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
                                             'RPM-GPG-PUBKEY'))
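Review bot: same missing `d` argument to raise_sanity_error as in sign_package_feed.bbclass; the existing call above in this hunk passes it. Suggest `raise_sanity_error("Bad value for RPM_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype, d)`.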
@@ -39,7 +48,8 @@ python sign_rpm () {
     signer = get_signer(d,
                         d.getVar('RPM_GPG_BACKEND', True),
                         d.getVar('RPM_GPG_NAME', True),
-                        d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
+                        d.getVar('RPM_GPG_PASSPHRASE_FILE', True),
+                        d.getVar('RPM_GPG_SIGNATURE_TYPE', True))
     rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*')
 
     signer.sign_rpms(rpms)
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 55abad8..d971d32 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -6,9 +6,10 @@ import oe.utils
 
 class LocalSigner(object):
     """Class for handling local (on the build host) signing"""
-    def __init__(self, d, keyid, passphrase_file):
+    def __init__(self, d, keyid, passphrase_file, signature_type):
         self.keyid = keyid
         self.passphrase_file = passphrase_file
+        self.gpg_sig_type = signature_type
         self.gpg_bin = d.getVar('GPG_BIN', True) or \
                   bb.utils.which(os.getenv('PATH'), 'gpg')
         self.gpg_path = d.getVar('GPG_PATH', True)
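Review bot: `self.gpg_sig_type = signature_type` stores the configured value verbatim, but the bbclass sanity checks accept it case-insensitively via `sigtype.upper()`, while every comparison in this class is an exact `== "ASC"`; a value such as `asc` passes the check and silently produces binary output. Normalise once here (for example `self.gpg_sig_type = (signature_type or 'BIN').upper()`), which also gives `None` a defined meaning: signing-keys.bb in this same patch hands over PACKAGE_FEED_GPG_SIGNATURE_TYPE, which is unset unless sign_package_feed is inherited.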
@@ -16,10 +17,12 @@ class LocalSigner(object):
 
     def export_pubkey(self, output_file):
         """Export GPG public key to a file"""
-        cmd = '%s --batch --yes --export --armor -o %s ' % \
+        cmd = '%s --batch --yes --export -o %s ' % \
                 (self.gpg_bin, output_file)
         if self.gpg_path:
             cmd += "--homedir %s " % self.gpg_path
+        if self.gpg_sig_type == "ASC":
+            cmd += "-a "
         cmd += self.keyid
         status, output = oe.utils.getstatusoutput(cmd)
         if status:
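Review bot: this hunk couples the public key export format to the signature type. `--armor` was unconditional before; now the key is exported in binary form whenever the type is not exactly "ASC", which includes the rpm default of BIN and the `None` case noted above, so existing consumers of RPM-GPG-PUBKEY that were written against an armored key will see a different file. Armoring a detached signature and armoring an exported public key are separate decisions; consider keeping `--armor` unconditional here, or introduce a separate variable for the key export format and check the consumers of RPM-GPG-PUBKEY and PACKAGE_FEED_GPG_PUBKEY before changing it.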
@@ -59,6 +62,8 @@ class LocalSigner(object):
                   (self.gpg_bin, self.passphrase_file, self.keyid)
         if self.gpg_path:
             gpg_cmd += "--homedir %s " % self.gpg_path
+        if self.gpg_sig_type == "ASC":
+            cmd += "-a "
         cmd += input_file
         status, output = oe.utils.getstatusoutput(cmd)
         if status:
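Review bot: the `-a` added in this hunk is redundant, because the base command of detach_sign already contains `--armor` (see the context line in 2/3: `cmd = "%s --detach-sign --armor --batch --no-tty --yes "`), so selecting BIN still yields an armored signature. Remove `--armor` from the base string so this conditional actually controls the format. While here: the context line `gpg_cmd += "--homedir %s " % self.gpg_path` appends to a different variable than the `cmd` the function executes (`cmd += input_file`), so `--homedir` is never passed for detached signatures; that looks like a pre-existing bug worth fixing in this series.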
@@ -66,11 +71,11 @@ class LocalSigner(object):
                                       (input_file, output))
 
 
-def get_signer(d, backend, keyid, passphrase_file):
+def get_signer(d, backend, keyid, passphrase_file, signature_type):
     """Get signer object for the specified backend"""
     # Use local signing by default
     if backend == 'local':
-        return LocalSigner(d, keyid, passphrase_file)
+        return LocalSigner(d, keyid, passphrase_file, signature_type)
     else:
         bb.fatal("Unsupported signing backend '%s'" % backend)
 
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index 26f6466..7ea523a 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -113,7 +113,8 @@ class RpmIndexer(Indexer):
             signer = get_signer(self.d,
                                 self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
                                 self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
-                                self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
+                                self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True),
+                                self.d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE', True))
         else:
             signer = None
         index_cmds = []
diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb
index d7aa79d..82c8c59 100644
--- a/meta/recipes-core/meta/signing-keys.bb
+++ b/meta/recipes-core/meta/signing-keys.bb
@@ -29,7 +29,8 @@ python do_export_public_keys () {
         signer = get_signer(d,
                             d.getVar('RPM_GPG_BACKEND', True),
                             d.getVar('RPM_GPG_NAME', True),
-                            d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
+                            d.getVar('RPM_GPG_PASSPHRASE_FILE', True),
+                            d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE', True))
         signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True))
 
     if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
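Review bot: the rpm branch of do_export_public_keys passes `d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE', True)` while the other three arguments come from `RPM_GPG_*`; this should be `d.getVar('RPM_GPG_SIGNATURE_TYPE', True)`. As written, when only sign_rpm is inherited the variable is unset and `None` is handed to LocalSigner, and when both classes are inherited the rpm key export follows the feed's setting rather than rpm's.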
@@ -37,7 +38,8 @@ python do_export_public_keys () {
         signer = get_signer(d,
                             d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
                             d.getVar('PACKAGE_FEED_GPG_NAME', True),
-                            d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
+                            d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True),
+                            d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE', True))
         signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
 }
 addtask do_export_public_keys before do_build
-- 
2.7.0




* [PATCH v4 2/3] gpg_sign: add local ipk package signing functionality
  2016-02-09 14:22 [PATCH v4 0/3] IPK signing for gpg_sign module Ioan-Adrian Ratiu
  2016-02-09 14:22 ` [PATCH v4 1/3] gpg_sign: add support for gpg signature types Ioan-Adrian Ratiu
@ 2016-02-09 14:22 ` Ioan-Adrian Ratiu
  2016-02-09 14:22 ` [PATCH v4 3/3] package_manager: sign IPK package feeds Ioan-Adrian Ratiu
  2 siblings, 0 replies; 6+ messages in thread
From: Ioan-Adrian Ratiu @ 2016-02-09 14:22 UTC (permalink / raw)
  To: openembedded-core

Implement local ipk signing logic inside the gpg backend and add a new
bbclass which configures signing similar to how rpm does it.

The ipk signing process is a bit different from rpm:
    - Signatures are stored outside ipk files; opkg connects to a feed
      server and downloads them to verify a package.
    - Signatures are of two types (both supported by opkg): binary or
      ascii armoured. By default we sign using ascii armoured.
    - Public keys are stored on targets to verify ipks using the
      opkg-keyrings recipe.

Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
---
 meta/classes/package_ipk.bbclass |  6 +++++
 meta/classes/sign_ipk.bbclass    | 53 ++++++++++++++++++++++++++++++++++++++++
 meta/lib/oe/gpg_sign.py          | 38 ++++++++++++++++++++++++++++
 3 files changed, 97 insertions(+)
 create mode 100644 meta/classes/sign_ipk.bbclass

diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass
index 51bee28..4f5bbd0 100644
--- a/meta/classes/package_ipk.bbclass
+++ b/meta/classes/package_ipk.bbclass
@@ -246,6 +246,12 @@ python do_package_ipk () {
             bb.utils.unlockfile(lf)
             raise bb.build.FuncFailed("opkg-build execution failed")
 
+        if d.getVar('IPK_SIGN_PACKAGES', True) == '1':
+            ipkver = "%s-%s" % (d.getVar('PKGV'), d.getVar('PKGR'))
+            ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, d.getVar('PACKAGE_ARCH', True))
+            d.setVar('IPK_TO_SIGN', ipk_to_sign)
+            bb.build.exec_func("sign_ipk", d)
+
         cleanupcontrol(root)
         bb.utils.unlockfile(lf)
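Review bot: `d.getVar('PKGV')` and `d.getVar('PKGR')` omit the expand flag that every other getVar call in this hunk passes (`d.getVar('PACKAGE_ARCH', True)`), so the values can still contain unexpanded `${...}` references and the constructed path will not match the file opkg-build wrote. More generally, rebuilding the ipk file name by hand duplicates opkg-build's naming rules; signing the file opkg-build actually produced (for example by looking in `pkgoutdir` for the new `.ipk`) is more robust, and a path that does not exist at this point should make do_package_ipk fail rather than proceed.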
 
diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass
new file mode 100644
index 0000000..d301413
--- /dev/null
+++ b/meta/classes/sign_ipk.bbclass
@@ -0,0 +1,53 @@
+# Class for generating signed IPK packages.
+#
+# Configuration variables used by this class:
+# IPK_GPG_PASSPHRASE_FILE
+#           Path to a file containing the passphrase of the signing key.
+# IPK_GPG_NAME
+#           Name of the key to sign with.
+# IPK_GPG_BACKEND
+#           Optional variable for specifying the backend to use for signing.
+#           Currently the only available option is 'local', i.e. local signing
+#           on the build host.
+# IPK_GPG_SIGNATURE_TYPE
+#           Optional variable for specifying the type of gpg signatures, can be:
+#                     1. Ascii armored (ASC), default if not set
+#                     2. Binary (BIN)
+# GPG_BIN
+#           Optional variable for specifying the gpg binary/wrapper to use for
+#           signing.
+# GPG_PATH
+#           Optional variable for specifying the gnupg "home" directory:
+#
+
+inherit sanity
+
+IPK_SIGN_PACKAGES = '1'
+IPK_GPG_BACKEND ?= 'local'
+IPK_GPG_SIGNATURE_TYPE ?= 'ASC'
+
+python () {
+    # Check configuration
+    for var in ('IPK_GPG_NAME', 'IPK_GPG_PASSPHRASE_FILE'):
+        if not d.getVar(var, True):
+            raise_sanity_error("You need to define %s in the config" % var, d)
+
+    sigtype = d.getVar("IPK_GPG_SIGNATURE_TYPE", True)
+    if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
+        raise_sanity_error("Bad value for IPK_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype)
+}
+
+python sign_ipk () {
+    from oe.gpg_sign import get_signer
+
+    ipk_file = d.getVar('IPK_TO_SIGN')
+    bb.debug(1, 'Signing ipk: %s' % ipk_file)
+
+    signer = get_signer(d,
+                        d.getVar('IPK_GPG_BACKEND', True),
+                        d.getVar('IPK_GPG_NAME', True),
+                        d.getVar('IPK_GPG_PASSPHRASE_FILE', True),
+                        d.getVar('IPK_GPG_SIGNATURE_TYPE', True))
+
+    signer.sign_ipk(ipk_file)
+}
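Review bot: the `raise_sanity_error(...)` on the signature-type check is missing the trailing `d` argument used by the call just above it, and `d.getVar('IPK_TO_SIGN')` omits the expand flag that the other getVar calls in this file pass. Minor: the GPG_PATH comment ends with a dangling colon followed by an empty comment line.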
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index d971d32..ff40cdd 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -1,5 +1,6 @@
 """Helper module for GPG signing"""
 import os
+import sys
 
 import bb
 import oe.utils
@@ -55,6 +56,43 @@ class LocalSigner(object):
             bb.error('rpmsign failed: %s' % proc.before.strip())
             raise bb.build.FuncFailed("Failed to sign RPM packages")
 
+    def sign_ipk(self, ipkfile):
+        """Sign IPK files"""
+        import subprocess
+        from subprocess import Popen
+
+        cmd = [self.gpg_bin, "-q", "--batch", "--yes", "-b", "-u", self.keyid]
+        if self.gpg_path:
+            cmd += ["--homedir", self.gpg_path]
+        if self.gpg_sig_type == "ASC":
+            cmd += ["-a"]
+
+        try:
+            keypipe = os.pipe()
+
+            # Need to add '\n' in case the passfile does not have it
+            with open(self.passphrase_file) as fobj:
+                os.write(keypipe[1], fobj.readline() + '\n')
+
+            cmd += ["--passphrase-fd",  str(keypipe[0])]
+            cmd += [ipkfile]
+
+            gpg_proc = Popen(cmd, stdin=subprocess.PIPE)
+            gpg_proc.wait()
+
+            os.close(keypipe[1]);
+            os.close(keypipe[0]);
+
+        except IOError as e:
+            bb.error("IO error ({0}): {1}".format(e.errno, e.strerror))
+            raise bb.build.FuncFailed("Failed to sign IPK packages")
+        except OSError as e:
+            bb.error("OS error ({0}): {1}".format(e.errno, e.strerror))
+            raise bb.build.FuncFailed("Failed to sign IPK packages")
+        except:
+            bb.error("Unexpected error: {1}".format(sys.exc_info()[0]))
+            raise bb.build.FuncFailed("Failed to sign IPK packages")
+
     def detach_sign(self, input_file):
         """Create a detached signature of a file"""
         cmd = "%s --detach-sign --armor --batch --no-tty --yes " \
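Review bot: sign_ipk never checks the outcome of gpg: `gpg_proc.wait()` discards the return code, so a wrong passphrase, an unknown key or an unreadable ipk leaves the package unsigned while the build succeeds; test `gpg_proc.returncode` (or use `subprocess.check_call`) and raise `bb.build.FuncFailed` on a non-zero exit. The bare `except:` formats `"Unexpected error: {1}"` with a single argument, which raises IndexError inside the handler and hides the original exception; use `{0}`. The passphrase pipe relies on the read end being inherited by the child (pass it explicitly with `pass_fds` on Python 3, where close_fds defaults to True) and both ends leak if an exception is raised before the `os.close` calls, so close them in a `finally`. `stdin=subprocess.PIPE` is never written to or closed and can be dropped, and the two `os.close(...)` lines end in stray semicolons. Since detach_sign in this same class already supplies the passphrase via `self.passphrase_file`, reusing that mechanism would remove the pipe handling entirely.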
-- 
2.7.0




* [PATCH v4 3/3] package_manager: sign IPK package feeds
  2016-02-09 14:22 [PATCH v4 0/3] IPK signing for gpg_sign module Ioan-Adrian Ratiu
  2016-02-09 14:22 ` [PATCH v4 1/3] gpg_sign: add support for gpg signature types Ioan-Adrian Ratiu
  2016-02-09 14:22 ` [PATCH v4 2/3] gpg_sign: add local ipk package signing functionality Ioan-Adrian Ratiu
@ 2016-02-09 14:22 ` Ioan-Adrian Ratiu
  2 siblings, 0 replies; 6+ messages in thread
From: Ioan-Adrian Ratiu @ 2016-02-09 14:22 UTC (permalink / raw)
  To: openembedded-core

Create gpg signed ipk package feeds using the gpg backend if configured.

Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
---
 meta/lib/oe/package_manager.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index 7ea523a..2051c8c 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -165,11 +165,20 @@ class OpkgIndexer(Indexer):
                      "MULTILIB_ARCHS"]
 
         opkg_index_cmd = bb.utils.which(os.getenv('PATH'), "opkg-make-index")
+        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
+            signer = get_signer(self.d,
+                                self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
+                                self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
+                                self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True),
+                                self.d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE', True))
+        else:
+            signer = None
 
         if not os.path.exists(os.path.join(self.deploy_dir, "Packages")):
             open(os.path.join(self.deploy_dir, "Packages"), "w").close()
 
         index_cmds = []
+        index_sign_files = []
         for arch_var in arch_vars:
             archs = self.d.getVar(arch_var, True)
             if archs is None:
@@ -188,6 +197,8 @@ class OpkgIndexer(Indexer):
                 index_cmds.append('%s -r %s -p %s -m %s' %
                                   (opkg_index_cmd, pkgs_file, pkgs_file, pkgs_dir))
 
+                index_sign_files.append(pkgs_file)
+
         if len(index_cmds) == 0:
             bb.note("There are no packages in %s!" % self.deploy_dir)
             return
@@ -195,9 +206,10 @@ class OpkgIndexer(Indexer):
         result = oe.utils.multiprocess_exec(index_cmds, create_index)
         if result:
             bb.fatal('%s' % ('\n'.join(result)))
-        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
-            raise NotImplementedError('Package feed signing not implementd for ipk')
 
+        if signer:
+            for f in index_sign_files:
+                signer.detach_sign(f)
 
 
 class DpkgIndexer(Indexer):
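Review bot: `signer.detach_sign(f)` is expected to honour PACKAGE_FEED_GPG_SIGNATURE_TYPE, but detach_sign as modified in 1/3 keeps `--armor` in its base command (visible in the 2/3 context line), so a BIN feed signature is still armored. Also worth confirming that the signature file detach_sign writes next to each Packages file is the one opkg fetches for the configured signature type; otherwise the target will not find the signature to verify.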
-- 
2.7.0




* Re: [PATCH v4 1/3] gpg_sign: add support for gpg signature types
  2016-02-09 14:22 ` [PATCH v4 1/3] gpg_sign: add support for gpg signature types Ioan-Adrian Ratiu
@ 2016-02-16 11:54   ` Burton, Ross
  2016-02-16 14:03     ` Ioan-Adrian Ratiu
  0 siblings, 1 reply; 6+ messages in thread
From: Burton, Ross @ 2016-02-16 11:54 UTC (permalink / raw)
  To: Ioan-Adrian Ratiu; +Cc: OE-core


Hi,


This is an awesome patch, but sadly it conflicts with Markus's refactor of
related code.  Can you rebase this on top of Markus's work?  If you can't
find it on the list, then it's also staging in my poky-contrib:ross/mut
branch.

Thanks,
Ross




* Re: [PATCH v4 1/3] gpg_sign: add support for gpg signature types
  2016-02-16 11:54   ` Burton, Ross
@ 2016-02-16 14:03     ` Ioan-Adrian Ratiu
  0 siblings, 0 replies; 6+ messages in thread
From: Ioan-Adrian Ratiu @ 2016-02-16 14:03 UTC (permalink / raw)
  To: Burton, Ross; +Cc: OE-core

Hi

On Tue, 16 Feb 2016 11:54:29 +0000
"Burton, Ross" <ross.burton@intel.com> wrote:

> Hi,
> 
> 
> This is an awesome patch, but sadly it conflicts with Markus's refactor of
> related code.  Can you rebase this on top of Markus's work?  If you can't
> find it on the list, then it's also staging in my poky-contrib:ross/mut
> branch.

Yes, sure, I'll rewrite and send the v5 patches by tomorrow. I'll use your staging branch.

> 
> Thanks,
> Ross
> 
> On 9 February 2016 at 14:22, Ioan-Adrian Ratiu <adrian.ratiu@ni.com> wrote:
> 
> > ASC = ascii armoured, BIN = binary
> >
> > Create new variables + parameters to the gpg signer module to specify
> > which type of gpg signature to generate (ASC or BIN).
> >
> > The rpm backend has already implemented signatures which default to
> > binary, so its behaviour is unchanged by this.
> >
> > Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
> > ---
> >  meta/classes/sign_package_feed.bbclass | 10 +++++++++-
> >  meta/classes/sign_rpm.bbclass          | 12 +++++++++++-
> >  meta/lib/oe/gpg_sign.py                | 13 +++++++++----
> >  meta/lib/oe/package_manager.py         |  3 ++-
> >  meta/recipes-core/meta/signing-keys.bb |  6 ++++--
> >  5 files changed, 35 insertions(+), 9 deletions(-)
> >
> > diff --git a/meta/classes/sign_package_feed.bbclass
> > b/meta/classes/sign_package_feed.bbclass
> > index d5df8af..4e703f2 100644
> > --- a/meta/classes/sign_package_feed.bbclass
> > +++ b/meta/classes/sign_package_feed.bbclass
> > @@ -10,6 +10,10 @@
> >  #           Optional variable for specifying the backend to use for
> > signing.
> >  #           Currently the only available option is 'local', i.e. local
> > signing
> >  #           on the build host.
> > +# PACKAGE_FEED_GPG_SIGNATURE_TYPE
> > +#           Optional variable for specifying the type of gpg signature,
> > can be:
> > +#               1. Ascii armored (ASC), default if not set
> > +#               2. Binary (BIN)
> >  # GPG_BIN
> >  #           Optional variable for specifying the gpg binary/wrapper to
> > use for
> >  #           signing.
> > @@ -20,7 +24,7 @@ inherit sanity
> >
> >  PACKAGE_FEED_SIGN = '1'
> >  PACKAGE_FEED_GPG_BACKEND ?= 'local'
> > -
> > +PACKAGE_FEED_GPG_SIGNATURE_TYPE ?= 'ASC'
> >
> >  python () {
> >      # Check sanity of configuration
> > @@ -28,6 +32,10 @@ python () {
> >          if not d.getVar(var, True):
> >              raise_sanity_error("You need to define %s in the config" %
> > var, d)
> >
> > +    sigtype = d.getVar("PACKAGE_FEED_GPG_SIGNATURE_TYPE", True)
> > +    if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
> > +        raise_sanity_error("Bad value for PACKAGE_FEED_GPG_SIGNATURE_TYPE
> > (%s), use either ASC or BIN" % sigtype)
> > +
> >      # Set expected location of the public key
> >      d.setVar('PACKAGE_FEED_GPG_PUBKEY',
> >               os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
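Review bot: the new raise_sanity_error call in this hunk drops the `d` argument that the existing call in the loop above passes (`raise_sanity_error("You need to define %s in the config" % var, d)`); add the trailing `, d` so the error is raised the same way. The check also accepts any case via `sigtype.upper()`, but the value itself is stored and later compared unchanged (the gpg_sign.py hunks test `== "ASC"`), so a lowercase `asc` passes sanity and still yields a binary signature; either compare case-sensitively here or write the upper-cased value back with `d.setVar`.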
> > diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
> > index 8bcabee..840b6ca 100644
> > --- a/meta/classes/sign_rpm.bbclass
> > +++ b/meta/classes/sign_rpm.bbclass
> > @@ -9,6 +9,10 @@
> >  #           Optional variable for specifying the backend to use for
> > signing.
> >  #           Currently the only available option is 'local', i.e. local
> > signing
> >  #           on the build host.
> > +# RPM_GPG_SIGNATURE_TYPE
> > +#           Optional variable for specifying the type of gpg signatures,
> > can be:
> > +#                     1. Ascii armored (ASC), default if not set
> > +#                     2. Binary (BIN)
> >  # GPG_BIN
> >  #           Optional variable for specifying the gpg binary/wrapper to
> > use for
> >  #           signing.
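Review bot: the comment block added in this hunk documents "Ascii armored (ASC), default if not set", but the next hunk sets `RPM_GPG_SIGNATURE_TYPE ?= 'BIN'` and the commit message states that the rpm backend keeps its binary default; reword items 1 and 2 so the comment says BIN is the default for RPM.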
> > @@ -19,6 +23,7 @@ inherit sanity
> >
> >  RPM_SIGN_PACKAGES='1'
> >  RPM_GPG_BACKEND ?= 'local'
> > +RPM_GPG_SIGNATURE_TYPE ?= 'BIN'
> >
> >
> >  python () {
> > @@ -27,6 +32,10 @@ python () {
> >          if not d.getVar(var, True):
> >              raise_sanity_error("You need to define %s in the config" %
> > var, d)
> >
> > +    sigtype = d.getVar("RPM_GPG_SIGNATURE_TYPE", True)
> > +    if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
> > +        raise_sanity_error("Bad value for RPM_GPG_SIGNATURE_TYPE (%s),
> > use either ASC or BIN" % sigtype)
> > +
> >      # Set the expected location of the public key
> >      d.setVar('RPM_GPG_PUBKEY',
> > os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
> >                                              'RPM-GPG-PUBKEY'))
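Review bot: as in sign_package_feed.bbclass, the new raise_sanity_error call is missing the trailing `, d` argument that the existing call in the loop above passes; add it. The variable is always defined here because of the `?=` default, but the check is case-insensitive while the value is consumed as-is downstream, so normalize it with `.upper()` before it is handed to get_signer.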
> > @@ -39,7 +48,8 @@ python sign_rpm () {
> >      signer = get_signer(d,
> >                          d.getVar('RPM_GPG_BACKEND', True),
> >                          d.getVar('RPM_GPG_NAME', True),
> > -                        d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
> > +                        d.getVar('RPM_GPG_PASSPHRASE_FILE', True),
> > +                        d.getVar('RPM_GPG_SIGNATURE_TYPE', True))
> >      rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*')
> >
> >      signer.sign_rpms(rpms)
> > diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
> > index 55abad8..d971d32 100644
> > --- a/meta/lib/oe/gpg_sign.py
> > +++ b/meta/lib/oe/gpg_sign.py
> > @@ -6,9 +6,10 @@ import oe.utils
> >
> >  class LocalSigner(object):
> >      """Class for handling local (on the build host) signing"""
> > -    def __init__(self, d, keyid, passphrase_file):
> > +    def __init__(self, d, keyid, passphrase_file, signature_type):
> >          self.keyid = keyid
> >          self.passphrase_file = passphrase_file
> > +        self.gpg_sig_type = signature_type
> >          self.gpg_bin = d.getVar('GPG_BIN', True) or \
> >                    bb.utils.which(os.getenv('PATH'), 'gpg')
> >          self.gpg_path = d.getVar('GPG_PATH', True)
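Review bot: store a normalized value here, e.g. `self.gpg_sig_type = signature_type.upper()`, and reject anything other than ASC or BIN, because the bbclass sanity checks in this series accept lowercase values while the comparisons in export_pubkey and detach_sign below are against the literal "ASC". A `None` passed by a caller with no signature type configured should also be handled explicitly rather than silently meaning binary.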
> > @@ -16,10 +17,12 @@ class LocalSigner(object):
> >
> >      def export_pubkey(self, output_file):
> >          """Export GPG public key to a file"""
> > -        cmd = '%s --batch --yes --export --armor -o %s ' % \
> > +        cmd = '%s --batch --yes --export -o %s ' % \
> >                  (self.gpg_bin, output_file)
> >          if self.gpg_path:
> >              cmd += "--homedir %s " % self.gpg_path
> > +        if self.gpg_sig_type == "ASC":
> > +            cmd += "-a "
> >          cmd += self.keyid
> >          status, output = oe.utils.getstatusoutput(cmd)
> >          if status:
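Review bot: dropping the unconditional `--armor` from export_pubkey ties the format of the exported public key to the signature type, which is a behaviour change: with the RPM default of BIN the RPM-GPG-PUBKEY file is now written as a binary key, contradicting the commit message's claim that rpm behaviour is unchanged. Key export format and detached signature format are independent choices; keep `--armor` for key export (or add a separate parameter for it) unless every consumer of the key file has been checked to accept a binary key.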
> > @@ -59,6 +62,8 @@ class LocalSigner(object):
> >                    (self.gpg_bin, self.passphrase_file, self.keyid)
> >          if self.gpg_path:
> >              gpg_cmd += "--homedir %s " % self.gpg_path
> > +        if self.gpg_sig_type == "ASC":
> > +            cmd += "-a "
> >          cmd += input_file
> >          status, output = oe.utils.getstatusoutput(cmd)
> >          if status:
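Review bot: the added lines append `-a ` to `cmd`, but the context line directly above appends `--homedir` to `gpg_cmd` while the context line below appends `input_file` to `cmd`; that existing `gpg_cmd`/`cmd` mismatch means the homedir is either lost or raises a NameError, and since this series touches the function it is worth fixing in the same hunk. Also, unlike the export_pubkey hunk, this hunk does not show the hard-coded `--armor` being removed from the detach_sign command string; if it is still there, `-a` is redundant and BIN never produces a binary signature.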
> > @@ -66,11 +71,11 @@ class LocalSigner(object):
> >                                        (input_file, output))
> >
> >
> > -def get_signer(d, backend, keyid, passphrase_file):
> > +def get_signer(d, backend, keyid, passphrase_file, signature_type):
> >      """Get signer object for the specified backend"""
> >      # Use local signing by default
> >      if backend == 'local':
> > -        return LocalSigner(d, keyid, passphrase_file)
> > +        return LocalSigner(d, keyid, passphrase_file, signature_type)
> >      else:
> >          bb.fatal("Unsupported signing backend '%s'" % backend)
> >
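Review bot: `signature_type` is added to get_signer as a required positional argument, so any caller outside this series that still passes four arguments now fails with a TypeError; give it a default (e.g. `signature_type='BIN'`, matching the rpm behaviour the commit message says is preserved) and extend the docstring to list the accepted values.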
> > diff --git a/meta/lib/oe/package_manager.py
> > b/meta/lib/oe/package_manager.py
> > index 26f6466..7ea523a 100644
> > --- a/meta/lib/oe/package_manager.py
> > +++ b/meta/lib/oe/package_manager.py
> > @@ -113,7 +113,8 @@ class RpmIndexer(Indexer):
> >              signer = get_signer(self.d,
> >                                  self.d.getVar('PACKAGE_FEED_GPG_BACKEND',
> > True),
> >                                  self.d.getVar('PACKAGE_FEED_GPG_NAME',
> > True),
> > -
> > self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
> > +
> > self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True),
> > +
> > self.d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE', True))
> >          else:
> >              signer = None
> >          index_cmds = []
> > diff --git a/meta/recipes-core/meta/signing-keys.bb
> > b/meta/recipes-core/meta/signing-keys.bb
> > index d7aa79d..82c8c59 100644
> > --- a/meta/recipes-core/meta/signing-keys.bb
> > +++ b/meta/recipes-core/meta/signing-keys.bb
> > @@ -29,7 +29,8 @@ python do_export_public_keys () {
> >          signer = get_signer(d,
> >                              d.getVar('RPM_GPG_BACKEND', True),
> >                              d.getVar('RPM_GPG_NAME', True),
> > -                            d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
> > +                            d.getVar('RPM_GPG_PASSPHRASE_FILE', True),
> > +                            d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE',
> > True))
> >          signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True))
> >
> >      if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
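Review bot: the RPM signer in this hunk is built from `PACKAGE_FEED_GPG_SIGNATURE_TYPE`, whereas the sign_rpm.bbclass hunk in this same patch passes `RPM_GPG_SIGNATURE_TYPE` for the same signer; in a configuration that inherits sign_rpm but not sign_package_feed the feed variable is unset, `None` reaches LocalSigner, and the `== "ASC"` test in export_pubkey silently exports a binary key. Use `RPM_GPG_SIGNATURE_TYPE` here, alongside the other RPM_GPG_* variables already used in this call, so the key export matches the rpm signer.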
> > @@ -37,7 +38,8 @@ python do_export_public_keys () {
> >          signer = get_signer(d,
> >                              d.getVar('PACKAGE_FEED_GPG_BACKEND', True),
> >                              d.getVar('PACKAGE_FEED_GPG_NAME', True),
> > -                            d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE',
> > True))
> > +                            d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE',
> > True),
> > +                            d.getVar('PACKAGE_FEED_GPG_SIGNATURE_TYPE',
> > True))
> >          signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True))
> >  }
> >  addtask do_export_public_keys before do_build
> > --
> > 2.7.0
> >
> > --
> > _______________________________________________
> > Openembedded-core mailing list
> > Openembedded-core@lists.openembedded.org
> > http://lists.openembedded.org/mailman/listinfo/openembedded-core
> >





Thread overview: 6+ messages
2016-02-09 14:22 [PATCH v4 0/3] IPK signing for gpg_sign module Ioan-Adrian Ratiu
2016-02-09 14:22 ` [PATCH v4 1/3] gpg_sign: add support for gpg signature types Ioan-Adrian Ratiu
2016-02-16 11:54   ` Burton, Ross
2016-02-16 14:03     ` Ioan-Adrian Ratiu
2016-02-09 14:22 ` [PATCH v4 2/3] gpg_sign: add local ipk package signing functionality Ioan-Adrian Ratiu
2016-02-09 14:22 ` [PATCH v4 3/3] package_manager: sign IPK package feeds Ioan-Adrian Ratiu
