package_manager: sign DEB package feeds

Implement debian package repository signature. For each Release file created in repository subdirectory, a signature Release.gpg is created. Signature is performed using gpg backend when the following variables are set in local.conf: PACKAGE_CLASSES += "sign_package_feed" PACKAGE_FEED_GPG_NAME = "<Id of GPG key>" PACKAGE_FEED_GPG_PASSPHRASE_FILE="<path to password file>" (From OE-Core rev: fcc3cee276999efe6402959eb295e7a0e1e96f96) Signed-off-by: Xavier Berger <xavier.berger@bio-logic.net> Signed-off-by: Ferry Toth <ftoth@exalondelft.nl> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-31 05:48:43 +01:00 · 2022-04-03 21:50:45 +02:00
parent bd8f1f7787
commit 0b4231b597
1 changed files with 16 additions and 3 deletions
--- a/meta/lib/oe/package_manager/deb/init.py
+++ b/meta/lib/oe/package_manager/deb/init.py
@@ -53,6 +53,7 @@ class DpkgIndexer(Indexer):

        index_cmds = []
        deb_dirs_found = False
+        index_sign_files = set()
        for arch in arch_list:
            arch_dir = os.path.join(self.deploy_dir, arch)
            if not os.path.isdir(arch_dir):
@@ -62,7 +63,10 @@ class DpkgIndexer(Indexer):

            cmd += "%s -fcn Packages > Packages.gz;" % gzip

-            with open(os.path.join(arch_dir, "Release"), "w+") as release:
+            release_file = os.path.join(arch_dir, "Release")
+            index_sign_files.add(release_file)
+
+            with open(release_file, "w+") as release:
                release.write("Label: %s\n" % arch)

            cmd += "PSEUDO_UNLOAD=1 %s release . >> Release" % apt_ftparchive
@@ -76,8 +80,17 @@ class DpkgIndexer(Indexer):
            return

        oe.utils.multiprocess_launch(create_index, index_cmds, self.d)
-        if self.d.getVar('PACKAGE_FEED_SIGN') == '1':
-            raise NotImplementedError('Package feed signing not implementd for dpkg')
+        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
+            signer = get_signer(self.d, self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
+        else:
+            signer = None
+        if signer:
+            for f in index_sign_files:
+                signer.detach_sign(f,
+                                   self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
+                                   self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True),
+                                   output_suffix="gpg",
+                                   use_sha256=True)

 class PMPkgsList(PkgsList):