mirror of
https://git.yoctoproject.org/poky
synced 2026-02-20 08:29:42 +01:00
752736ae9f
This patch adds a new bbclass for generating rpm packages that are signed with a user defined key. The packages are signed as part of the "package_write_rpm" task. In order to enable the feature you need to 1. 'INHERIT += " sign_rpm"' in bitbake config (e.g. local or distro) 2. Create a file that contains the passphrase to your gpg secret key 3. 'RPM_GPG_PASSPHRASE_FILE = "<path_to_file>" in bitbake config, pointing to the passphrase file created in 2. 4. Define GPG key name to use by either defining 'RPM_GPG_NAME = "<key_id>" in bitbake config OR by defining %_gpg_name <key_id> in your ~/.oerpmmacros file 5. 'RPM_GPG_PUBKEY = "<path_to_pubkey>" in bitbake config pointing to the public key (in "armor" format) The user may optionally define "GPG_BIN" variable in the bitbake configuration in order to specify a specific gpg binary/wrapper to use. The sign_rpm.bbclass implements a simple scenario of locally signing the packages. It could be replaced by a more advanced class that would utilize a separate signing server for signing the packages, for example. [YOCTO #8134] (From OE-Core rev: 75f5f11b19ba1bf8743caf9ee7c99a3c67f4b266) Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
76 lines
2.4 KiB
Plaintext
76 lines
2.4 KiB
Plaintext
# Class for generating signed RPM packages.
|
|
#
|
|
# Configuration variables used by this class:
|
|
# RPM_GPG_PASSPHRASE_FILE
|
|
# Path to a file containing the passphrase of the signing key.
|
|
# RPM_GPG_NAME
|
|
# Name of the key to sign with. Alternatively you can define
|
|
# %_gpg_name macro in your ~/.oerpmmacros file.
|
|
# RPM_GPG_PUBKEY
|
|
# Path to a file containing the public key (in "armor" format)
|
|
# corresponding the signing key.
|
|
# GPG_BIN
|
|
# Optional variable for specifying the gpg binary/wrapper to use for
|
|
# signing.
|
|
#
|
|
inherit sanity
|
|
|
|
RPM_SIGN_PACKAGES='1'
|
|
|
|
|
|
_check_gpg_name () {
|
|
macrodef=`rpm -E '%_gpg_name'`
|
|
[ "$macrodef" == "%_gpg_name" ] && return 1 || return 0
|
|
}
|
|
|
|
|
|
def rpmsign_wrapper(d, files, passphrase, gpg_name=None):
|
|
import pexpect
|
|
|
|
# Find the correct rpm binary
|
|
rpm_bin_path = d.getVar('STAGING_BINDIR_NATIVE', True) + '/rpm'
|
|
cmd = rpm_bin_path + " --addsign "
|
|
if gpg_name:
|
|
cmd += "--define '%%_gpg_name %s' " % gpg_name
|
|
else:
|
|
try:
|
|
bb.build.exec_func('_check_gpg_name', d)
|
|
except bb.build.FuncFailed:
|
|
raise_sanity_error("You need to define RPM_GPG_NAME in bitbake "
|
|
"config or the %_gpg_name RPM macro defined "
|
|
"(e.g. in ~/.oerpmmacros", d)
|
|
if d.getVar('GPG_BIN', True):
|
|
cmd += "--define '%%__gpg %s' " % d.getVar('GPG_BIN', True)
|
|
cmd += ' '.join(files)
|
|
|
|
# Need to use pexpect for feeding the passphrase
|
|
proc = pexpect.spawn(cmd)
|
|
try:
|
|
proc.expect_exact('Enter pass phrase:', timeout=15)
|
|
proc.sendline(passphrase)
|
|
proc.expect(pexpect.EOF, timeout=900)
|
|
proc.close()
|
|
except pexpect.TIMEOUT as err:
|
|
bb.debug('rpmsign timeout: %s' % err)
|
|
proc.terminate()
|
|
return proc.exitstatus
|
|
|
|
|
|
python sign_rpm () {
|
|
import glob
|
|
|
|
rpm_gpg_pass_file = (d.getVar("RPM_GPG_PASSPHRASE_FILE", True) or "")
|
|
if rpm_gpg_pass_file:
|
|
with open(rpm_gpg_pass_file) as fobj:
|
|
rpm_gpg_passphrase = fobj.readlines()[0].rstrip('\n')
|
|
else:
|
|
raise_sanity_error("You need to define RPM_GPG_PASSPHRASE_FILE in the config", d)
|
|
|
|
rpm_gpg_name = (d.getVar("RPM_GPG_NAME", True) or "")
|
|
|
|
rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR', True) + '/*')
|
|
|
|
if rpmsign_wrapper(d, rpms, rpm_gpg_passphrase, rpm_gpg_name) != 0:
|
|
raise bb.build.FuncFailed("RPM signing failed")
|
|
}
|