mirror of
https://git.yoctoproject.org/poky
synced 2026-02-20 08:29:42 +01:00
043d9ac0ae
Newer versions of gpg (at least 2.1.5 and 2.2.1) have issues when signing occurs in parallel so (unfortunately) the signing must be done serially. Once the upstream problem is fixed, this patch must be reverted, otherwise we loose all the intrinsic parallelism from bitbake. [YOCTO #12022] (From OE-Core rev: 5301712f9735fcf8d3dec756772668de930e53fe) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
76 lines
2.8 KiB
Plaintext
76 lines
2.8 KiB
Plaintext
# Class for generating signed RPM packages.
|
|
#
|
|
# Configuration variables used by this class:
|
|
# RPM_GPG_PASSPHRASE
|
|
# The passphrase of the signing key.
|
|
# RPM_GPG_NAME
|
|
# Name of the key to sign with. May be key id or key name.
|
|
# RPM_GPG_BACKEND
|
|
# Optional variable for specifying the backend to use for signing.
|
|
# Currently the only available option is 'local', i.e. local signing
|
|
# on the build host.
|
|
# RPM_FILE_CHECKSUM_DIGEST
|
|
# Optional variable for specifying the algorithm for generating file
|
|
# checksum digest.
|
|
# RPM_FSK_PATH
|
|
# Optional variable for the file signing key.
|
|
# RPM_FSK_PASSWORD
|
|
# Optional variable for the file signing key password.
|
|
# GPG_BIN
|
|
# Optional variable for specifying the gpg binary/wrapper to use for
|
|
# signing.
|
|
# RPM_GPG_SIGN_CHUNK
|
|
# Optional variable indicating the number of packages used per gpg
|
|
# invocation
|
|
# GPG_PATH
|
|
# Optional variable for specifying the gnupg "home" directory:
|
|
|
|
inherit sanity
|
|
|
|
RPM_SIGN_PACKAGES='1'
|
|
RPM_SIGN_FILES ?= '0'
|
|
RPM_GPG_BACKEND ?= 'local'
|
|
# SHA-256 is used by default
|
|
RPM_FILE_CHECKSUM_DIGEST ?= '8'
|
|
RPM_GPG_SIGN_CHUNK ?= "${BB_NUMBER_THREADS}"
|
|
|
|
|
|
python () {
|
|
if d.getVar('RPM_GPG_PASSPHRASE_FILE'):
|
|
raise_sanity_error('RPM_GPG_PASSPHRASE_FILE is replaced by RPM_GPG_PASSPHRASE', d)
|
|
# Check configuration
|
|
for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE'):
|
|
if not d.getVar(var):
|
|
raise_sanity_error("You need to define %s in the config" % var, d)
|
|
|
|
if d.getVar('RPM_SIGN_FILES') == '1':
|
|
for var in ('RPM_FSK_PATH', 'RPM_FSK_PASSWORD'):
|
|
if not d.getVar(var):
|
|
raise_sanity_error("You need to define %s in the config" % var, d)
|
|
}
|
|
|
|
python sign_rpm () {
|
|
import glob
|
|
from oe.gpg_sign import get_signer
|
|
|
|
signer = get_signer(d, d.getVar('RPM_GPG_BACKEND'))
|
|
rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR') + '/*')
|
|
|
|
signer.sign_rpms(rpms,
|
|
d.getVar('RPM_GPG_NAME'),
|
|
d.getVar('RPM_GPG_PASSPHRASE'),
|
|
d.getVar('RPM_FILE_CHECKSUM_DIGEST'),
|
|
int(d.getVar('RPM_GPG_SIGN_CHUNK')),
|
|
d.getVar('RPM_FSK_PATH'),
|
|
d.getVar('RPM_FSK_PASSWORD'))
|
|
}
|
|
|
|
do_package_index[depends] += "signing-keys:do_deploy"
|
|
do_rootfs[depends] += "signing-keys:do_populate_sysroot"
|
|
|
|
# Newer versions of gpg (at least 2.1.5 and 2.2.1) have issues when signing occurs in parallel
|
|
# so unfortunately the signing must be done serially. Once the upstream problem is fixed,
|
|
# the following line must be removed otherwise we loose all the intrinsic parallelism from
|
|
# bitbake. For more information, check https://bugzilla.yoctoproject.org/show_bug.cgi?id=12022.
|
|
do_package_write_rpm[lockfiles] += "${TMPDIR}/gpg.lock"
|