openembedded-core.git/meta/classes/sign_package_feed.bbclass, branch thud Mirror of openembedded-core gnupg: use native version for signing, rather than one provided by host 2018-01-10T22:14:53+00:00 Alexander Kanavin alexander.kanavin@linux.intel.com 2018-01-10T12:27:42+00:00 08fef6198122fe79d4c1213f9a64b862162ed6cd Using host gpg has been problematic, and particularly this removes the need to serialize package creation, as long as --auto-expand-secmem is passed to gpg-agent, and gnupg >= 2.2.4 is in use (https://dev.gnupg.org/T3530). Sadly, gpg-agent itself is single-threaded, so in the longer run we might want to seek alternatives: https://lwn.net/Articles/742542/ (a smaller issue is that rpm itself runs the gpg fronted in a serial fashion, which slows down the build in cases of recipes with very large amount of packages, e.g. glibc-locale) Note that sstate signing and verification continues to use host gpg, as depending on native gpg would create circular dependencies. [YOCTO #12022] Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Using host gpg has been problematic, and particularly this removes
the need to serialize package creation, as long as --auto-expand-secmem
is passed to gpg-agent, and gnupg >= 2.2.4 is in use
(https://dev.gnupg.org/T3530).

Sadly, gpg-agent itself is single-threaded, so in the longer run
we might want to seek alternatives:
https://lwn.net/Articles/742542/

(a smaller issue is that rpm itself runs the gpg fronted in a serial
fashion, which slows down the build in cases of recipes with very
large amount of packages, e.g. glibc-locale)

Note that sstate signing and verification continues to use host
gpg, as depending on native gpg would create circular dependencies.

[YOCTO #12022]

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
sign_package_feed.bbclass: install signing key into rootfs 2017-08-15T23:02:01+00:00 Markus Lehtonen markus.lehtonen@linux.intel.com 2017-08-15T11:34:53+00:00 4f89a5629f876a833c0178d1ec687448d3ed8e71 If package-management is enabled. [YOCTO #11209] Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
If package-management is enabled.

[YOCTO #11209]

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta: remove True option to getVar calls 2016-12-16T08:30:03+00:00 Joshua Lock joshua.g.lock@intel.com 2016-12-14T21:13:04+00:00 7c552996597faaee2fbee185b250c0ee30ea3b5f getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace. Search made with the following regex: getVar ?\(( ?[^,()]*), True\) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.

Search made with the following regex: getVar ?\(( ?[^,()]*), True\)

Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
sign_package_feed: add feed signature type 2016-03-11T16:50:28+00:00 Ioan-Adrian Ratiu adrian.ratiu@ni.com 2016-03-10T10:03:00+00:00 862a3892feb2628282e1d6f2e4498a7a3bd60cbf Signing package feeds will default to ascii armored signatures (ASC) the other option being binary (BIN). This is for both rpm and ipk backends. Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signing package feeds will default to ascii armored signatures (ASC) the
other option being binary (BIN). This is for both rpm and ipk backends.

Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
signing-keys: Make signing keys the only publisher of keys 2016-02-26T17:16:01+00:00 Randy Witt randy.e.witt@linux.intel.com 2016-02-19T16:45:25+00:00 1e38068ac38dfd067655dfd41464e28439179306 Previously the keys were put into the os-release package. The package indexing code was also deploying the keys rather than only using the keys. This change makes signing-keys.bb the only publisher of the keys and also uses standard tasks that already have sstate. Signed-off-by: Randy Witt <randy.e.witt@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Previously the keys were put into the os-release package. The package
indexing code was also deploying the keys rather than only using the keys.

This change makes signing-keys.bb the only publisher of the keys and also
uses standard tasks that already have sstate.

Signed-off-by: Randy Witt <randy.e.witt@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
sign_package_feed.bbclass: fix task dependencies 2016-02-11T12:27:26+00:00 Markus Lehtonen markus.lehtonen@linux.intel.com 2016-02-08T15:20:06+00:00 f1eada135a6b6eef0444ca7a7ff14ab388cb879b This dependency was already added to sign_rpm.bbclass. However, the same dep needs to be added to sign_package_feed.bbclass, too, to cover the case where rpm signing is disabled but package feed signing is enabled. Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
This dependency was already added to sign_rpm.bbclass. However, the same dep needs to be
added to sign_package_feed.bbclass, too, to cover the case where rpm
signing is disabled but package feed signing is enabled.

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
meta/lib: new module for handling GPG signing 2016-01-26T22:31:08+00:00 Markus Lehtonen markus.lehtonen@linux.intel.com 2016-01-25T12:21:34+00:00 9b3dc1bd4b8336423a3f8f7db0ab5fa6fa0e7257 Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Add a new Python module (oe.gpg_sign) for handling GPG signing
operations, i.e. currently package and package feed signing. The purpose
is to be able to more easily support various signing backends and to be
able to centralise signing functionality into one place (e.g.  package
signing and sstate signing). Currently, only local signing with gpg is
implemented.

[YOCTO #8755]

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
populate_sdk_ext/sign_rpm/sign_package_feed: Add missing getVar parameter 2015-12-14T15:16:04+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2015-12-10T22:48:35+00:00 31bc0a46a97d7dc98568a218c077c31d8b11dbd9 We should always pass a parameter to getVar, add missing default value. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
We should always pass a parameter to getVar, add missing default value.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
package signing: automatically export public keys 2015-10-24T11:17:16+00:00 Markus Lehtonen markus.lehtonen@linux.intel.com 2015-10-16T10:37:32+00:00 23b30c34581948e1ea02c25cbf7b9194d7e49fb8 Automatically export public key(s) of the signing key(s) from the gpg keyring. Adds a new simple recipe that does the actual task of exporting the keys. This patch makes the RPM_GPG_PUBKEY and PACKAGE_FEED_GPG PUBKEY settings obsolete. Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> 
Automatically export public key(s) of the signing key(s) from the gpg
keyring. Adds a new simple recipe that does the actual task of exporting
the keys.  This patch makes the RPM_GPG_PUBKEY and PACKAGE_FEED_GPG
PUBKEY settings obsolete.

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Add new bbclass for package feed signing 2015-10-24T11:17:14+00:00 Markus Lehtonen markus.lehtonen@linux.intel.com 2015-10-16T10:25:34+00:00 2ba901da9a07350cc8975fc951ef5054b32d421b After this change signed package feeds should be enabled by adding INERIT += "sign_package_feed" instead of definining PACKAGE_FEED_SIGN="1". Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> 
After this change signed package feeds should be enabled by adding
INERIT += "sign_package_feed"
instead of definining PACKAGE_FEED_SIGN="1".

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>