author | Randy Witt <randy.e.witt@linux.intel.com> | 2016-02-19 08:45:25 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-02-26 17:16:01 +0000 |
commit | 1e38068ac38dfd067655dfd41464e28439179306 (patch) | |
tree | 366f29e80330afdf9d95e27886dd48774ea381c4 | |
parent | 50743301bd8c0c4817d039d08c9567d15243a74d (diff) | |
download | openembedded-core-1e38068ac38dfd067655dfd41464e28439179306.tar.gz openembedded-core-1e38068ac38dfd067655dfd41464e28439179306.tar.bz2 openembedded-core-1e38068ac38dfd067655dfd41464e28439179306.zip |
signing-keys: Make signing keys the only publisher of keys
Previously the keys were put into the os-release package. The package
indexing code was also deploying the keys rather than only using the keys.
This change makes signing-keys.bb the only publisher of the keys and also
uses standard tasks that already have sstate.
Signed-off-by: Randy Witt <randy.e.witt@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/classes/sign_package_feed.bbclass | 9 | ||||
-rw-r--r-- | meta/classes/sign_rpm.bbclass | 11 | ||||
-rw-r--r-- | meta/lib/oe/package_manager.py | 10 | ||||
-rw-r--r-- | meta/recipes-core/meta/signing-keys.bb | 61 | ||||
-rw-r--r-- | meta/recipes-core/os-release/os-release.bb | 11 |
5 files changed, 52 insertions, 50 deletions
diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass index 63ca02fd9d..e1ec82e2ff 100644 --- a/meta/classes/sign_package_feed.bbclass +++ b/meta/classes/sign_package_feed.bbclass @@ -27,12 +27,7 @@ python () { for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'): if not d.getVar(var, True): raise_sanity_error("You need to define %s in the config" % var, d) - - # Set expected location of the public key - d.setVar('PACKAGE_FEED_GPG_PUBKEY', - os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False), - 'PACKAGE-FEED-GPG-PUBKEY')) } -do_package_index[depends] += "signing-keys:do_export_public_keys" -do_rootfs[depends] += "signing-keys:do_export_public_keys" +do_package_index[depends] += "signing-keys:do_deploy" +do_rootfs[depends] += "signing-keys:do_populate_sysroot" diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass index 8b59bacd45..c21e3f09af 100644 --- a/meta/classes/sign_rpm.bbclass +++ b/meta/classes/sign_rpm.bbclass @@ -28,8 +28,11 @@ python () { raise_sanity_error("You need to define %s in the config" % var, d) # Set the expected location of the public key - d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False), - 'RPM-GPG-PUBKEY')) + d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_DIR_TARGET', False), + d.getVar('sysconfdir', False), + 'pki', + 'rpm-gpg', + 'RPM-GPG-KEY-${DISTRO_VERSION}')) } python sign_rpm () { @@ -44,5 +47,5 @@ python sign_rpm () { d.getVar('RPM_GPG_PASSPHRASE_FILE', True)) } -do_package_index[depends] += "signing-keys:do_export_public_keys" -do_rootfs[depends] += "signing-keys:do_export_public_keys" +do_package_index[depends] += "signing-keys:do_deploy" +do_rootfs[depends] += "signing-keys:do_populate_sysroot" diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py index b30a4da057..5cd43e9b1d 100644 --- a/meta/lib/oe/package_manager.py +++ b/meta/lib/oe/package_manager.py 
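Review bot: In meta/classes/sign_package_feed.bbclass the anonymous function no longer sets `PACKAGE_FEED_GPG_PUBKEY`, and nothing on the new side of this commit defines it or names where the feed key now lives. Any code outside this page that still reads the variable would get an unset value, so a search of the tree and dependent layers for remaining readers is worth doing before merge. The two rewritten dependency lines would also benefit from a comment such as `# do_package_index needs the keys in the deploy dir (signing-keys:do_deploy); do_rootfs needs them staged under ${sysconfdir}/pki in the sysroot`, since the split between the two tasks is not obvious from the lines themselves. The same pair of lines is repeated in the second hunk of sign_rpm.bbclass.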
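Review bot: In the first hunk of meta/classes/sign_rpm.bbclass the new `RPM_GPG_PUBKEY` value is built with `os.path.join()` over unexpanded variable values, and `os.path.join()` discards every earlier component when a later one starts with `/`. It holds only while the unexpanded `sysconfdir` begins with a variable reference (presumably something like `${base_prefix}/etc`, to be confirmed). If a configuration sets it to a literal `/etc`, the path would resolve to the build host's `/etc/pki/rpm-gpg/` and a host key could be picked up instead of the staged one. Plain concatenation avoids the trap: `d.setVar('RPM_GPG_PUBKEY', '${STAGING_DIR_TARGET}${sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-${DISTRO_VERSION}')`. The enclosing anonymous `python ()` block starts above the hunk.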
@@ -144,16 +144,6 @@ class RpmIndexer(Indexer): signer.detach_sign(repomd, self.d.getVar('PACKAGE_FEED_GPG_NAME', True), self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)) - # Copy pubkey(s) to repo - distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0" - if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1': - shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True), - os.path.join(self.deploy_dir, - 'RPM-GPG-KEY-%s' % distro_version)) - if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1': - shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY', True), - os.path.join(self.deploy_dir, - 'REPODATA-GPG-KEY-%s' % distro_version)) class OpkgIndexer(Indexer): diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb index d7763c664e..1d0e8344ef 100644 --- a/meta/recipes-core/meta/signing-keys.bb +++ b/meta/recipes-core/meta/signing-keys.bb 
@@ -3,37 +3,62 @@ DESCRIPTION = "Make public keys of the signing keys available" LICENSE = "MIT" -PACKAGES = "" - -do_fetch[noexec] = "1" -do_unpack[noexec] = "1" -do_patch[noexec] = "1" -do_configure[noexec] = "1" -do_compile[noexec] = "1" -do_install[noexec] = "1" -do_package[noexec] = "1" -do_packagedata[noexec] = "1" -do_package_write_ipk[noexec] = "1" -do_package_write_rpm[noexec] = "1" -do_package_write_deb[noexec] = "1" -do_populate_sysroot[noexec] = "1" +LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \ + file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + + +inherit allarch deploy EXCLUDE_FROM_WORLD = "1" +INHIBIT_DEFAULT_DEPS = "1" + +PACKAGES =+ "${PN}-rpm ${PN}-packagefeed" +FILES_${PN}-rpm = "${sysconfdir}/pki/rpm-gpg" +FILES_${PN}-packagefeed = "${sysconfdir}/pki/packagefeed-gpg" -python do_export_public_keys () { +python do_get_public_keys () { from oe.gpg_sign import get_signer if d.getVar("RPM_SIGN_PACKAGES", True): # Export public key of the rpm signing key signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True)) - signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True), + signer.export_pubkey(os.path.join(d.expand('${B}'), 'rpm-key'), d.getVar('RPM_GPG_NAME', True)) if d.getVar('PACKAGE_FEED_SIGN', True) == '1': # Export public key of the feed signing key signer = get_signer(d, d.getVar('PACKAGE_FEED_GPG_BACKEND', True)) - signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True), + signer.export_pubkey(os.path.join(d.expand('${B}'), 'pf-key'), d.getVar('PACKAGE_FEED_GPG_NAME', True)) } -addtask do_export_public_keys before do_build +do_get_public_keys[cleandirs] = "${B}" +addtask get_public_keys before do_install + +do_install () { + if [ -f "${B}/rpm-key" ]; then + install -D -m 0644 "${B}/rpm-key" "${D}${sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-${DISTRO_VERSION}" + fi + if [ -f "${B}/pf-key" ]; then + install -D -m 0644 "${B}/pf-key" 
"${D}${sysconfdir}/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-${DISTRO_VERSION}" + fi +} + +sysroot_stage_all_append () { + sysroot_stage_dir ${D}${sysconfdir}/pki ${SYSROOT_DESTDIR}${sysconfdir}/pki +} + +do_deploy () { + if [ -f "${B}/rpm-key" ]; then + install -D -m 0644 "${B}/rpm-key" "${DEPLOYDIR}/RPM-GPG-KEY-${DISTRO_VERSION}" + fi + if [ -f "${B}/pf-key" ]; then + install -D -m 0644 "${B}/pf-key" "${DEPLOYDIR}/PACKAGEFEED-GPG-KEY-${DISTRO_VERSION}" + fi +} +do_deploy[sstate-outputdirs] = "${DEPLOY_DIR_RPM}" +# cleandirs should possibly be in deploy.bbclass but we need it +do_deploy[cleandirs] = "${DEPLOYDIR}" +# clear stamp-extra-info since MACHINE is normally put there by deploy.bbclass +do_deploy[stamp-extra-info] = "" +addtask deploy after do_get_public_keys diff --git a/meta/recipes-core/os-release/os-release.bb b/meta/recipes-core/os-release/os-release.bb index df19ca216f..58364ea249 100644 --- a/meta/recipes-core/os-release/os-release.bb +++ b/meta/recipes-core/os-release/os-release.bb @@ -30,21 +30,10 @@ python do_compile () { value = d.getVar(field, True) if value: f.write('{0}="{1}"\n'.format(field, value)) - if d.getVar('RPM_SIGN_PACKAGES', True) == '1': - rpm_gpg_pubkey = d.getVar('RPM_GPG_PUBKEY', True) - bb.utils.mkdirhier('${B}/rpm-gpg') - distro_version = d.getVar('DISTRO_VERSION', True) or "oe.0" - shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version)) } do_compile[vardeps] += "${OS_RELEASE_FIELDS}" -do_compile[depends] += "signing-keys:do_export_public_keys" do_install () { install -d ${D}${sysconfdir} install -m 0644 os-release ${D}${sysconfdir}/ - - if [ -d "rpm-gpg" ]; then - install -d "${D}${sysconfdir}/pki" - cp -r "rpm-gpg" "${D}${sysconfdir}/pki/" - fi } |
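Review bot: In `do_get_public_keys` of meta/recipes-core/meta/signing-keys.bb the RPM branch still tests `if d.getVar("RPM_SIGN_PACKAGES", True):` while the feed branch tests `== '1'`. Since `do_install` and `do_deploy` now publish whatever key file exists in `${B}`, any non-empty value such as `"0"` exports and ships the RPM key, whereas the code removed from package_manager.py and os-release.bb gated on `== '1'`; the check should read `if d.getVar("RPM_SIGN_PACKAGES", True) == '1':`. The installed and deployed file names also use `${DISTRO_VERSION}` directly, although the removed code fell back to `"oe.0"` when it was unset. The feed key is now deployed as `PACKAGEFEED-GPG-KEY-…` instead of `REPODATA-GPG-KEY-…`, so clients that fetch it by the old name will no longer find it; both changes deserve a comment in the recipe. Nothing visible in the hunk ties these sstate-backed tasks to the key material itself, so it is worth confirming that replacing the signing key under the same `*_GPG_NAME` re-runs `do_get_public_keys` rather than restoring a stale public key.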