diff options
| author | Ioan-Adrian Ratiu <adrian.ratiu@ni.com> | 2016-03-10 12:02:55 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-03-11 16:50:27 +0000 |
| commit | a40f27aa7802e8a0bd87a5417e35adbface62d05 (patch) | |
| tree | b4b2dbb79f30970216735fb373efeee4cf8bf6d9 /meta/lib | |
| parent | c885b44480b14554c8835e114a2e5469a82f0598 (diff) | |
| download | openembedded-core-a40f27aa7802e8a0bd87a5417e35adbface62d05.tar.gz openembedded-core-a40f27aa7802e8a0bd87a5417e35adbface62d05.tar.bz2 openembedded-core-a40f27aa7802e8a0bd87a5417e35adbface62d05.zip | |
gpg_sign: add local ipk package signing functionality
Implement ipk signing inside the sign_ipk bbclass using the gpg_sign
module and configure signing similar to how rpm does it. sign_ipk uses
gpg_sign's detach_sign because its functionality is identical to package
feed signing.
IPK signing process is a bit different from rpm:
- Signatures are stored outside ipk files; opkg connects to a feed
server and downloads them to verify a package.
- Signatures are of two types (both supported by opkg): binary or
ascii armoured. By default we sign using ascii armoured.
- Public keys are stored on targets to verify ipks using the
opkg-keyrings recipe.
Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib')
| -rw-r--r-- | meta/lib/oe/gpg_sign.py | 38 |
1 files changed, 26 insertions, 12 deletions
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index ada1b2f408..059381d5e3 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py @@ -50,6 +50,7 @@ class LocalSigner(object): bb.error('rpmsign failed: %s' % proc.before.strip()) raise bb.build.FuncFailed("Failed to sign RPM packages") + def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True): """Create a detached signature of a file""" import subprocess @@ -58,22 +59,35 @@ class LocalSigner(object): raise Exception("You should use either passphrase_file of passphrase, not both") cmd = [self.gpg_bin, '--detach-sign', '--batch', '--no-tty', '--yes', - '-u', keyid] - if passphrase_file: - cmd += ['--passphrase-file', passphrase_file] - else: - cmd += ['--passphrase-fd', '0'] + '--passphrase-fd', '0', '-u', keyid] + if self.gpg_path: cmd += ['--homedir', self.gpg_path] if armor: cmd += ['--armor'] - cmd.append(input_file) - job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, - stderr=subprocess.PIPE) - _, stderr = job.communicate(passphrase) - if job.returncode: - raise bb.build.FuncFailed("Failed to create signature for '%s': %s" % - (input_file, stderr)) + + cmd += [input_file] + + try: + if passphrase_file: + with open(passphrase_file) as fobj: + passphrase = fobj.readline(); + + job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stderr=subprocess.PIPE) + (_, stderr) = job.communicate(passphrase) + + if job.returncode: + raise bb.build.FuncFailed("GPG exited with code %d: %s" % + (job.returncode, stderr)) + + except IOError as e: + bb.error("IO error (%s): %s" % (e.errno, e.strerror)) + raise Exception("Failed to sign '%s'" % input_file) + + except OSError as e: + bb.error("OS error (%s): %s" % (e.errno, e.strerror)) + raise Exception("Failed to sign '%s" % input_file) + def verify(self, sig_file): """Verify signature""" |