diff options
-rw-r--r-- | meta/classes/sign_package_feed.bbclass | 7 | ||||
-rw-r--r-- | meta/classes/sign_rpm.bbclass | 9 | ||||
-rw-r--r-- | meta/recipes-core/meta/signing-keys.bb | 45 | ||||
-rw-r--r-- | meta/recipes-core/os-release/os-release.bb | 1 |
4 files changed, 59 insertions, 3 deletions
diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass index 8877d905f7..4263810028 100644 --- a/meta/classes/sign_package_feed.bbclass +++ b/meta/classes/sign_package_feed.bbclass @@ -21,4 +21,11 @@ python () { for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'): if not d.getVar(var, True): raise_sanity_error("You need to define %s in the config" % var, d) + + # Set expected location of the public key + d.setVar('PACKAGE_FEED_GPG_PUBKEY', + os.path.join(d.getVar('STAGING_ETCDIR_NATIVE'), + 'PACKAGE-FEED-GPG-PUBKEY')) } + +do_package_index[depends] += "signing-keys:do_export_public_keys" diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass index 4da17633a7..f0c3dc9be3 100644 --- a/meta/classes/sign_rpm.bbclass +++ b/meta/classes/sign_rpm.bbclass @@ -5,9 +5,6 @@ # Path to a file containing the passphrase of the signing key. # RPM_GPG_NAME # Name of the key to sign with. May be key id or key name. -# RPM_GPG_PUBKEY -# Path to a file containing the public key (in "armor" format) -# corresponding the signing key. # GPG_BIN # Optional variable for specifying the gpg binary/wrapper to use for # signing. @@ -24,6 +21,10 @@ python () { for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE_FILE'): if not d.getVar(var, True): raise_sanity_error("You need to define %s in the config" % var, d) + + # Set the expected location of the public key + d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_ETCDIR_NATIVE'), + 'RPM-GPG-PUBKEY')) } @@ -68,3 +69,5 @@ python sign_rpm () { if rpmsign_wrapper(d, rpms, rpm_gpg_passphrase, rpm_gpg_name) != 0: raise bb.build.FuncFailed("RPM signing failed") } + +do_package_index[depends] += "signing-keys:do_export_public_keys" diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb new file mode 100644 index 0000000000..cc401f3b6c --- /dev/null +++ b/meta/recipes-core/meta/signing-keys.bb @@ -0,0 +1,45 @@ +# Copyright (C) 2015 Intel Corporation +# Released under the MIT license (see COPYING.MIT for the terms) + +DESCRIPTION = "Make public keys of the signing keys available" +LICENSE = "MIT" +PACKAGES = "" + +do_fetch[noexec] = "1" +do_unpack[noexec] = "1" +do_patch[noexec] = "1" +do_configure[noexec] = "1" +do_compile[noexec] = "1" +do_install[noexec] = "1" +do_package[noexec] = "1" +do_packagedata[noexec] = "1" +do_package_write_ipk[noexec] = "1" +do_package_write_rpm[noexec] = "1" +do_package_write_deb[noexec] = "1" +do_populate_sysroot[noexec] = "1" + +EXCLUDE_FROM_WORLD = "1" + +def export_gpg_pubkey(d, keyid, path): + import bb + gpg_bin = d.getVar('GPG_BIN', True) or \ + bb.utils.which(os.getenv('PATH'), "gpg") + cmd = '%s --batch --yes --export --armor -o %s %s' % \ + (gpg_bin, path, keyid) + status, output = oe.utils.getstatusoutput(cmd) + if status: + raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' % + (keyid, output)) + +python do_export_public_keys () { + if d.getVar("RPM_SIGN_PACKAGES", True): + # Export public key of the rpm signing key + export_gpg_pubkey(d, d.getVar("RPM_GPG_NAME", True), + d.getVar('RPM_GPG_PUBKEY', True)) + + if d.getVar('PACKAGE_FEED_SIGN', True) == '1': + # Export public key of the feed signing key + export_gpg_pubkey(d, d.getVar("PACKAGE_FEED_GPG_NAME", True), + d.getVar('PACKAGE_FEED_GPG_PUBKEY', True)) +} +addtask do_export_public_keys before do_build diff --git a/meta/recipes-core/os-release/os-release.bb b/meta/recipes-core/os-release/os-release.bb index db827602f3..c690b82b2e 100644 --- a/meta/recipes-core/os-release/os-release.bb +++ b/meta/recipes-core/os-release/os-release.bb @@ -37,6 +37,7 @@ python do_compile () { shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version)) } do_compile[vardeps] += "${OS_RELEASE_FIELDS}" +do_compile[depends] += "signing-keys:do_export_public_keys" do_install () { install -d ${D}${sysconfdir} |