summaryrefslogtreecommitdiff
path: root/meta/classes/sign_rpm.bbclass
AgeCommit message (Collapse)AuthorFiles
2016-03-23gpg_sign.py: get rid of pexpectRobert Yang1
The python-expect is not installed on the distro such as Ubuntu by default, and we can get rid of it. Use RPM_GPG_PASSPHRASE to replace of RPM_GPG_PASSPHRASE_FILE which is more straightforward. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-26signing-keys: Make signing keys the only publisher of keysRandy Witt1
Previously the keys were put into the os-release package. The package indexing code was also deploying the keys rather than only using the keys. This change makes signing-keys.bb the only publisher of the keys and also uses standard tasks that already have sstate. Signed-off-by: Randy Witt <randy.e.witt@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-18sign_rpm.bbclass: do not store key details in signer instanceMarkus Lehtonen1
Refactor the LocalSigner class. Do not store keyid or passphrase file in the signer object as they are only needed for some of the methods. For example, the newly added verify() method does not need any key parameters and export_pubkey only uses keyid. Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-26meta/lib: new module for handling GPG signingMarkus Lehtonen1
Add a new Python module (oe.gpg_sign) for handling GPG signing operations, i.e. currently package and package feed signing. The purpose is to be able to more easily support various signing backends and to be able to centralise signing functionality into one place (e.g. package signing and sstate signing). Currently, only local signing with gpg is implemented. [YOCTO #8755] Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-01-19sign_rpm.bbclass: fix task dependenciesMarkus Lehtonen1
do_rootfs task needs to depend on signing-keys:do_export_public_keys. The rpm signing public key needs to be present in order to prevent a crash because it is imported into the rootfs rpmdb before rootfs creation starts. Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2015-12-14populate_sdk_ext/sign_rpm/sign_package_feed: Add missing getVar parameterRichard Purdie1
We should always pass a parameter to getVar, add missing default value. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-10-24package signing: automatically export public keysMarkus Lehtonen1
Automatically export public key(s) of the signing key(s) from the gpg keyring. Adds a new simple recipe that does the actual task of exporting the keys. This patch makes the RPM_GPG_PUBKEY and PACKAGE_FEED_GPG PUBKEY settings obsolete. Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
2015-10-24sign_rpm.bbclass: make RPM_GPG_NAME a mandatory settingMarkus Lehtonen1
Simplifies the configuration. Makes way for the removal of RPM_GPG_PUBKEY setting and possible future implementation of a separate signing server support. Also, moves the configuration sanity checking into a separate function. Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
2015-10-24sign_rpm.bbclass: be more verbose in case of errorMarkus Lehtonen1
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
2015-10-24sign_rpm.bbclass: introduce GPG_PATH variableMarkus Lehtonen1
This bitbake configuration variable can be used to define the gpg home directory. Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
2015-09-01package_rpm: support signing of rpm packagesMarkus Lehtonen1
This patch adds a new bbclass for generating rpm packages that are signed with a user defined key. The packages are signed as part of the "package_write_rpm" task. In order to enable the feature you need to 1. 'INHERIT += " sign_rpm"' in bitbake config (e.g. local or distro) 2. Create a file that contains the passphrase to your gpg secret key 3. 'RPM_GPG_PASSPHRASE_FILE = "<path_to_file>" in bitbake config, pointing to the passphrase file created in 2. 4. Define GPG key name to use by either defining 'RPM_GPG_NAME = "<key_id>" in bitbake config OR by defining %_gpg_name <key_id> in your ~/.oerpmmacros file 5. 'RPM_GPG_PUBKEY = "<path_to_pubkey>" in bitbake config pointing to the public key (in "armor" format) The user may optionally define "GPG_BIN" variable in the bitbake configuration in order to specify a specific gpg binary/wrapper to use. The sign_rpm.bbclass implements a simple scenario of locally signing the packages. It could be replaced by a more advanced class that would utilize a separate signing server for signing the packages, for example. [YOCTO #8134] Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>