sign_rpm_ext: support RPM signing

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
Lans Zhang
2017-08-17 11:22:49 +08:00
parent d5a4de8f09
commit 464433a169
4 changed files with 113 additions and 8 deletions
+45 -6
View File
@@ -1,16 +1,55 @@
#RPM_GPG_NAME ?= "SecureCore Sample RPM Signing Key"
#RPM_GPG_PASSPHRASE ?= "password"
# RPM_GPG_NAME and RPM_GPG_PASSPHRASE must be configured in your build
# environment. By default, the values for the sample keys are configured
# in meta-signing-key.
RPM_GPG_NAME ?= "SecureCore"
RPM_GPG_PASSPHRASE ?= "SecureCore"
RPM_GPG_BACKEND ?= "local"
# SHA-256 is used for the file checksum digest.
RPM_FILE_CHECKSUM_DIGEST ?= "8"
RPM_SIGN_FILES = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}"
# By default, the values below are applicable for the sample keys provided
# by meta-signing-key.
RPM_FSK_PATH ?= "${@uks_ima_keys_dir(d) + 'x509_ima.key'}"
RPM_FSK_PASSWORD ?= "password"
inherit sign_rpm user-key-store
#python () {
# if not d.getVar('GPG_PATH', True):
# d.setVar('GPG_PATH', d.getVar('DEPLOY_DIR_IMAGE', True) + '/.gnupg')
#}
python () {
if d.getVar('RPM_SIGN_FILES', True) != '1':
return
gpg_path = d.getVar('GPG_PATH', True)
if not gpg_path:
gpg_path = d.getVar('DEPLOY_DIR_IMAGE', True) + '/.gnupg'
if not os.path.exists(gpg_path):
cmd = ' '.join(('mkdir -p', gpg_path))
status, output = oe.utils.getstatusoutput(cmd)
if status:
raise bb.build.FuncFailed('Failed to create gpg keying %s: %s' %
(gpg_path, output))
d.setVar('GPG_PATH', gpg_path)
gpg_bin = d.getVar('GPG_BIN', True) or \
bb.utils.which(os.getenv('PATH'), 'gpg')
gpg_keyid = d.getVar('RPM_GPG_NAME', True)
# Check RPM_GPG_NAME and RPM_GPG_PASSPHRASE
cmd = "%s --homedir %s --list-keys -a %s" % \
(gpg_bin, gpg_path, gpg_keyid)
status, output = oe.utils.getstatusoutput(cmd)
if not status:
return
# Import RPM_GPG_NAME if not found
gpg_key = uks_rpm_keys_dir(d) + 'RPM-GPG-PRIVKEY-' + gpg_keyid
cmd = '%s --homedir %s --import %s' % \
(gpg_bin, gpg_path, gpg_key)
status, output = oe.utils.getstatusoutput(cmd)
if status:
raise bb.build.FuncFailed('Failed to import gpg key (%s): %s' %
(gpg_key, output))
}
@@ -11,6 +11,7 @@ UEFI_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0",
MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
SYSTEM_TRUSTED = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
RPM = '1'
def vprint(str, d):
if d.getVar('USER_KEY_SHOW_VERBOSE', True) == '1':
@@ -32,6 +33,7 @@ def uks_rpm_keys_dir(d):
if uks_signing_model(d) != 'sample':
return ''
set_keys_dir('RPM', d)
return d.getVar('RPM_KEYS_DIR', True) + '/'
def sign_efi_image(key, cert, input, output, d):
@@ -165,6 +167,19 @@ def check_system_trusted_keys(d):
vprint("%s.crt is unavailable" % _, d)
return False
def check_rpm_keys(d):
dir = uks_rpm_keys_dir(d)
_ = dir + 'RPM-GPG-PRIVKEY-' + d.getVar('RPM_GPG_NAME', True)
if not os.path.exists(_):
vprint("%s is unavailable" % _, d)
return False
_ = dir + 'RPM-GPG-KEY-' + d.getVar('RPM_GPG_NAME', True)
if not os.path.exists(_):
vprint("%s is unavailable" % _, d)
return False
# Convert the PEM to DER format.
def pem2der(input, output, d):
import bb.process
@@ -338,6 +353,8 @@ def sanity_check_user_keys(name, may_exit, d):
_ = check_ima_user_keys(d)
elif name == 'SYSTEM_TRUSTED':
_ = check_system_trusted_keys(d)
elif name == 'RPM':
_ = check_rpm_keys(d)
else:
_ = False
may_exit = True
@@ -359,8 +376,7 @@ def set_keys_dir(name, d):
d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
python check_deploy_keys() {
# XXX: the user key for rpm signing is necessary but not required.
for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED'):
for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'RPM'):
if d.getVar(_, True) != "1":
continue
@@ -0,0 +1,18 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFmNb48BCADfgM0IVukaMp5qK607ZpfaOx89JONJaP0BfACLxRRsQIJoT/2E
Ba0TjYO5IqSuDNXLsfQoHLfLqY0jPkPUsv8PU5+94KwonEQHfE0wbUUXYE/WRGaS
tHx1lsM7IjI1Lv39+k/7gE+DT1s0RctK/uhwlFzVsiszb2+iVRpCZjDcfNc3kE9u
PkC2/rKfk9IHJ8CsyPMLmgiZYSQ64q2G6ysQNLsRReKgC42aEYrPMkD2tlqmJ1oV
vkD3uf/mFrHNMMKT2MArGLai5T5ZF5KD6zcnX6jFmO8DvqGThZDSNMFxdo3y+dLY
bubjM09FyUUaZKmaEJXk16RVmhRhu+zj+obXABEBAAG0OVNlY3VyZUNvcmUgKFJQ
TSBTaWduaW5nIENlcnRpZmljYXRlKSA8U2VjdXJlQ29yZUBmb28uY29tPokBOAQT
AQIAIgUCWY1vjwIbLwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ/WXQJg3d
uIpC8ggAhiX9mcr9/phJckcUoQNZJuhxxn+IOU533QYapWh1ulikr4Hqa8Q0bsDr
szXJoPd+u18oPE8TE9Q/pUvcRCpVPtP2lbc91cyWXbchbMATFvmt/wcCFyKTTczo
vLaCsZt2EVfDuEDHeev+3ABkl7xYD6OxlueQeGZM75XyxDovPEPVuhiwhBIZASK2
RS2nVXQm3SlyabkRAmzCPxS9Z86qYiF37+hjmx6CtGpTMCy2BCeQyAQiB1nyx/Ix
VmvRB0PSE/fEetYMLrNBzKOG0GjbgsorYkOrzHzIBCKhOnTsOQJLjE9cuTWG38Gx
ogkVTwDo5Lc9K4wBWnX1jNhE56XMxQ==
=AA9G
-----END PGP PUBLIC KEY BLOCK-----
@@ -0,0 +1,32 @@
-----BEGIN PGP PRIVATE KEY BLOCK-----
lQPGBFmNb48BCADfgM0IVukaMp5qK607ZpfaOx89JONJaP0BfACLxRRsQIJoT/2E
Ba0TjYO5IqSuDNXLsfQoHLfLqY0jPkPUsv8PU5+94KwonEQHfE0wbUUXYE/WRGaS
tHx1lsM7IjI1Lv39+k/7gE+DT1s0RctK/uhwlFzVsiszb2+iVRpCZjDcfNc3kE9u
PkC2/rKfk9IHJ8CsyPMLmgiZYSQ64q2G6ysQNLsRReKgC42aEYrPMkD2tlqmJ1oV
vkD3uf/mFrHNMMKT2MArGLai5T5ZF5KD6zcnX6jFmO8DvqGThZDSNMFxdo3y+dLY
bubjM09FyUUaZKmaEJXk16RVmhRhu+zj+obXABEBAAH+BwMCfLq1JDxWFFxguoqa
QVOe9j1oQORI+UK5T4/PyLQAa0m1L4gCApy2bEbS0fAqoF3rJ3k1+h6C5hHCdVdL
UNFTmMHGZw1jXpv2iQiShdegX7fgguzy8AFW/4SxPRS8acT9S7V8AUfje1goOs7u
QpCNn+lKdxyjaRvRIHUmldQRt+NYgBgcTibJWyISOA0bcwgDpiud3yhLJ2gAUAEO
wdE37GnvYa2hC1yzIjV0IPQfKq3UDSrFwiOUAOsGCk8a59S+Me8lcUrA7XO9aceE
4uT9fnsM0E8/O+P+oW4ZaiPo5k+MWMy80LF43fR6oPYAojPt9cilBrpLju8ip8Z0
D2aeGqFfCFnBynU2QFSjAk8DPRcBwZECgNmhuVUPxxWRYPYo0hJF/X3Vmz6B5EEX
x9Iv4s6oJX7lWGXztKl2rKKLDeHI3JvEfvRA4cwJwR3t7puSp74oNzo+gpA5vMOb
LNWRZfSH5Gl71EFzQ78jNjN931O0FjfyPM44V6BiJFs5zg90K6/umfLCGWEGfbwu
7KwmqOJ3lFf+WwYqD0VT3fbN/dpuBWadok7FLahC61laJ2Kl2bejVpgn7nTodEPZ
kQNwsDtVZCVx5eX76SKSRd2gAAcTk2fhdtkn1pTMl5g/Eb+GMNc1bQaLoYVM0JDZ
mFnWK1gfzvoxESunCOf5VAEESeXjz1L2ABLmkkThteKYn5vGz0gFWI5PUaAJi5Qz
A82/tbBE//rmj/4Igv/nAdvcKZm+/T6C+JBN4H1g1TkRnGgIjs9I9fYnY1D1MLxu
IMGGUBD523av1B8doHcf+67IGUlC9xiwAehWm31EUzuk0RipaiCm5aSr7qvh0SqL
a9tnRTItUO/uelyoSFT/X9X4UxCcz9U32yzB+4M6a6P6yoO1M6x49SchsVTohejP
tdZI/wn0JOPGtDlTZWN1cmVDb3JlIChSUE0gU2lnbmluZyBDZXJ0aWZpY2F0ZSkg
PFNlY3VyZUNvcmVAZm9vLmNvbT6JATgEEwECACIFAlmNb48CGy8GCwkIBwMCBhUI
AgkKCwQWAgMBAh4BAheAAAoJEP1l0CYN3biKQvIIAIYl/ZnK/f6YSXJHFKEDWSbo
ccZ/iDlOd90GGqVodbpYpK+B6mvENG7A67M1yaD3frtfKDxPExPUP6VL3EQqVT7T
9pW3PdXMll23IWzAExb5rf8HAhcik03M6Ly2grGbdhFXw7hAx3nr/twAZJe8WA+j
sZbnkHhmTO+V8sQ6LzxD1boYsIQSGQEitkUtp1V0Jt0pcmm5EQJswj8UvWfOqmIh
d+/oY5segrRqUzAstgQnkMgEIgdZ8sfyMVZr0QdD0hP3xHrWDC6zQcyjhtBo24LK
K2JDq8x8yAQioTp07DkCS4xPXLk1ht/BsaIJFU8A6OS3PSuMAVp19YzYROelzMU=
=G84i
-----END PGP PRIVATE KEY BLOCK-----