mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-16 20:56:58 +00:00
sign_rpm_ext: support RPM signing
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
@@ -1,16 +1,55 @@
|
||||
#RPM_GPG_NAME ?= "SecureCore Sample RPM Signing Key"
|
||||
#RPM_GPG_PASSPHRASE ?= "password"
|
||||
# RPM_GPG_NAME and RPM_GPG_PASSPHRASE must be configured in your build
|
||||
# environment. By default, the values for the sample keys are configured
|
||||
# in meta-signing-key.
|
||||
RPM_GPG_NAME ?= "SecureCore"
|
||||
RPM_GPG_PASSPHRASE ?= "SecureCore"
|
||||
|
||||
RPM_GPG_BACKEND ?= "local"
|
||||
# SHA-256 is used for the file checksum digest.
|
||||
RPM_FILE_CHECKSUM_DIGEST ?= "8"
|
||||
|
||||
RPM_SIGN_FILES = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}"
|
||||
# By default, the values below are applicable for the sample keys provided
|
||||
# by meta-signing-key.
|
||||
RPM_FSK_PATH ?= "${@uks_ima_keys_dir(d) + 'x509_ima.key'}"
|
||||
RPM_FSK_PASSWORD ?= "password"
|
||||
|
||||
inherit sign_rpm user-key-store
|
||||
|
||||
#python () {
|
||||
# if not d.getVar('GPG_PATH', True):
|
||||
# d.setVar('GPG_PATH', d.getVar('DEPLOY_DIR_IMAGE', True) + '/.gnupg')
|
||||
#}
|
||||
python () {
|
||||
if d.getVar('RPM_SIGN_FILES', True) != '1':
|
||||
return
|
||||
|
||||
gpg_path = d.getVar('GPG_PATH', True)
|
||||
if not gpg_path:
|
||||
gpg_path = d.getVar('DEPLOY_DIR_IMAGE', True) + '/.gnupg'
|
||||
|
||||
if not os.path.exists(gpg_path):
|
||||
cmd = ' '.join(('mkdir -p', gpg_path))
|
||||
status, output = oe.utils.getstatusoutput(cmd)
|
||||
if status:
|
||||
raise bb.build.FuncFailed('Failed to create gpg keying %s: %s' %
|
||||
(gpg_path, output))
|
||||
|
||||
d.setVar('GPG_PATH', gpg_path)
|
||||
|
||||
gpg_bin = d.getVar('GPG_BIN', True) or \
|
||||
bb.utils.which(os.getenv('PATH'), 'gpg')
|
||||
gpg_keyid = d.getVar('RPM_GPG_NAME', True)
|
||||
|
||||
# Check RPM_GPG_NAME and RPM_GPG_PASSPHRASE
|
||||
cmd = "%s --homedir %s --list-keys -a %s" % \
|
||||
(gpg_bin, gpg_path, gpg_keyid)
|
||||
status, output = oe.utils.getstatusoutput(cmd)
|
||||
if not status:
|
||||
return
|
||||
|
||||
# Import RPM_GPG_NAME if not found
|
||||
gpg_key = uks_rpm_keys_dir(d) + 'RPM-GPG-PRIVKEY-' + gpg_keyid
|
||||
cmd = '%s --homedir %s --import %s' % \
|
||||
(gpg_bin, gpg_path, gpg_key)
|
||||
status, output = oe.utils.getstatusoutput(cmd)
|
||||
if status:
|
||||
raise bb.build.FuncFailed('Failed to import gpg key (%s): %s' %
|
||||
(gpg_key, output))
|
||||
}
|
||||
|
||||
@@ -11,6 +11,7 @@ UEFI_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0",
|
||||
MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
|
||||
IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
|
||||
SYSTEM_TRUSTED = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
|
||||
RPM = '1'
|
||||
|
||||
def vprint(str, d):
|
||||
if d.getVar('USER_KEY_SHOW_VERBOSE', True) == '1':
|
||||
@@ -32,6 +33,7 @@ def uks_rpm_keys_dir(d):
|
||||
if uks_signing_model(d) != 'sample':
|
||||
return ''
|
||||
|
||||
set_keys_dir('RPM', d)
|
||||
return d.getVar('RPM_KEYS_DIR', True) + '/'
|
||||
|
||||
def sign_efi_image(key, cert, input, output, d):
|
||||
@@ -165,6 +167,19 @@ def check_system_trusted_keys(d):
|
||||
vprint("%s.crt is unavailable" % _, d)
|
||||
return False
|
||||
|
||||
def check_rpm_keys(d):
|
||||
dir = uks_rpm_keys_dir(d)
|
||||
|
||||
_ = dir + 'RPM-GPG-PRIVKEY-' + d.getVar('RPM_GPG_NAME', True)
|
||||
if not os.path.exists(_):
|
||||
vprint("%s is unavailable" % _, d)
|
||||
return False
|
||||
|
||||
_ = dir + 'RPM-GPG-KEY-' + d.getVar('RPM_GPG_NAME', True)
|
||||
if not os.path.exists(_):
|
||||
vprint("%s is unavailable" % _, d)
|
||||
return False
|
||||
|
||||
# Convert the PEM to DER format.
|
||||
def pem2der(input, output, d):
|
||||
import bb.process
|
||||
@@ -338,6 +353,8 @@ def sanity_check_user_keys(name, may_exit, d):
|
||||
_ = check_ima_user_keys(d)
|
||||
elif name == 'SYSTEM_TRUSTED':
|
||||
_ = check_system_trusted_keys(d)
|
||||
elif name == 'RPM':
|
||||
_ = check_rpm_keys(d)
|
||||
else:
|
||||
_ = False
|
||||
may_exit = True
|
||||
@@ -359,8 +376,7 @@ def set_keys_dir(name, d):
|
||||
d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
|
||||
|
||||
python check_deploy_keys() {
|
||||
# XXX: the user key for rpm signing is necessary but not required.
|
||||
for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED'):
|
||||
for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'RPM'):
|
||||
if d.getVar(_, True) != "1":
|
||||
continue
|
||||
|
||||
|
||||
@@ -0,0 +1,18 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQENBFmNb48BCADfgM0IVukaMp5qK607ZpfaOx89JONJaP0BfACLxRRsQIJoT/2E
|
||||
Ba0TjYO5IqSuDNXLsfQoHLfLqY0jPkPUsv8PU5+94KwonEQHfE0wbUUXYE/WRGaS
|
||||
tHx1lsM7IjI1Lv39+k/7gE+DT1s0RctK/uhwlFzVsiszb2+iVRpCZjDcfNc3kE9u
|
||||
PkC2/rKfk9IHJ8CsyPMLmgiZYSQ64q2G6ysQNLsRReKgC42aEYrPMkD2tlqmJ1oV
|
||||
vkD3uf/mFrHNMMKT2MArGLai5T5ZF5KD6zcnX6jFmO8DvqGThZDSNMFxdo3y+dLY
|
||||
bubjM09FyUUaZKmaEJXk16RVmhRhu+zj+obXABEBAAG0OVNlY3VyZUNvcmUgKFJQ
|
||||
TSBTaWduaW5nIENlcnRpZmljYXRlKSA8U2VjdXJlQ29yZUBmb28uY29tPokBOAQT
|
||||
AQIAIgUCWY1vjwIbLwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ/WXQJg3d
|
||||
uIpC8ggAhiX9mcr9/phJckcUoQNZJuhxxn+IOU533QYapWh1ulikr4Hqa8Q0bsDr
|
||||
szXJoPd+u18oPE8TE9Q/pUvcRCpVPtP2lbc91cyWXbchbMATFvmt/wcCFyKTTczo
|
||||
vLaCsZt2EVfDuEDHeev+3ABkl7xYD6OxlueQeGZM75XyxDovPEPVuhiwhBIZASK2
|
||||
RS2nVXQm3SlyabkRAmzCPxS9Z86qYiF37+hjmx6CtGpTMCy2BCeQyAQiB1nyx/Ix
|
||||
VmvRB0PSE/fEetYMLrNBzKOG0GjbgsorYkOrzHzIBCKhOnTsOQJLjE9cuTWG38Gx
|
||||
ogkVTwDo5Lc9K4wBWnX1jNhE56XMxQ==
|
||||
=AA9G
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
@@ -0,0 +1,32 @@
|
||||
-----BEGIN PGP PRIVATE KEY BLOCK-----
|
||||
|
||||
lQPGBFmNb48BCADfgM0IVukaMp5qK607ZpfaOx89JONJaP0BfACLxRRsQIJoT/2E
|
||||
Ba0TjYO5IqSuDNXLsfQoHLfLqY0jPkPUsv8PU5+94KwonEQHfE0wbUUXYE/WRGaS
|
||||
tHx1lsM7IjI1Lv39+k/7gE+DT1s0RctK/uhwlFzVsiszb2+iVRpCZjDcfNc3kE9u
|
||||
PkC2/rKfk9IHJ8CsyPMLmgiZYSQ64q2G6ysQNLsRReKgC42aEYrPMkD2tlqmJ1oV
|
||||
vkD3uf/mFrHNMMKT2MArGLai5T5ZF5KD6zcnX6jFmO8DvqGThZDSNMFxdo3y+dLY
|
||||
bubjM09FyUUaZKmaEJXk16RVmhRhu+zj+obXABEBAAH+BwMCfLq1JDxWFFxguoqa
|
||||
QVOe9j1oQORI+UK5T4/PyLQAa0m1L4gCApy2bEbS0fAqoF3rJ3k1+h6C5hHCdVdL
|
||||
UNFTmMHGZw1jXpv2iQiShdegX7fgguzy8AFW/4SxPRS8acT9S7V8AUfje1goOs7u
|
||||
QpCNn+lKdxyjaRvRIHUmldQRt+NYgBgcTibJWyISOA0bcwgDpiud3yhLJ2gAUAEO
|
||||
wdE37GnvYa2hC1yzIjV0IPQfKq3UDSrFwiOUAOsGCk8a59S+Me8lcUrA7XO9aceE
|
||||
4uT9fnsM0E8/O+P+oW4ZaiPo5k+MWMy80LF43fR6oPYAojPt9cilBrpLju8ip8Z0
|
||||
D2aeGqFfCFnBynU2QFSjAk8DPRcBwZECgNmhuVUPxxWRYPYo0hJF/X3Vmz6B5EEX
|
||||
x9Iv4s6oJX7lWGXztKl2rKKLDeHI3JvEfvRA4cwJwR3t7puSp74oNzo+gpA5vMOb
|
||||
LNWRZfSH5Gl71EFzQ78jNjN931O0FjfyPM44V6BiJFs5zg90K6/umfLCGWEGfbwu
|
||||
7KwmqOJ3lFf+WwYqD0VT3fbN/dpuBWadok7FLahC61laJ2Kl2bejVpgn7nTodEPZ
|
||||
kQNwsDtVZCVx5eX76SKSRd2gAAcTk2fhdtkn1pTMl5g/Eb+GMNc1bQaLoYVM0JDZ
|
||||
mFnWK1gfzvoxESunCOf5VAEESeXjz1L2ABLmkkThteKYn5vGz0gFWI5PUaAJi5Qz
|
||||
A82/tbBE//rmj/4Igv/nAdvcKZm+/T6C+JBN4H1g1TkRnGgIjs9I9fYnY1D1MLxu
|
||||
IMGGUBD523av1B8doHcf+67IGUlC9xiwAehWm31EUzuk0RipaiCm5aSr7qvh0SqL
|
||||
a9tnRTItUO/uelyoSFT/X9X4UxCcz9U32yzB+4M6a6P6yoO1M6x49SchsVTohejP
|
||||
tdZI/wn0JOPGtDlTZWN1cmVDb3JlIChSUE0gU2lnbmluZyBDZXJ0aWZpY2F0ZSkg
|
||||
PFNlY3VyZUNvcmVAZm9vLmNvbT6JATgEEwECACIFAlmNb48CGy8GCwkIBwMCBhUI
|
||||
AgkKCwQWAgMBAh4BAheAAAoJEP1l0CYN3biKQvIIAIYl/ZnK/f6YSXJHFKEDWSbo
|
||||
ccZ/iDlOd90GGqVodbpYpK+B6mvENG7A67M1yaD3frtfKDxPExPUP6VL3EQqVT7T
|
||||
9pW3PdXMll23IWzAExb5rf8HAhcik03M6Ly2grGbdhFXw7hAx3nr/twAZJe8WA+j
|
||||
sZbnkHhmTO+V8sQ6LzxD1boYsIQSGQEitkUtp1V0Jt0pcmm5EQJswj8UvWfOqmIh
|
||||
d+/oY5segrRqUzAstgQnkMgEIgdZ8sfyMVZr0QdD0hP3xHrWDC6zQcyjhtBo24LK
|
||||
K2JDq8x8yAQioTp07DkCS4xPXLk1ht/BsaIJFU8A6OS3PSuMAVp19YzYROelzMU=
|
||||
=G84i
|
||||
-----END PGP PRIVATE KEY BLOCK-----
|
||||
Reference in New Issue
Block a user