sign_rpm_ext: Use socket redirection to avoid GPG_PATH length limitation

Currently, an error will be thrown when trying to use a GPG homedir whose path
length exceeds 80 characters. This limitation can be worked around by providing
libassuan socket redirection files for "S.gpg-agent.yocto-native",
"S.gpg-agent.ssh", "S.gpg-agent.browser" and "S.gpg-agent.extra"
sockets. The redirection files will point to the real sockets in the /tmp
directory. The sockets will be automatically cleaned up by the gpg agent.

References:
[1] https://dev.gnupg.org/T1752
[2] https://gnupg.org/documentation/manuals/assuan.pdf

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Ovidiu Panait
2020-02-29 20:49:49 +02:00
committed by Jia Zhang
parent 8853e39b1e
commit b1dee36ce6
2 changed files with 11 additions and 5 deletions


@@ -34,9 +34,4 @@ python () {
if not gpg_path:
gpg_path = d.getVar('TMPDIR', True) + '/.gnupg'
d.setVar('GPG_PATH', gpg_path)
if len(gpg_path) > 80:
msg = "The default GPG_PATH {} of {} characters is too long. Due to GPG homedir path length limit, please set GPG_PATH shorter than 80 characters.".format(gpg_path, len(gpg_path))
raise bb.parse.SkipRecipe(msg)
}


@@ -481,6 +481,15 @@ def check_gpg_key(basekeyname, keydirfunc, d):
f.write('allow-loopback-pinentry\n')
f.write('auto-expand-secmem\n')
f.close()
bn = d.getVar('BUILDNAME', True)
socklist = ["yocto-native", "browser", "ssh", "extra"]
for sock in socklist:
f = open(os.path.join(gpg_path, 'S.gpg-agent.' + sock), 'w')
f.write('%Assuan%\n')
f.write('socket=/tmp/S.gpg-agent.%s-%s\n' % (sock, bn))
f.close()
gpg_bin = d.getVar('GPG_BIN', True) or \
bb.utils.which(os.getenv('PATH'), 'gpg')
gpg_keyid = d.getVar(basekeyname + '_GPG_NAME', True)
@@ -500,6 +509,8 @@ def check_gpg_key(basekeyname, keydirfunc, d):
if status:
bb.fatal('Failed to import gpg key (%s): %s' % (gpg_key, output))
check_gpg_key[vardepsexclude] = "BUILDNAME"
python check_boot_public_key () {
check_gpg_key('BOOT', uks_boot_keys_dir, d)
}
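Review bot: In the first hunk of this file, the redirect target `'socket=/tmp/S.gpg-agent.%s-%s\n' % (sock, bn)` places the agent sockets directly in world-writable /tmp under a name built only from the socket type and BUILDNAME, so on a shared build host the path is predictable to other local users, and two builds with the same BUILDNAME would share it. This agent is configured with `allow-loopback-pinentry` and serves the imported signing key, so the sockets are better kept in a directory owned by the build user, for example one created with `os.makedirs(sockdir, mode=0o700)` and checked with `os.stat(sockdir).st_uid == os.getuid()` before its short path is written into the redirect file. Whether gpg validates the ownership of a redirected socket is not visible from this hunk, so that check should not be assumed. The redirect files are also written with bare `open()`/`close()`; `with open(...) as f:` would close them if a write fails. check_gpg_key starts before the hunk and continues after it.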