mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-31 00:39:46 +00:00
Code Issues Projects Releases Wiki Activity

signing-keys: Make signing keys the only publisher of keys

Browse Source 
Previously the keys were put into the os-release package. The package
indexing code was also deploying the keys rather than only using the keys.

This change makes signing-keys.bb the only publisher of the keys and also
uses standard tasks that already have sstate.

(From OE-Core rev: 1e38068ac38dfd067655dfd41464e28439179306)

Signed-off-by: Randy Witt <randy.e.witt@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Randy Witt
2016-02-19 08:45:25 -08:00
committed by Richard Purdie
parent 64ab17b707
commit 7bb9e8ddbf
5 changed files with 51 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/classes/sign_package_feed.bbclass
+2 -7
View File
@@ -27,12 +27,7 @@ python () {
for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'): for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'):
if not d.getVar(var, True): if not d.getVar(var, True):
raise_sanity_error("You need to define %s in the config" % var, d) raise_sanity_error("You need to define %s in the config" % var, d)
# Set expected location of the public key
d.setVar('PACKAGE_FEED_GPG_PUBKEY',
os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False),
'PACKAGE-FEED-GPG-PUBKEY'))
} }
do_package_index[depends] += "signing-keys:do_export_public_keys" do_package_index[depends] += "signing-keys:do_deploy"
do_rootfs[depends] += "signing-keys:do_export_public_keys" do_rootfs[depends] += "signing-keys:do_populate_sysroot"
meta/classes/sign_rpm.bbclass
+7 -4
View File
@@ -28,8 +28,11 @@ python () {
raise_sanity_error("You need to define %s in the config" % var, d) raise_sanity_error("You need to define %s in the config" % var, d)
# Set the expected location of the public key # Set the expected location of the public key
d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_ETCDIR_NATIVE', False), d.setVar('RPM_GPG_PUBKEY', os.path.join(d.getVar('STAGING_DIR_TARGET', False),
'RPM-GPG-PUBKEY')) d.getVar('sysconfdir', False),
'pki',
'rpm-gpg',
'RPM-GPG-KEY-${DISTRO_VERSION}'))
} }
python sign_rpm () { python sign_rpm () {
@@ -44,5 +47,5 @@ python sign_rpm () {
d.getVar('RPM_GPG_PASSPHRASE_FILE', True)) d.getVar('RPM_GPG_PASSPHRASE_FILE', True))
} }
do_package_index[depends] += "signing-keys:do_export_public_keys" do_package_index[depends] += "signing-keys:do_deploy"
do_rootfs[depends] += "signing-keys:do_export_public_keys" do_rootfs[depends] += "signing-keys:do_populate_sysroot"
meta/lib/oe/package_manager.py
-10
View File
@@ -144,16 +144,6 @@ class RpmIndexer(Indexer):
signer.detach_sign(repomd, signer.detach_sign(repomd,
self.d.getVar('PACKAGE_FEED_GPG_NAME', True), self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)) self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True))
# Copy pubkey(s) to repo
distro_version = self.d.getVar('DISTRO_VERSION', True) or "oe.0"
if self.d.getVar('RPM_SIGN_PACKAGES', True) == '1':
shutil.copy2(self.d.getVar('RPM_GPG_PUBKEY', True),
os.path.join(self.deploy_dir,
'RPM-GPG-KEY-%s' % distro_version))
if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
shutil.copy2(self.d.getVar('PACKAGE_FEED_GPG_PUBKEY', True),
os.path.join(self.deploy_dir,
'REPODATA-GPG-KEY-%s' % distro_version))
class OpkgIndexer(Indexer): class OpkgIndexer(Indexer):
meta/recipes-core/meta/signing-keys.bb
+42 -17
View File
@@ -3,37 +3,62 @@
DESCRIPTION = "Make public keys of the signing keys available" DESCRIPTION = "Make public keys of the signing keys available"
LICENSE = "MIT" LICENSE = "MIT"
PACKAGES = "" LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
do_fetch[noexec] = "1"
do_unpack[noexec] = "1" inherit allarch deploy
do_patch[noexec] = "1"
do_configure[noexec] = "1"
do_compile[noexec] = "1"
do_install[noexec] = "1"
do_package[noexec] = "1"
do_packagedata[noexec] = "1"
do_package_write_ipk[noexec] = "1"
do_package_write_rpm[noexec] = "1"
do_package_write_deb[noexec] = "1"
do_populate_sysroot[noexec] = "1"
EXCLUDE_FROM_WORLD = "1" EXCLUDE_FROM_WORLD = "1"
INHIBIT_DEFAULT_DEPS = "1"
PACKAGES =+ "${PN}-rpm ${PN}-packagefeed"
python do_export_public_keys () { FILES_${PN}-rpm = "${sysconfdir}/pki/rpm-gpg"
FILES_${PN}-packagefeed = "${sysconfdir}/pki/packagefeed-gpg"
python do_get_public_keys () {
from oe.gpg_sign import get_signer from oe.gpg_sign import get_signer
if d.getVar("RPM_SIGN_PACKAGES", True): if d.getVar("RPM_SIGN_PACKAGES", True):
# Export public key of the rpm signing key # Export public key of the rpm signing key
signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True)) signer = get_signer(d, d.getVar('RPM_GPG_BACKEND', True))
signer.export_pubkey(d.getVar('RPM_GPG_PUBKEY', True), signer.export_pubkey(os.path.join(d.expand('${B}'), 'rpm-key'),
d.getVar('RPM_GPG_NAME', True)) d.getVar('RPM_GPG_NAME', True))
if d.getVar('PACKAGE_FEED_SIGN', True) == '1': if d.getVar('PACKAGE_FEED_SIGN', True) == '1':
# Export public key of the feed signing key # Export public key of the feed signing key
signer = get_signer(d, d.getVar('PACKAGE_FEED_GPG_BACKEND', True)) signer = get_signer(d, d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
signer.export_pubkey(d.getVar('PACKAGE_FEED_GPG_PUBKEY', True), signer.export_pubkey(os.path.join(d.expand('${B}'), 'pf-key'),
d.getVar('PACKAGE_FEED_GPG_NAME', True)) d.getVar('PACKAGE_FEED_GPG_NAME', True))
} }
addtask do_export_public_keys before do_build do_get_public_keys[cleandirs] = "${B}"
addtask get_public_keys before do_install
do_install () {
if [ -f "${B}/rpm-key" ]; then
install -D -m 0644 "${B}/rpm-key" "${D}${sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-${DISTRO_VERSION}"
fi
if [ -f "${B}/pf-key" ]; then
install -D -m 0644 "${B}/pf-key" "${D}${sysconfdir}/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-${DISTRO_VERSION}"
fi
}
sysroot_stage_all_append () {
sysroot_stage_dir ${D}${sysconfdir}/pki ${SYSROOT_DESTDIR}${sysconfdir}/pki
}
do_deploy () {
if [ -f "${B}/rpm-key" ]; then
install -D -m 0644 "${B}/rpm-key" "${DEPLOYDIR}/RPM-GPG-KEY-${DISTRO_VERSION}"
fi
if [ -f "${B}/pf-key" ]; then
install -D -m 0644 "${B}/pf-key" "${DEPLOYDIR}/PACKAGEFEED-GPG-KEY-${DISTRO_VERSION}"
fi
}
do_deploy[sstate-outputdirs] = "${DEPLOY_DIR_RPM}"
# cleandirs should possibly be in deploy.bbclass but we need it
do_deploy[cleandirs] = "${DEPLOYDIR}"
# clear stamp-extra-info since MACHINE is normally put there by deploy.bbclass
do_deploy[stamp-extra-info] = ""
addtask deploy after do_get_public_keys
meta/recipes-core/os-release/os-release.bb
-11
View File
@@ -30,21 +30,10 @@ python do_compile () {
value = d.getVar(field, True) value = d.getVar(field, True)
if value: if value:
f.write('{0}="{1}"\n'.format(field, value)) f.write('{0}="{1}"\n'.format(field, value))
if d.getVar('RPM_SIGN_PACKAGES', True) == '1':
rpm_gpg_pubkey = d.getVar('RPM_GPG_PUBKEY', True)
bb.utils.mkdirhier('${B}/rpm-gpg')
distro_version = d.getVar('DISTRO_VERSION', True) or "oe.0"
shutil.copy2(rpm_gpg_pubkey, d.expand('${B}/rpm-gpg/RPM-GPG-KEY-%s' % distro_version))
} }
do_compile[vardeps] += "${OS_RELEASE_FIELDS}" do_compile[vardeps] += "${OS_RELEASE_FIELDS}"
do_compile[depends] += "signing-keys:do_export_public_keys"
do_install () { do_install () {
install -d ${D}${sysconfdir} install -d ${D}${sysconfdir}
install -m 0644 os-release ${D}${sysconfdir}/ install -m 0644 os-release ${D}${sysconfdir}/
if [ -d "rpm-gpg" ]; then
install -d "${D}${sysconfdir}/pki"
cp -r "rpm-gpg" "${D}${sysconfdir}/pki/"
fi
} }