Patrick Williamsc124f4f2015-09-15 14:41:29 -05001# Class for generating signed RPM packages.
2#
3# Configuration variables used by this class:
Patrick Williamsd8c66bc2016-06-20 12:57:21 -05004# RPM_GPG_PASSPHRASE
5# The passphrase of the signing key.
Patrick Williamsc124f4f2015-09-15 14:41:29 -05006# RPM_GPG_NAME
Patrick Williamsf1e5d692016-03-30 15:21:19 -05007# Name of the key to sign with. May be key id or key name.
Patrick Williamsd8c66bc2016-06-20 12:57:21 -05008# RPM_GPG_BACKEND
9# Optional variable for specifying the backend to use for signing.
10# Currently the only available option is 'local', i.e. local signing
11# on the build host.
Brad Bishopd7bf8c12018-02-25 22:55:05 -050012# RPM_FILE_CHECKSUM_DIGEST
13# Optional variable for specifying the algorithm for generating file
14# checksum digest.
15# RPM_FSK_PATH
16# Optional variable for the file signing key.
17# RPM_FSK_PASSWORD
18# Optional variable for the file signing key password.
Patrick Williamsc124f4f2015-09-15 14:41:29 -050019# GPG_BIN
20# Optional variable for specifying the gpg binary/wrapper to use for
21# signing.
Brad Bishopd7bf8c12018-02-25 22:55:05 -050022# RPM_GPG_SIGN_CHUNK
23# Optional variable indicating the number of packages used per gpg
24# invocation
Patrick Williamsf1e5d692016-03-30 15:21:19 -050025# GPG_PATH
26# Optional variable for specifying the gnupg "home" directory.
Brad Bishopd7bf8c12018-02-25 22:55:05 -050027
# Pulls in raise_sanity_error(), used by the configuration checks below.
inherit sanity

# Package signing is unconditional once this class is inherited.
RPM_SIGN_PACKAGES='1'
# Per-file signing is opt-in; the anonymous function below only requires
# RPM_FSK_PATH / RPM_FSK_PASSWORD when this is set to the string '1'.
RPM_SIGN_FILES ?= '0'
# 'local' (signing on the build host) is the only backend documented above.
RPM_GPG_BACKEND ?= 'local'
# SHA-256 is used by default
RPM_FILE_CHECKSUM_DIGEST ?= '8'
# Packages handed to one gpg invocation; sign_rpm converts this with int().
RPM_GPG_SIGN_CHUNK ?= "${BB_NUMBER_THREADS}"
Patrick Williamsc124f4f2015-09-15 14:41:29 -050036
37
python () {
    # Anonymous function: validate the signing configuration at parse time so a
    # missing key name or passphrase is reported before any package is written.

    # The old variable name is rejected outright rather than being silently
    # ignored, which would otherwise surface only as a "not defined" error below.
    if d.getVar('RPM_GPG_PASSPHRASE_FILE'):
        raise_sanity_error('RPM_GPG_PASSPHRASE_FILE is replaced by RPM_GPG_PASSPHRASE', d)

    # Package signing always needs the key name and its passphrase; file
    # signing additionally needs the file signing key and its password.
    required = ['RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE']
    if d.getVar('RPM_SIGN_FILES') == '1':
        required += ['RPM_FSK_PATH', 'RPM_FSK_PASSWORD']

    for var in required:
        if not d.getVar(var):
            raise_sanity_error("You need to define %s in the config" % var, d)
}
51
python sign_rpm () {
    # Sign every file found in RPM_PKGWRITEDIR with the configured backend.
    # The signing parameters all come from the datastore variables documented
    # at the top of this class.
    import glob
    from oe.gpg_sign import get_signer

    backend = d.getVar('RPM_GPG_BACKEND')
    signer = get_signer(d, backend)

    # Everything under the package write directory is passed to the signer,
    # not only *.rpm files.
    pkgdir = d.getVar('RPM_PKGWRITEDIR')
    rpms = glob.glob(pkgdir + '/*')

    gpg_name = d.getVar('RPM_GPG_NAME')
    # NOTE(review): the passphrase and the file signing key password are
    # secrets held as plain datastore values; do not add logging of these
    # arguments to this task.
    passphrase = d.getVar('RPM_GPG_PASSPHRASE')
    digest = d.getVar('RPM_FILE_CHECKSUM_DIGEST')
    chunk = int(d.getVar('RPM_GPG_SIGN_CHUNK'))
    fsk_path = d.getVar('RPM_FSK_PATH')
    fsk_password = d.getVar('RPM_FSK_PASSWORD')

    signer.sign_rpms(rpms, gpg_name, passphrase, digest, chunk,
                     fsk_path, fsk_password)
}
Patrick Williamsf1e5d692016-03-30 15:21:19 -050067
# Package indexing needs the signing keys deployed, and rootfs creation needs
# them in the sysroot, so both tasks depend on the signing-keys recipe.
do_package_index[depends] += "signing-keys:do_deploy"
do_rootfs[depends] += "signing-keys:do_populate_sysroot"

# Newer versions of gpg (at least 2.1.5 and 2.2.1) have issues when signing occurs in parallel
# so unfortunately the signing must be done serially. Once the upstream problem is fixed,
# the following line must be removed otherwise we lose all the intrinsic parallelism from
# bitbake. For more information, check https://bugzilla.yoctoproject.org/show_bug.cgi?id=12022.
# The lock is shared across all recipes via a single file under TMPDIR.
do_package_write_rpm[lockfiles] += "${TMPDIR}/gpg.lock"