Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | # Class for generating signed RPM packages. |
| 2 | # |
| 3 | # Configuration variables used by this class: |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 4 | # RPM_GPG_PASSPHRASE |
| 5 | # The passphrase of the signing key. |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 6 | # RPM_GPG_NAME |
Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame] | 7 | # Name of the key to sign with. May be key id or key name. |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 8 | # RPM_GPG_BACKEND |
| 9 | # Optional variable for specifying the backend to use for signing. |
| 10 | # Currently the only available option is 'local', i.e. local signing |
| 11 | # on the build host. |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 12 | # RPM_FILE_CHECKSUM_DIGEST |
| 13 | # Optional variable for specifying the algorithm for generating file |
| 14 | # checksum digest. |
| 15 | # RPM_FSK_PATH |
| 16 | # Optional variable for the file signing key. |
| 17 | # RPM_FSK_PASSWORD |
| 18 | # Optional variable for the file signing key password. |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 19 | # GPG_BIN |
| 20 | # Optional variable for specifying the gpg binary/wrapper to use for |
| 21 | # signing. |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 22 | # RPM_GPG_SIGN_CHUNK |
| 23 | # Optional variable indicating the number of packages used per gpg |
| 24 | # invocation |
Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame] | 25 | # GPG_PATH |
| 26 | # Optional variable for specifying the gnupg "home" directory: |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 27 | |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 28 | inherit sanity |
| 29 | |
| 30 | RPM_SIGN_PACKAGES='1' |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 31 | RPM_SIGN_FILES ?= '0' |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 32 | RPM_GPG_BACKEND ?= 'local' |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 33 | # SHA-256 is used by default |
| 34 | RPM_FILE_CHECKSUM_DIGEST ?= '8' |
| 35 | RPM_GPG_SIGN_CHUNK ?= "${BB_NUMBER_THREADS}" |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 36 | |
| 37 | |
Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame] | 38 | python () { |
Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame] | 39 | if d.getVar('RPM_GPG_PASSPHRASE_FILE'): |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 40 | raise_sanity_error('RPM_GPG_PASSPHRASE_FILE is replaced by RPM_GPG_PASSPHRASE', d) |
Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame] | 41 | # Check configuration |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 42 | for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE'): |
Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame] | 43 | if not d.getVar(var): |
Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame] | 44 | raise_sanity_error("You need to define %s in the config" % var, d) |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 45 | |
| 46 | if d.getVar('RPM_SIGN_FILES') == '1': |
| 47 | for var in ('RPM_FSK_PATH', 'RPM_FSK_PASSWORD'): |
| 48 | if not d.getVar(var): |
| 49 | raise_sanity_error("You need to define %s in the config" % var, d) |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 50 | } |
| 51 | |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 52 | python sign_rpm () { |
| 53 | import glob |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 54 | from oe.gpg_sign import get_signer |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 55 | |
Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame] | 56 | signer = get_signer(d, d.getVar('RPM_GPG_BACKEND')) |
| 57 | rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR') + '/*') |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 58 | |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 59 | signer.sign_rpms(rpms, |
Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame] | 60 | d.getVar('RPM_GPG_NAME'), |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 61 | d.getVar('RPM_GPG_PASSPHRASE'), |
| 62 | d.getVar('RPM_FILE_CHECKSUM_DIGEST'), |
| 63 | int(d.getVar('RPM_GPG_SIGN_CHUNK')), |
| 64 | d.getVar('RPM_FSK_PATH'), |
| 65 | d.getVar('RPM_FSK_PASSWORD')) |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 66 | } |
Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame] | 67 | |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 68 | do_package_index[depends] += "signing-keys:do_deploy" |
| 69 | do_rootfs[depends] += "signing-keys:do_populate_sysroot" |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 70 | |
| 71 | # Newer versions of gpg (at least 2.1.5 and 2.2.1) have issues when signing occurs in parallel |
| 72 | # so unfortunately the signing must be done serially. Once the upstream problem is fixed, |
| 73 | # the following line must be removed otherwise we loose all the intrinsic parallelism from |
| 74 | # bitbake. For more information, check https://bugzilla.yoctoproject.org/show_bug.cgi?id=12022. |
| 75 | do_package_write_rpm[lockfiles] += "${TMPDIR}/gpg.lock" |