Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / d7bf8c17eca8f8c89898a7794462c773c449e983^! / . / import-layers / yocto-poky / meta / classes / sign_rpm.bbclass
commitd7bf8c17eca8f8c89898a7794462c773c449e983[log] [tgz]
authorBrad Bishop <bradleyb@fuzziesquirrel.com>Sun Feb 25 22:55:05 2018 -0500
committerBrad Bishop <bradleyb@fuzziesquirrel.com>Thu Mar 15 14:22:49 2018 +0000
treed18618fca85ca5f0c077032cc7b009344b60f663
parente2b5abdc9f28cdf8578e5b9be803c8e697443c20 [diff] [blame]
Yocto 2.4

Move OpenBMC to Yocto 2.4(rocko)

Tested: Built and verified Witherspoon and Palmetto images
Change-Id: I12057b18610d6fb0e6903c60213690301e9b0c67
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

diff --git a/import-layers/yocto-poky/meta/classes/sign_rpm.bbclass b/import-layers/yocto-poky/meta/classes/sign_rpm.bbclass
index bc2e947..4961b03 100644
--- a/import-layers/yocto-poky/meta/classes/sign_rpm.bbclass
+++ b/import-layers/yocto-poky/meta/classes/sign_rpm.bbclass

@@ -9,16 +9,30 @@
 #           Optional variable for specifying the backend to use for signing.
 #           Currently the only available option is 'local', i.e. local signing
 #           on the build host.
+# RPM_FILE_CHECKSUM_DIGEST
+#           Optional variable for specifying the algorithm for generating file
+#           checksum digest.
+# RPM_FSK_PATH
+#           Optional variable for the file signing key.
+# RPM_FSK_PASSWORD
+#           Optional variable for the file signing key password.
 # GPG_BIN
 #           Optional variable for specifying the gpg binary/wrapper to use for
 #           signing.
+# RPM_GPG_SIGN_CHUNK
+#           Optional variable indicating the number of packages used per gpg
+#           invocation
 # GPG_PATH
 #           Optional variable for specifying the gnupg "home" directory:
-#
+
 inherit sanity
 
 RPM_SIGN_PACKAGES='1'
+RPM_SIGN_FILES ?= '0'
 RPM_GPG_BACKEND ?= 'local'
+# SHA-256 is used by default
+RPM_FILE_CHECKSUM_DIGEST ?= '8'
+RPM_GPG_SIGN_CHUNK ?= "${BB_NUMBER_THREADS}"
 
 
 python () {
@@ -28,6 +42,11 @@
     for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE'):
         if not d.getVar(var):
             raise_sanity_error("You need to define %s in the config" % var, d)
+
+    if d.getVar('RPM_SIGN_FILES') == '1':
+        for var in ('RPM_FSK_PATH', 'RPM_FSK_PASSWORD'):
+            if not d.getVar(var):
+                raise_sanity_error("You need to define %s in the config" % var, d)
 }
 
 python sign_rpm () {
@@ -39,8 +58,18 @@
 
     signer.sign_rpms(rpms,
                      d.getVar('RPM_GPG_NAME'),
-                     d.getVar('RPM_GPG_PASSPHRASE'))
+                     d.getVar('RPM_GPG_PASSPHRASE'),
+                     d.getVar('RPM_FILE_CHECKSUM_DIGEST'),
+                     int(d.getVar('RPM_GPG_SIGN_CHUNK')),
+                     d.getVar('RPM_FSK_PATH'),
+                     d.getVar('RPM_FSK_PASSWORD'))
 }
 
 do_package_index[depends] += "signing-keys:do_deploy"
 do_rootfs[depends] += "signing-keys:do_populate_sysroot"
+
+# Newer versions of gpg (at least 2.1.5 and 2.2.1) have issues when signing occurs in parallel
+# so unfortunately the signing must be done serially. Once the upstream problem is fixed,
+# the following line must be removed otherwise we loose all the intrinsic parallelism from
+# bitbake.  For more information, check https://bugzilla.yoctoproject.org/show_bug.cgi?id=12022.
+do_package_write_rpm[lockfiles] += "${TMPDIR}/gpg.lock"