Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 1 | """Helper module for GPG signing""" |
| 2 | import os |
| 3 | |
| 4 | import bb |
| 5 | import oe.utils |
| 6 | |
| 7 | class LocalSigner(object): |
| 8 | """Class for handling local (on the build host) signing""" |
| 9 | def __init__(self, d): |
Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame] | 10 | self.gpg_bin = d.getVar('GPG_BIN') or \ |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 11 | bb.utils.which(os.getenv('PATH'), 'gpg') |
Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame] | 12 | self.gpg_path = d.getVar('GPG_PATH') |
Brad Bishop | 37a0e4d | 2017-12-04 01:01:44 -0500 | [diff] [blame] | 13 | self.gpg_version = self.get_gpg_version() |
Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame] | 14 | self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpmsign") |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 15 | |
| 16 | def export_pubkey(self, output_file, keyid, armor=True): |
| 17 | """Export GPG public key to a file""" |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 18 | cmd = '%s --no-permission-warning --batch --yes --export -o %s ' % \ |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 19 | (self.gpg_bin, output_file) |
| 20 | if self.gpg_path: |
| 21 | cmd += "--homedir %s " % self.gpg_path |
| 22 | if armor: |
| 23 | cmd += "--armor " |
| 24 | cmd += keyid |
| 25 | status, output = oe.utils.getstatusoutput(cmd) |
| 26 | if status: |
| 27 | raise bb.build.FuncFailed('Failed to export gpg public key (%s): %s' % |
| 28 | (keyid, output)) |
| 29 | |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 30 | def sign_rpms(self, files, keyid, passphrase, digest, sign_chunk, fsk=None, fsk_password=None): |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 31 | """Sign RPM files""" |
| 32 | |
| 33 | cmd = self.rpm_bin + " --addsign --define '_gpg_name %s' " % keyid |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 34 | gpg_args = '--no-permission-warning --batch --passphrase=%s' % passphrase |
Brad Bishop | 37a0e4d | 2017-12-04 01:01:44 -0500 | [diff] [blame] | 35 | if self.gpg_version > (2,1,): |
Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame] | 36 | gpg_args += ' --pinentry-mode=loopback' |
| 37 | cmd += "--define '_gpg_sign_cmd_extra_args %s' " % gpg_args |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 38 | cmd += "--define '_binary_filedigest_algorithm %s' " % digest |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 39 | if self.gpg_bin: |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 40 | cmd += "--define '__gpg %s' " % self.gpg_bin |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 41 | if self.gpg_path: |
| 42 | cmd += "--define '_gpg_path %s' " % self.gpg_path |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 43 | if fsk: |
| 44 | cmd += "--signfiles --fskpath %s " % fsk |
| 45 | if fsk_password: |
| 46 | cmd += "--define '_file_signing_key_password %s' " % fsk_password |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 47 | |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 48 | # Sign in chunks |
| 49 | for i in range(0, len(files), sign_chunk): |
| 50 | status, output = oe.utils.getstatusoutput(cmd + ' '.join(files[i:i+sign_chunk])) |
Brad Bishop | 37a0e4d | 2017-12-04 01:01:44 -0500 | [diff] [blame] | 51 | if status: |
| 52 | raise bb.build.FuncFailed("Failed to sign RPM packages: %s" % output) |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 53 | |
| 54 | def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True): |
| 55 | """Create a detached signature of a file""" |
| 56 | import subprocess |
| 57 | |
| 58 | if passphrase_file and passphrase: |
| 59 | raise Exception("You should use either passphrase_file of passphrase, not both") |
| 60 | |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 61 | cmd = [self.gpg_bin, '--detach-sign', '--no-permission-warning', '--batch', |
| 62 | '--no-tty', '--yes', '--passphrase-fd', '0', '-u', keyid] |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 63 | |
| 64 | if self.gpg_path: |
| 65 | cmd += ['--homedir', self.gpg_path] |
| 66 | if armor: |
| 67 | cmd += ['--armor'] |
| 68 | |
| 69 | #gpg > 2.1 supports password pipes only through the loopback interface |
| 70 | #gpg < 2.1 errors out if given unknown parameters |
Brad Bishop | 37a0e4d | 2017-12-04 01:01:44 -0500 | [diff] [blame] | 71 | if self.gpg_version > (2,1,): |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 72 | cmd += ['--pinentry-mode', 'loopback'] |
| 73 | |
| 74 | cmd += [input_file] |
| 75 | |
| 76 | try: |
| 77 | if passphrase_file: |
| 78 | with open(passphrase_file) as fobj: |
| 79 | passphrase = fobj.readline(); |
| 80 | |
| 81 | job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stderr=subprocess.PIPE) |
Patrick Williams | c0f7c04 | 2017-02-23 20:41:17 -0600 | [diff] [blame] | 82 | (_, stderr) = job.communicate(passphrase.encode("utf-8")) |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 83 | |
| 84 | if job.returncode: |
| 85 | raise bb.build.FuncFailed("GPG exited with code %d: %s" % |
Patrick Williams | c0f7c04 | 2017-02-23 20:41:17 -0600 | [diff] [blame] | 86 | (job.returncode, stderr.decode("utf-8"))) |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 87 | |
| 88 | except IOError as e: |
| 89 | bb.error("IO error (%s): %s" % (e.errno, e.strerror)) |
| 90 | raise Exception("Failed to sign '%s'" % input_file) |
| 91 | |
| 92 | except OSError as e: |
| 93 | bb.error("OS error (%s): %s" % (e.errno, e.strerror)) |
| 94 | raise Exception("Failed to sign '%s" % input_file) |
| 95 | |
| 96 | |
| 97 | def get_gpg_version(self): |
Brad Bishop | 37a0e4d | 2017-12-04 01:01:44 -0500 | [diff] [blame] | 98 | """Return the gpg version as a tuple of ints""" |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 99 | import subprocess |
| 100 | try: |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 101 | ver_str = subprocess.check_output((self.gpg_bin, "--version", "--no-permission-warning")).split()[2].decode("utf-8") |
Brad Bishop | 37a0e4d | 2017-12-04 01:01:44 -0500 | [diff] [blame] | 102 | return tuple([int(i) for i in ver_str.split('.')]) |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 103 | except subprocess.CalledProcessError as e: |
| 104 | raise bb.build.FuncFailed("Could not get gpg version: %s" % e) |
| 105 | |
| 106 | |
| 107 | def verify(self, sig_file): |
| 108 | """Verify signature""" |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 109 | cmd = self.gpg_bin + " --verify --no-permission-warning " |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 110 | if self.gpg_path: |
| 111 | cmd += "--homedir %s " % self.gpg_path |
| 112 | cmd += sig_file |
| 113 | status, _ = oe.utils.getstatusoutput(cmd) |
| 114 | ret = False if status else True |
| 115 | return ret |
| 116 | |
| 117 | |
| 118 | def get_signer(d, backend): |
| 119 | """Get signer object for the specified backend""" |
| 120 | # Use local signing by default |
| 121 | if backend == 'local': |
| 122 | return LocalSigner(d) |
| 123 | else: |
| 124 | bb.fatal("Unsupported signing backend '%s'" % backend) |