Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / refs/heads/master / . / poky / meta / classes / sign_rpm.bbclass
blob: ee0c4808fa121ce4342f40b68f3b45041601a614 [file] [log] [blame]
Patrick Williams92b42cb2022-09-03 06:53:57 -0500[diff] [blame]1#
2# Copyright OpenEmbedded Contributors
3#
4# SPDX-License-Identifier: MIT
5#
6
Patrick Williamsc124f4f2015-09-15 14:41:29 -0500[diff] [blame]7# Class for generating signed RPM packages.
8#
9# Configuration variables used by this class:
Patrick Williamsd8c66bc2016-06-20 12:57:21 -0500[diff] [blame]10# RPM_GPG_PASSPHRASE
11# The passphrase of the signing key.
Patrick Williamsc124f4f2015-09-15 14:41:29 -0500[diff] [blame]12# RPM_GPG_NAME
Patrick Williamsf1e5d692016-03-30 15:21:19 -0500[diff] [blame]13# Name of the key to sign with. May be key id or key name.
Patrick Williamsd8c66bc2016-06-20 12:57:21 -0500[diff] [blame]14# RPM_GPG_BACKEND
15# Optional variable for specifying the backend to use for signing.
16# Currently the only available option is 'local', i.e. local signing
17# on the build host.
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]18# RPM_FILE_CHECKSUM_DIGEST
19# Optional variable for specifying the algorithm for generating file
20# checksum digest.
21# RPM_FSK_PATH
22# Optional variable for the file signing key.
23# RPM_FSK_PASSWORD
24# Optional variable for the file signing key password.
Patrick Williamsc124f4f2015-09-15 14:41:29 -0500[diff] [blame]25# GPG_BIN
26# Optional variable for specifying the gpg binary/wrapper to use for
27# signing.
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]28# RPM_GPG_SIGN_CHUNK
29# Optional variable indicating the number of packages used per gpg
30# invocation
Patrick Williamsf1e5d692016-03-30 15:21:19 -0500[diff] [blame]31# GPG_PATH
32# Optional variable for specifying the gnupg "home" directory:
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]33
Patrick Williamsc124f4f2015-09-15 14:41:29 -0500[diff] [blame]34inherit sanity
35
36RPM_SIGN_PACKAGES='1'
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]37RPM_SIGN_FILES ?= '0'
Patrick Williamsd8c66bc2016-06-20 12:57:21 -0500[diff] [blame]38RPM_GPG_BACKEND ?= 'local'
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]39# SHA-256 is used by default
40RPM_FILE_CHECKSUM_DIGEST ?= '8'
41RPM_GPG_SIGN_CHUNK ?= "${BB_NUMBER_THREADS}"
Patrick Williamsc124f4f2015-09-15 14:41:29 -0500[diff] [blame]42
43
Patrick Williamsf1e5d692016-03-30 15:21:19 -0500[diff] [blame]44python () {
Brad Bishop6e60e8b2018-02-01 10:27:11 -0500[diff] [blame]45 if d.getVar('RPM_GPG_PASSPHRASE_FILE'):
Patrick Williamsd8c66bc2016-06-20 12:57:21 -0500[diff] [blame]46 raise_sanity_error('RPM_GPG_PASSPHRASE_FILE is replaced by RPM_GPG_PASSPHRASE', d)
Patrick Williamsf1e5d692016-03-30 15:21:19 -0500[diff] [blame]47 # Check configuration
Patrick Williamsd8c66bc2016-06-20 12:57:21 -0500[diff] [blame]48 for var in ('RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE'):
Brad Bishop6e60e8b2018-02-01 10:27:11 -0500[diff] [blame]49 if not d.getVar(var):
Patrick Williamsf1e5d692016-03-30 15:21:19 -0500[diff] [blame]50 raise_sanity_error("You need to define %s in the config" % var, d)
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]51
52 if d.getVar('RPM_SIGN_FILES') == '1':
53 for var in ('RPM_FSK_PATH', 'RPM_FSK_PASSWORD'):
54 if not d.getVar(var):
55 raise_sanity_error("You need to define %s in the config" % var, d)
Patrick Williamsc124f4f2015-09-15 14:41:29 -0500[diff] [blame]56}
57
Patrick Williamsc124f4f2015-09-15 14:41:29 -0500[diff] [blame]58python sign_rpm () {
59 import glob
Patrick Williamsd8c66bc2016-06-20 12:57:21 -0500[diff] [blame]60 from oe.gpg_sign import get_signer
Patrick Williamsc124f4f2015-09-15 14:41:29 -0500[diff] [blame]61
Brad Bishop6e60e8b2018-02-01 10:27:11 -0500[diff] [blame]62 signer = get_signer(d, d.getVar('RPM_GPG_BACKEND'))
63 rpms = glob.glob(d.getVar('RPM_PKGWRITEDIR') + '/*')
Patrick Williamsc124f4f2015-09-15 14:41:29 -0500[diff] [blame]64
Patrick Williamsd8c66bc2016-06-20 12:57:21 -0500[diff] [blame]65 signer.sign_rpms(rpms,
Brad Bishop6e60e8b2018-02-01 10:27:11 -0500[diff] [blame]66 d.getVar('RPM_GPG_NAME'),
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]67 d.getVar('RPM_GPG_PASSPHRASE'),
68 d.getVar('RPM_FILE_CHECKSUM_DIGEST'),
69 int(d.getVar('RPM_GPG_SIGN_CHUNK')),
70 d.getVar('RPM_FSK_PATH'),
71 d.getVar('RPM_FSK_PASSWORD'))
Patrick Williamsc124f4f2015-09-15 14:41:29 -0500[diff] [blame]72}
Andrew Geisslerd25ed322020-06-27 00:28:28 -0500[diff] [blame]73sign_rpm[vardepsexclude] += "RPM_GPG_SIGN_CHUNK"
Patrick Williamsf1e5d692016-03-30 15:21:19 -0500[diff] [blame]74
Patrick Williamsd8c66bc2016-06-20 12:57:21 -0500[diff] [blame]75do_package_index[depends] += "signing-keys:do_deploy"
76do_rootfs[depends] += "signing-keys:do_populate_sysroot"
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]77
Brad Bishop316dfdd2018-06-25 12:45:53 -0400[diff] [blame]78PACKAGE_WRITE_DEPS += "gnupg-native"