On Tue, 5 Jan 2016 10:38:51 +0200 Ioan-Adrian Ratiu <[email protected]> wrote:
> Minimum required opkg version: 3.0 (already in master/jethro). > > Add a new bbclass for creating signatures for ipk files. > The signing process is very similar to the existing rpm signing, > but different in some important ways: > - Signatures are stored outside the ipk files, opkg connects > to a feed server and downloads them as separate files which are > used to verify ipk's. These files go everywhere alongside the ipk. > - Signatures can be of two types: binary (.sig) and ascii-armored > (.asc). By default OE and opkg use binary, can be configured by using > IPK_SIGNATURE_TYPE (in OE) and "option signature_type gpg-asc" in > opkg. > - The public key is stored on device and the keyring managed > by the opkg-keyrings package. See its recipe for more details. > > Signed-off-by: Ioan-Adrian Ratiu <[email protected]> > Signed-off-by: Alejandro del Castillo <[email protected]> > --- > meta/classes/package_ipk.bbclass | 6 ++++ > meta/classes/sign_ipk.bbclass | 73 > ++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 79 insertions(+) > create mode 100644 meta/classes/sign_ipk.bbclass > > diff --git a/meta/classes/package_ipk.bbclass > b/meta/classes/package_ipk.bbclass > index 51bee28..4f5bbd0 100644 > --- a/meta/classes/package_ipk.bbclass > +++ b/meta/classes/package_ipk.bbclass > @@ -246,6 +246,12 @@ python do_package_ipk () { > bb.utils.unlockfile(lf) > raise bb.build.FuncFailed("opkg-build execution failed") > > + if d.getVar('IPK_SIGN_PACKAGES', True) == '1': > + ipkver = "%s-%s" % (d.getVar('PKGV'), d.getVar('PKGR')) > + ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, > d.getVar('PACKAGE_ARCH', True)) > + d.setVar('IPK_TO_SIGN', ipk_to_sign) > + bb.build.exec_func("sign_ipk", d) > + > cleanupcontrol(root) > bb.utils.unlockfile(lf) > > diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass > new file mode 100644 > index 0000000..a4f1f3a > --- /dev/null > +++ b/meta/classes/sign_ipk.bbclass > @@ -0,0 +1,73 @@ > +# Class for generating signed IPK packages. > +# > +# Configuration variables used by this class: > +# IPK_GPG_PASSPHRASE_FILE > +# Path to a file containing the passphrase of the signing key. > +# IPK_GPG_NAME > +# Name of the key to sign with. > +# IPK_SIGNATURE_TYPE > +# Optional type of signature to accompany IPK files, can be: > +# 1. Ascii armored (ASC) > +# 2. Binary (BIN), default > +# GPG_BIN > +# Optional variable for specifying the gpg binary/wrapper to use > for > +# signing. > +# > + > +inherit sanity > + > +IPK_SIGN_PACKAGES = '1' > + > +def ipksign_wrapper(d, ipk_file, passphrase, gpg_name=None, sigtype="BIN"): > + import subprocess > + from subprocess import Popen > + > + keypipe = os.pipe() > + os.write(keypipe[1], passphrase + '\n') > + > + # use gpg from host PATH if user did not define a specific binary > + cmd = [d.getVar('GPG_BIN', True) or bb.utils.which(os.getenv('PATH'), > "gpg")] > + > + if gpg_name: > + cmd += ["-q", "--batch", "--yes", "-b", "-u", gpg_name] > + else: > + raise_sanity_error("You need to define IPK_GPG_NAME in bitbake > config", d) > + > + # transmit using pipes for security > + cmd += ["--passphrase-fd", str(keypipe[0])] > + > + # ascii armored or binary signatures > + if sigtype.lower() == "ASC".lower(): > + cmd += ["-a"] > + elif sigtype.lower() != "BIN".lower(): > + raise_sanity_error("Invalid IPK_SIGNATURE_TYPE in bitbake config", d) > + > + cmd += [ipk_file] > + > + p = Popen(cmd, stdin=subprocess.PIPE) > + p.wait() > + > + os.close(keypipe[1]) > + os.close(keypipe[0]) > + > + return p.returncode > + > + > +python sign_ipk () { > + ipk_gpg_pass_file = (d.getVar("IPK_GPG_PASSPHRASE_FILE", True) or "") > + if ipk_gpg_pass_file: > + with open(ipk_gpg_pass_file) as fobj: > + ipk_gpg_passphrase = fobj.readlines()[0].rstrip('\n') > + else: > + raise_sanity_error("You need to define IPK_GPG_PASSPHRASE_FILE in > the config", d) > + > + ipk_gpg_name = (d.getVar("IPK_GPG_NAME", True) or "") > + > + ipk_file = d.getVar('IPK_TO_SIGN') > + bb.debug(1, 'IPK_TO_SIGN: %s' % ipk_file) > + > + sigtype = (d.getVar("IPK_SIGNATURE_TYPE", True) or "") > + > + if ipksign_wrapper(d, ipk_file, ipk_gpg_passphrase, ipk_gpg_name, > sigtype) != 0: > + raise bb.build.FuncFailed("IPK signing failed") > +} ping? -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
