On Fri, 19 Feb 2016 13:18:12 +0200 Ioan-Adrian Ratiu <[email protected]> wrote:
> On Thu, 18 Feb 2016 11:28:58 +0200 > Ioan-Adrian Ratiu <[email protected]> wrote: > > > Hello > > > > On Thu, 18 Feb 2016 11:04:22 +0200 > > Markus Lehtonen <[email protected]> wrote: > > > > > Hi, > > > > > > > > > > > > On 17/02/16 17:41, "Ioan-Adrian Ratiu" > > > <[email protected] on behalf of > > > [email protected]> wrote: > > > > > > >Implement local ipk signing logic inside the gpg backend and add a new > > > >bbclass which configures signing similar to how rpm does it. > > > > > > > >The ipk signing process is a bit different from rpm: > > > > - Signatures are stored outside ipk files; opkg connects to a feed > > > >server and downloads them to verify a package. > > > > - Signatures are of two types (both supported by opkg): binary or > > > >ascii armoured. By default we sign using ascii armoured. > > > > - Public keys are stored on targets to verify ipks using the > > > >opkg-keyrings recipe. > > > > > > > >Signed-off-by: Ioan-Adrian Ratiu <[email protected]> > > > >--- > > > > meta/classes/package_ipk.bbclass | 6 +++++ > > > > meta/classes/sign_ipk.bbclass | 55 > > > > ++++++++++++++++++++++++++++++++++++++++ > > > > meta/lib/oe/gpg_sign.py | 39 ++++++++++++++++++++++++++++ > > > > 3 files changed, 100 insertions(+) > > > > create mode 100644 meta/classes/sign_ipk.bbclass > > > > > > > >diff --git a/meta/classes/package_ipk.bbclass > > > >b/meta/classes/package_ipk.bbclass > > > >index 51bee28..4f5bbd0 100644 > > > >--- a/meta/classes/package_ipk.bbclass > > > >+++ b/meta/classes/package_ipk.bbclass > > > >@@ -246,6 +246,12 @@ python do_package_ipk () { > > > > bb.utils.unlockfile(lf) > > > > raise bb.build.FuncFailed("opkg-build execution failed") > > > > > > > >+ if d.getVar('IPK_SIGN_PACKAGES', True) == '1': > > > >+ ipkver = "%s-%s" % (d.getVar('PKGV'), d.getVar('PKGR')) > > > >+ ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, > > > >ipkver, d.getVar('PACKAGE_ARCH', True)) > > > >+ d.setVar('IPK_TO_SIGN', ipk_to_sign) > > > >+ bb.build.exec_func("sign_ipk", d) > > > >+ > > > > cleanupcontrol(root) > > > > bb.utils.unlockfile(lf) > > > > > > > >diff --git a/meta/classes/sign_ipk.bbclass > > > >b/meta/classes/sign_ipk.bbclass > > > >new file mode 100644 > > > >index 0000000..cb22bb4 > > > >--- /dev/null > > > >+++ b/meta/classes/sign_ipk.bbclass > > > >@@ -0,0 +1,55 @@ > > > >+# Class for generating signed IPK packages. > > > >+# > > > >+# Configuration variables used by this class: > > > >+# IPK_GPG_PASSPHRASE_FILE > > > >+# Path to a file containing the passphrase of the signing key. > > > >+# IPK_GPG_NAME > > > >+# Name of the key to sign with. > > > >+# IPK_GPG_BACKEND > > > >+# Optional variable for specifying the backend to use for > > > >signing. > > > >+# Currently the only available option is 'local', i.e. local > > > >signing > > > >+# on the build host. > > > >+# IPK_GPG_SIGNATURE_TYPE > > > >+# Optional variable for specifying the type of gpg > > > >signatures, can be: > > > >+# 1. Ascii armored (ASC), default if not set > > > >+# 2. Binary (BIN) > > > >+# GPG_BIN > > > >+# Optional variable for specifying the gpg binary/wrapper to > > > >use for > > > >+# signing. > > > >+# GPG_PATH > > > >+# Optional variable for specifying the gnupg "home" directory: > > > >+# > > > >+ > > > >+inherit sanity > > > >+ > > > >+IPK_SIGN_PACKAGES = '1' > > > >+IPK_GPG_BACKEND ?= 'local' > > > >+IPK_GPG_SIGNATURE_TYPE ?= 'ASC' > > > >+ > > > >+python () { > > > >+ # Check configuration > > > >+ for var in ('IPK_GPG_NAME', 'IPK_GPG_PASSPHRASE_FILE'): > > > >+ if not d.getVar(var, True): > > > >+ raise_sanity_error("You need to define %s in the config" % > > > >var, d) > > > >+ > > > >+ sigtype = d.getVar("IPK_GPG_SIGNATURE_TYPE", True) > > > >+ if sigtype.upper() != "ASC" and sigtype.upper() != "BIN": > > > >+ raise_sanity_error("Bad value for IPK_GPG_SIGNATURE_TYPE (%s), > > > >use either ASC or BIN" % sigtype) > > > >+} > > > >+ > > > >+python sign_ipk () { > > > >+ from oe.gpg_sign import get_signer > > > >+ > > > >+ ipk_file = d.getVar('IPK_TO_SIGN') > > > >+ bb.debug(1, 'Signing ipk: %s' % ipk_file) > > > >+ > > > >+ signer = get_signer(d, d.getVar('IPK_GPG_BACKEND', True)) > > > >+ > > > >+ sig_type = d.getVar('IPK_GPG_SIGNATURE_TYPE', True) > > > >+ is_ascii_sig = (sig_type.upper() != "BIN") > > > >+ > > > >+ signer.sign_ipk(ipk_file, > > > >+ d.getVar('IPK_GPG_NAME', True), > > > >+ d.getVar('IPK_GPG_PASSPHRASE_FILE', True), > > > >+ is_ascii_sig) > > > >+} > > > > > > To me, it would be seem more straightforward to not circulate ipk_to_sign > > > through 'd'. Just define a regular python function like > > > def sign_ipk(d, ipk_to_sign): > > > ... > > > > > > And then in package_ipk.bbclass just do "sign_ipk(d, ipk_to_sign)" > > > instead of bb.build.exec_func("sign_ipk", d)" > > > > > > > > > > > > > > > >diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py > > > >index ada1b2f..138499b 100644 > > > >--- a/meta/lib/oe/gpg_sign.py > > > >+++ b/meta/lib/oe/gpg_sign.py > > > >@@ -1,5 +1,6 @@ > > > > """Helper module for GPG signing""" > > > > import os > > > >+import sys > > > > > > > > import bb > > > > import oe.utils > > > >@@ -50,6 +51,44 @@ class LocalSigner(object): > > > > bb.error('rpmsign failed: %s' % proc.before.strip()) > > > > raise bb.build.FuncFailed("Failed to sign RPM packages") > > > > > > > >+ def sign_ipk(self, ipkfile, keyid, passphrase_file, armor=True): > > > >+ """Sign IPK files""" > > > >+ import subprocess > > > >+ from subprocess import Popen > > > >+ > > > >+ cmd = [self.gpg_bin, "-q", "--batch", "--yes", "-b", "-u", > > > >keyid] > > > >+ if self.gpg_path: > > > >+ cmd += ["--homedir", self.gpg_path] > > > >+ if armor: > > > >+ cmd += ["--armor"] > > > >+ > > > >+ try: > > > >+ keypipe = os.pipe() > > > >+ > > > >+ # Need to add '\n' in case the passfile does not have it > > > >+ with open(passphrase_file) as fobj: > > > >+ os.write(keypipe[1], fobj.readline() + '\n') > > > >+ > > > >+ cmd += ["--passphrase-fd", str(keypipe[0])] > > > >+ cmd += [ipkfile] > > > >+ > > > >+ gpg_proc = Popen(cmd, stdin=subprocess.PIPE) > > > >+ gpg_proc.wait() > > > >+ > > > >+ os.close(keypipe[1]); > > > >+ os.close(keypipe[0]); > > > >+ > > > >+ except IOError as e: > > > >+ bb.error("IO error ({0}): {1}".format(e.errno, e.strerror)) > > > >+ raise bb.build.FuncFailed("Failed to sign IPK packages") > > > >+ except OSError as e: > > > >+ bb.error("OS error ({0}): {1}".format(e.errno, e.strerror)) > > > >+ raise bb.build.FuncFailed("Failed to sign IPK packages") > > > >+ except: > > > >+ bb.error("Unexpected error: {1}".format(sys.exc_info()[0])) > > > >+ raise bb.build.FuncFailed("Failed to sign IPK packages") > > > >+ > > > >+ > > > > def detach_sign(self, input_file, keyid, passphrase_file, > > > > passphrase=None, armor=True): > > > > """Create a detached signature of a file""" > > > > import subprocess > > > > > > Couldn't you just use detach_sign() instead of introducing sign_ipk(). To > > > me the functionality seems identical. > > > > The functionality is almost identical, yes, and consolidating it into one > > function is a very good idea. I'll do it but I have one question. > > > > The only diference between them is the usage in detach-sign of gpg's > > "--with-passphrase" arg, and that arg seems to cause some errors on my > > system: > > "gpg: signing failed: Inappropriate ioctl for device" > > > > I have not managed to reliably reproduce and find the cause of this issue. > > However, if we always open the file in python and read directly in a pipe > > which > > we always pass to gpg using "--passphrase-fd", the error goes away. > > > > Is using something like the following in detach_sign() ok with you? > > > > with open(passphrase_file) as fobj: > > os.write(keypipe[1], fobj.readline() + '\n') > > > > cmd += ["--passphrase-fd", str(keypipe[0])] > > Good news: I managed to reproduce and find the cause of the problem: pinentry > mode. > Gpg has a parameter "--pinentry-mode" which by default is set to ask, but > when doing > batch singing and sending the passphrases through pipes it needs to be set to > cancel. > > So now both methods work! :) I'll go with your method of using > --passphrase-file and > --passphrase-fd 0 because it is more clearer. *facepalm* I mistyped the value of the pinentry-mode parameter it's loopback not cancel. More info at https://wiki.archlinux.org/index.php/GnuPG#Unattended_passphrase > > > > > > > > > > > > Thanks, > > > Markus > > > > > > > > > -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
