xref: /OK3568_Linux_fs/yocto/poky/meta/classes/sign_rpm.bbclass (revision 4882a59341e53eb6f0b4789bf948001014eff981)
# Class for generating signed RPM packages.
#
# Configuration variables used by this class:
# RPM_GPG_PASSPHRASE
#           The passphrase of the signing key.
# RPM_GPG_NAME
#           Name of the key to sign with. May be a key id or a key name.
# RPM_GPG_BACKEND
#           Optional variable for specifying the backend to use for signing.
#           Currently the only available option is 'local', i.e. local signing
#           on the build host.
# RPM_FILE_CHECKSUM_DIGEST
#           Optional variable for specifying the algorithm for generating file
#           checksum digest.
# RPM_FSK_PATH
#           Optional variable for the file signing key (required when
#           RPM_SIGN_FILES is '1').
# RPM_FSK_PASSWORD
#           Optional variable for the file signing key password (required when
#           RPM_SIGN_FILES is '1').
# GPG_BIN
#           Optional variable for specifying the gpg binary/wrapper to use for
#           signing.
# RPM_GPG_SIGN_CHUNK
#           Optional variable indicating the number of packages handled per gpg
#           invocation.
# GPG_PATH
#           Optional variable for specifying the gnupg "home" directory.
27*4882a593Smuzhiyun
# raise_sanity_error(), called by the anonymous python block below, is not
# defined in this file; it is expected to come from the inherited class.
inherit sanity

# Hard assignment: inheriting this class switches package signing on.
RPM_SIGN_PACKAGES='1'
# The remaining settings are '?=' defaults, so a value already set in the
# configuration wins. Per-file signing stays off unless RPM_SIGN_FILES is '1'.
RPM_SIGN_FILES ?= '0'
RPM_GPG_BACKEND ?= 'local'
# SHA-256 is used by default
RPM_FILE_CHECKSUM_DIGEST ?= '8'
# Number of packages per gpg invocation; defaults to the build thread count.
RPM_GPG_SIGN_CHUNK ?= "${BB_NUMBER_THREADS}"
36*4882a593Smuzhiyun
37*4882a593Smuzhiyun
python () {
    # Anonymous python block: configuration sanity checks for signing.
    #
    # NOTE(review): RPM_GPG_PASSPHRASE and RPM_FSK_PASSWORD are ordinary
    # datastore variables holding secrets. Keep the file that defines them
    # out of version control and readable only by the build user.

    # The old file-based passphrase variable is rejected outright.
    if d.getVar('RPM_GPG_PASSPHRASE_FILE'):
        raise_sanity_error('RPM_GPG_PASSPHRASE_FILE is replaced by RPM_GPG_PASSPHRASE', d)

    # Package signing always needs a key name and its passphrase; per-file
    # signing additionally needs the file signing key and its password.
    required = ['RPM_GPG_NAME', 'RPM_GPG_PASSPHRASE']
    if d.getVar('RPM_SIGN_FILES') == '1':
        required.extend(['RPM_FSK_PATH', 'RPM_FSK_PASSWORD'])

    for name in required:
        if d.getVar(name):
            continue
        raise_sanity_error("You need to define %s in the config" % name, d)
}
51*4882a593Smuzhiyun
python sign_rpm () {
    # Sign the packages found in RPM_PKGWRITEDIR with the configured backend.
    import glob
    from oe.gpg_sign import get_signer

    backend = d.getVar('RPM_GPG_BACKEND')
    signer = get_signer(d, backend)

    # The pattern is '/*', so every entry in the directory is handed to the
    # signer, not only files ending in .rpm.
    pkg_dir = d.getVar('RPM_PKGWRITEDIR')
    rpms = glob.glob(pkg_dir + '/*')

    key_name = d.getVar('RPM_GPG_NAME')
    # NOTE(review): the passphrase and the file signing key password are
    # passed to the signer as plain strings. How the backend hands them to
    # gpg is not visible here; confirm they do not end up on a command line
    # or in task logs.
    passphrase = d.getVar('RPM_GPG_PASSPHRASE')
    digest = d.getVar('RPM_FILE_CHECKSUM_DIGEST')
    # int() fails if RPM_GPG_SIGN_CHUNK does not expand to a number.
    chunk = int(d.getVar('RPM_GPG_SIGN_CHUNK'))
    fsk_path = d.getVar('RPM_FSK_PATH')
    fsk_password = d.getVar('RPM_FSK_PASSWORD')

    signer.sign_rpms(rpms, key_name, passphrase, digest, chunk,
                     fsk_path, fsk_password)
}
# Keep the chunk size out of sign_rpm's variable dependencies so changing it
# does not alter the task signature.
# NOTE(review): only RPM_GPG_SIGN_CHUNK is excluded. RPM_GPG_PASSPHRASE and
# RPM_FSK_PASSWORD, which sign_rpm also reads, are not listed; verify whether
# their values are recorded in task signature data (sigdata/siginfo) and, if
# so, who can read those files.
sign_rpm[vardepsexclude] += "RPM_GPG_SIGN_CHUNK"

# Package index generation and rootfs construction depend on tasks of the
# signing-keys recipe.
do_package_index[depends] += "signing-keys:do_deploy"
do_rootfs[depends] += "signing-keys:do_populate_sysroot"

# Make the native gnupg available to the package write tasks.
PACKAGE_WRITE_DEPS += "gnupg-native"