author | Ovidiu Panait <ovidiu.panait@windriver.com> | 2020-02-29 20:49:49 +0200 |
---|---|---|
committer | Jia Zhang <zhang.jia@linux.alibaba.com> | 2020-03-01 19:26:24 +0800 |
commit | b1dee36ce6d74e5e9032e67bd037d5519eb784ca (patch) | |
tree | f57e6f9e851f558744530808c7e6b0495613dbd5 | |
parent | 8853e39b1e1d1103dbbb252288989c7466968690 (diff) | |
sign_rpm_ext: Use socket redirection to avoid GPG_PATH length limitation
Currently, an error will be thrown when trying to use a GPG homedir whose path
length exceeds 80 characters. This limitation can be worked around by providing
libassuan socket redirection files for "S.gpg-agent.yocto-native",
"S.gpg-agent.ssh", "S.gpg-agent.browser" and "S.gpg-agent.extra"
sockets. The redirection files will point to the real sockets in the /tmp
directory. The sockets will be automatically cleaned up by gpg-agent.
References:
[1] https://dev.gnupg.org/T1752
[2] https://gnupg.org/documentation/manuals/assuan.pdf
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
-rw-r--r-- | meta-integrity/classes/sign_rpm_ext.bbclass | 5 | ||||
-rw-r--r-- | meta-signing-key/classes/user-key-store.bbclass | 11 |
2 files changed, 11 insertions, 5 deletions
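--- a/meta-integrity/classes/sign_rpm_ext.bbclass
+++ b/meta-integrity/classes/sign_rpm_ext.bbclass
@@ -34,9 +34,4 @@ python () {
     if not gpg_path:
         gpg_path = d.getVar('TMPDIR', True) + '/.gnupg'
     d.setVar('GPG_PATH', gpg_path)
-
-    if len(gpg_path) > 80:
-        msg = "The default GPG_PATH {} of {} characters is too long. Due to GPG homedir path length limit, please set GPG_PATH shorter than 80 characters.".format(gpg_path, len(gpg_path))
-        raise bb.parse.SkipRecipe(msg)
-
 }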
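--- a/meta-signing-key/classes/user-key-store.bbclass
+++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -481,6 +481,15 @@ def check_gpg_key(basekeyname, keydirfunc, d):
     f.write('allow-loopback-pinentry\n')
     f.write('auto-expand-secmem\n')
     f.close()
+
+    bn = d.getVar('BUILDNAME', True)
+    socklist = ["yocto-native", "browser", "ssh", "extra"]
+    for sock in socklist:
+        f = open(os.path.join(gpg_path, 'S.gpg-agent.' + sock), 'w')
+        f.write('%Assuan%\n')
+        f.write('socket=/tmp/S.gpg-agent.%s-%s\n' % (sock, bn))
+        f.close()
+
     gpg_bin = d.getVar('GPG_BIN', True) or \
               bb.utils.which(os.getenv('PATH'), 'gpg')
     gpg_keyid = d.getVar(basekeyname + '_GPG_NAME', True)
@@ -500,6 +509,8 @@ def check_gpg_key(basekeyname, keydirfunc, d):
     if status:
         bb.fatal('Failed to import gpg key (%s): %s' % (gpg_key, output))
 
+check_gpg_key[vardepsexclude] = "BUILDNAME"
+
 python check_boot_public_key () {
     check_gpg_key('BOOT', uks_boot_keys_dir, d)
 }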
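Review bot: The redirection targets written at new lines 489-490 put the real gpg-agent sockets directly in the shared /tmp under a predictable name (`/tmp/S.gpg-agent.<sock>-<BUILDNAME>`), and the agent.conf written just above enables `allow-loopback-pinentry`, so a socket pre-created at that path by another local user would receive the build's signing passphrase, and a pre-created plain file would simply stop the agent from starting. The usual mitigation is a per-user directory created with mode 0700, refusing to continue when the path already exists with a different owner, mode or as a symlink, and pointing the `socket=` lines into it; such a path stays well under the socket path length limit this commit works around. Including BUILDNAME in the directory name keeps the per-build separation the change relies on, at the cost of stale directories accumulating across builds, which is worth a comment. check_gpg_key begins before this hunk.
```python
    bn = d.getVar('BUILDNAME', True)
    # Keep the real sockets in a private per-user directory rather than bare
    # /tmp: the redirect targets are predictable, and with loopback pinentry
    # the passphrase is sent to whatever listens at them.
    sockdir = '/tmp/gpg-agent-%d-%s' % (os.getuid(), bn)
    try:
        os.mkdir(sockdir, 0o700)
    except FileExistsError:
        st = os.lstat(sockdir)
        if os.path.islink(sockdir) or st.st_uid != os.getuid() or (st.st_mode & 0o777) != 0o700:
            bb.fatal('%s exists but is not a private directory owned by this user' % sockdir)
    socklist = ["yocto-native", "browser", "ssh", "extra"]
    for sock in socklist:
        # … unchanged: open the S.gpg-agent.<sock> redirection file and write the %Assuan% header …
        f.write('socket=%s/S.gpg-agent.%s\n' % (sockdir, sock))
        # … unchanged: close …
```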