From c2962bba6dcc039775a78248b21e558c824d986d Mon Sep 17 00:00:00 2001
From: Jia Zhang
Date: Thu, 24 Aug 2017 08:18:01 +0800
Subject: sign_rpm_ext: make sure all target recipes are signed
Placing the key import logic under signing-keys cannot ensure all target recipes are always signed. Instead, place it before do_package_write_rpm.
Signed-off-by: Jia Zhang
---
 meta-integrity/classes/sign_rpm_ext.bbclass | 26 ++++++++++++++++++++++
 .../recipes-core/meta/signing-keys.bbappend | 24 --------------------
 2 files changed, 26 insertions(+), 24 deletions(-)
 delete mode 100644 meta-integrity/recipes-core/meta/signing-keys.bbappend
diff --git a/meta-integrity/classes/sign_rpm_ext.bbclass b/meta-integrity/classes/sign_rpm_ext.bbclass
index 865b606..2a8dedc 100644
--- a/meta-integrity/classes/sign_rpm_ext.bbclass
+++ b/meta-integrity/classes/sign_rpm_ext.bbclass
@@ -10,6 +10,32 @@ RPM_FSK_PASSWORD ?= "password"
 inherit sign_rpm user-key-store
+python check_rpm_public_key () {
+ gpg_path = d.getVar('GPG_PATH', True)
+ gpg_bin = d.getVar('GPG_BIN', True) or \
+ bb.utils.which(os.getenv('PATH'), 'gpg')
+ gpg_keyid = d.getVar('RPM_GPG_NAME', True)
+
+ # Check RPM_GPG_NAME and RPM_GPG_PASSPHRASE
+ cmd = "%s --homedir %s --list-keys %s" % \
+ (gpg_bin, gpg_path, gpg_keyid)
+ status, output = oe.utils.getstatusoutput(cmd)
+ if not status:
+ return
+
+ # Import RPM_GPG_NAME if not found
+ gpg_key = uks_rpm_keys_dir(d) + 'RPM-GPG-PRIVKEY-' + gpg_keyid
+ cmd = '%s --batch --homedir %s --passphrase %s --import %s' % \
+ (gpg_bin, gpg_path, d.getVar('RPM_GPG_PASSPHRASE', True), gpg_key)
+ status, output = oe.utils.getstatusoutput(cmd)
+ if status:
+ raise bb.build.FuncFailed('Failed to import gpg key (%s): %s' %
+ (gpg_key, output))
+}
+check_rpm_public_key[lockfiles] = "${TMPDIR}/check_rpm_public_key.lock"
+do_package_write_rpm[prefuncs] += "check_rpm_public_key"
+check_rpm_public_key[prefuncs] += "check_deploy_keys"
+
 python () {
 gpg_path = d.getVar('GPG_PATH', True)
 if not gpg_path:
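Review bot: The import command in check_rpm_public_key interpolates RPM_GPG_PASSPHRASE into a shell string (`--passphrase %s`), so the passphrase sits on gpg's command line where other local users can read it from the process list during the import, and a passphrase containing spaces or shell metacharacters is split or interpreted by the shell. Keeping the secret out of the command and feeding it on stdin avoids both, e.g. `cmd = '%s --batch --homedir %s --passphrase-fd 0 --import %s' % (gpg_bin, gpg_path, gpg_key)`; oe.utils.getstatusoutput as called here takes only the command, so the call would have to move to a helper that accepts input, and GnuPG 2.1 or later may additionally need `--pinentry-mode loopback`. Separately, the early return relies on `--list-keys`, which inspects the public keyring, while the file being imported is `RPM-GPG-PRIVKEY-*`; if only the public key is present the import is skipped and signing would presumably fail later, so `--list-secret-keys` looks like the more accurate check. The existing comment `# Check RPM_GPG_NAME and RPM_GPG_PASSPHRASE` also overstates what the first command verifies, since the passphrase is not involved until the import.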
diff --git a/meta-integrity/recipes-core/meta/signing-keys.bbappend b/meta-integrity/recipes-core/meta/signing-keys.bbappend
deleted file mode 100644
index 058d050..0000000
--- a/meta-integrity/recipes-core/meta/signing-keys.bbappend
+++ /dev/null
@@ -1,24 +0,0 @@
-python check_public_keys () {
- gpg_path = d.getVar('GPG_PATH', True)
- gpg_bin = d.getVar('GPG_BIN', True) or \
- bb.utils.which(os.getenv('PATH'), 'gpg')
- gpg_keyid = d.getVar('RPM_GPG_NAME', True)
-
- # Check RPM_GPG_NAME and RPM_GPG_PASSPHRASE
- cmd = "%s --homedir %s --list-keys %s" % \
- (gpg_bin, gpg_path, gpg_keyid)
- status, output = oe.utils.getstatusoutput(cmd)
- if not status:
- return
-
- # Import RPM_GPG_NAME if not found
- gpg_key = uks_rpm_keys_dir(d) + 'RPM-GPG-PRIVKEY-' + gpg_keyid
- cmd = '%s --batch --homedir %s --passphrase %s --import %s' % \
- (gpg_bin, gpg_path, d.getVar('RPM_GPG_PASSPHRASE', True), gpg_key)
- status, output = oe.utils.getstatusoutput(cmd)
- if status:
- raise bb.build.FuncFailed('Failed to import gpg key (%s): %s' %
- (gpg_key, output))
-}
-check_public_keys[lockfiles] = "${TMPDIR}/check_public_keys.lock"
-do_get_public_keys[prefuncs] += "check_public_keys"
--
cgit v1.2.3-54-g00ecf