3 files changed, 83 insertions, 12 deletions
diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass
index 51bee2890b..f1ad1d5c17 100644
--- a/meta/classes/package_ipk.bbclass
+++ b/meta/classes/package_ipk.bbclass
@@ -246,6 +246,11 @@ python do_package_ipk () {
            bb.utils.unlockfile(lf)
            raise bb.build.FuncFailed("opkg-build execution failed")
+        if d.getVar('IPK_SIGN_PACKAGES', True) == '1':
+            ipkver = "%s-%s" % (d.getVar('PKGV', True), d.getVar('PKGR', True))
+            ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, d.getVar('PACKAGE_ARCH', True))
+            sign_ipk(d, ipk_to_sign)
        cleanupcontrol(root)
        bb.utils.unlockfile(lf)
diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass
new file mode 100644
index 0000000000..a481f6d9a8
--- /dev/null
+++ b/meta/classes/sign_ipk.bbclass
@@ -0,0 +1,52 @@
+# Class for generating signed IPK packages.
+#
+# Configuration variables used by this class:
+# IPK_GPG_PASSPHRASE_FILE
+#           Path to a file containing the passphrase of the signing key.
+# IPK_GPG_NAME
+#           Name of the key to sign with.
+# IPK_GPG_BACKEND
+#           Optional variable for specifying the backend to use for signing.
+#           Currently the only available option is 'local', i.e. local signing
+#           on the build host.
+# IPK_GPG_SIGNATURE_TYPE
+#           Optional variable for specifying the type of gpg signatures, can be:
+#                     1. Ascii armored (ASC), default if not set
+#                     2. Binary (BIN)
+# GPG_BIN
+#           Optional variable for specifying the gpg binary/wrapper to use for
+#           signing.
+# GPG_PATH
+#           Optional variable for specifying the gnupg "home" directory:
+#
+inherit sanity
+IPK_SIGN_PACKAGES = '1'
+IPK_GPG_BACKEND ?= 'local'
+IPK_GPG_SIGNATURE_TYPE ?= 'ASC'
+python () {
+    # Check configuration
+    for var in ('IPK_GPG_NAME', 'IPK_GPG_PASSPHRASE_FILE'):
+        if not d.getVar(var, True):
+            raise_sanity_error("You need to define %s in the config" % var, d)
+    sigtype = d.getVar("IPK_GPG_SIGNATURE_TYPE", True)
+    if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
+        raise_sanity_error("Bad value for IPK_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype)
+}
+def sign_ipk(d, ipk_to_sign):
+    from oe.gpg_sign import get_signer
+    bb.debug(1, 'Signing ipk: %s' % ipk_to_sign)
+    signer = get_signer(d, d.getVar('IPK_GPG_BACKEND', True))
+    sig_type = d.getVar('IPK_GPG_SIGNATURE_TYPE', True)
+    is_ascii_sig = (sig_type.upper() != "BIN")
+    signer.detach_sign(ipk_to_sign,
+                       d.getVar('IPK_GPG_NAME', True),
+                       d.getVar('IPK_GPG_PASSPHRASE_FILE', True),
+                       armor=is_ascii_sig)
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index ada1b2f408..059381d5e3 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -50,6 +50,7 @@ class LocalSigner(object):
            bb.error('rpmsign failed: %s' % proc.before.strip())
            raise bb.build.FuncFailed("Failed to sign RPM packages")
    def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True):
        """Create a detached signature of a file"""
        import subprocess
@@ -58,22 +59,35 @@ class LocalSigner(object):
            raise Exception("You should use either passphrase_file of passphrase, not both")
        cmd = [self.gpg_bin, '--detach-sign', '--batch', '--no-tty', '--yes',
-               '-u', keyid]
+               '--passphrase-fd', '0', '-u', keyid]
-        if passphrase_file:
-            cmd += ['--passphrase-file', passphrase_file]
-        else:
-            cmd += ['--passphrase-fd', '0']
        if self.gpg_path:
            cmd += ['--homedir', self.gpg_path]
        if armor:
            cmd += ['--armor']
-        cmd.append(input_file)
-        job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
+        cmd += [input_file]
-                               stderr=subprocess.PIPE)
-        _, stderr = job.communicate(passphrase)
+        try:
-        if job.returncode:
+            if passphrase_file:
-            raise bb.build.FuncFailed("Failed to create signature for '%s': %s" %
+                with open(passphrase_file) as fobj:
-                                      (input_file, stderr))
+                    passphrase = fobj.readline();
+            job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
+            (_, stderr) = job.communicate(passphrase)
+            if job.returncode:
+                raise bb.build.FuncFailed("GPG exited with code %d: %s" %
+                                          (job.returncode, stderr))
+        except IOError as e:
+            bb.error("IO error (%s): %s" % (e.errno, e.strerror))
+            raise Exception("Failed to sign '%s'" % input_file)
+        except OSError as e:
+            bb.error("OS error (%s): %s" % (e.errno, e.strerror))
+            raise Exception("Failed to sign '%s" % input_file)
    def verify(self, sig_file):
        """Verify signature"""

diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass index 51bee2890b..f1ad1d5c17 100644 --- a/meta/classes/package_ipk.bbclass +++ b/meta/classes/package_ipk.bbclass
@@ -246,6 +246,11 @@ python do_package_ipk () {
246	bb.utils.unlockfile(lf)	246	bb.utils.unlockfile(lf)
247	raise bb.build.FuncFailed("opkg-build execution failed")	247	raise bb.build.FuncFailed("opkg-build execution failed")
248		248
		249	if d.getVar('IPK_SIGN_PACKAGES', True) == '1':
		250	ipkver = "%s-%s" % (d.getVar('PKGV', True), d.getVar('PKGR', True))
		251	ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, d.getVar('PACKAGE_ARCH', True))
		252	sign_ipk(d, ipk_to_sign)
		253
249	cleanupcontrol(root)	254	cleanupcontrol(root)
250	bb.utils.unlockfile(lf)	255	bb.utils.unlockfile(lf)
251		256


diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass new file mode 100644 index 0000000000..a481f6d9a8 --- /dev/null +++ b/meta/classes/sign_ipk.bbclass
@@ -0,0 +1,52 @@
		1	# Class for generating signed IPK packages.
		2	#
		3	# Configuration variables used by this class:
		4	# IPK_GPG_PASSPHRASE_FILE
		5	# Path to a file containing the passphrase of the signing key.
		6	# IPK_GPG_NAME
		7	# Name of the key to sign with.
		8	# IPK_GPG_BACKEND
		9	# Optional variable for specifying the backend to use for signing.
		10	# Currently the only available option is 'local', i.e. local signing
		11	# on the build host.
		12	# IPK_GPG_SIGNATURE_TYPE
		13	# Optional variable for specifying the type of gpg signatures, can be:
		14	# 1. Ascii armored (ASC), default if not set
		15	# 2. Binary (BIN)
		16	# GPG_BIN
		17	# Optional variable for specifying the gpg binary/wrapper to use for
		18	# signing.
		19	# GPG_PATH
		20	# Optional variable for specifying the gnupg "home" directory:
		21	#
		22
		23	inherit sanity
		24
		25	IPK_SIGN_PACKAGES = '1'
		26	IPK_GPG_BACKEND ?= 'local'
		27	IPK_GPG_SIGNATURE_TYPE ?= 'ASC'
		28
		29	python () {
		30	# Check configuration
		31	for var in ('IPK_GPG_NAME', 'IPK_GPG_PASSPHRASE_FILE'):
		32	if not d.getVar(var, True):
		33	raise_sanity_error("You need to define %s in the config" % var, d)
		34
		35	sigtype = d.getVar("IPK_GPG_SIGNATURE_TYPE", True)
		36	if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
		37	raise_sanity_error("Bad value for IPK_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype)
		38	}
		39
		40	def sign_ipk(d, ipk_to_sign):
		41	from oe.gpg_sign import get_signer
		42
		43	bb.debug(1, 'Signing ipk: %s' % ipk_to_sign)
		44
		45	signer = get_signer(d, d.getVar('IPK_GPG_BACKEND', True))
		46	sig_type = d.getVar('IPK_GPG_SIGNATURE_TYPE', True)
		47	is_ascii_sig = (sig_type.upper() != "BIN")
		48
		49	signer.detach_sign(ipk_to_sign,
		50	d.getVar('IPK_GPG_NAME', True),
		51	d.getVar('IPK_GPG_PASSPHRASE_FILE', True),
		52	armor=is_ascii_sig)


diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index ada1b2f408..059381d5e3 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py
@@ -50,6 +50,7 @@ class LocalSigner(object):
50	bb.error('rpmsign failed: %s' % proc.before.strip())	50	bb.error('rpmsign failed: %s' % proc.before.strip())
51	raise bb.build.FuncFailed("Failed to sign RPM packages")	51	raise bb.build.FuncFailed("Failed to sign RPM packages")
52		52
		53
53	def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True):	54	def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True):
54	"""Create a detached signature of a file"""	55	"""Create a detached signature of a file"""
55	import subprocess	56	import subprocess
@@ -58,22 +59,35 @@ class LocalSigner(object):
58	raise Exception("You should use either passphrase_file of passphrase, not both")	59	raise Exception("You should use either passphrase_file of passphrase, not both")
59		60
60	cmd = [self.gpg_bin, '--detach-sign', '--batch', '--no-tty', '--yes',	61	cmd = [self.gpg_bin, '--detach-sign', '--batch', '--no-tty', '--yes',
61	'-u', keyid]	62	'--passphrase-fd', '0', '-u', keyid]
62	if passphrase_file:	63
63	cmd += ['--passphrase-file', passphrase_file]
64	else:
65	cmd += ['--passphrase-fd', '0']
66	if self.gpg_path:	64	if self.gpg_path:
67	cmd += ['--homedir', self.gpg_path]	65	cmd += ['--homedir', self.gpg_path]
68	if armor:	66	if armor:
69	cmd += ['--armor']	67	cmd += ['--armor']
70	cmd.append(input_file)	68
71	job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,	69	cmd += [input_file]
72	stderr=subprocess.PIPE)	70
73	_, stderr = job.communicate(passphrase)	71	try:
74	if job.returncode:	72	if passphrase_file:
75	raise bb.build.FuncFailed("Failed to create signature for '%s': %s" %	73	with open(passphrase_file) as fobj:
76	(input_file, stderr))	74	passphrase = fobj.readline();
		75
		76	job = subprocess.Popen(cmd, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
		77	(_, stderr) = job.communicate(passphrase)
		78
		79	if job.returncode:
		80	raise bb.build.FuncFailed("GPG exited with code %d: %s" %
		81	(job.returncode, stderr))
		82
		83	except IOError as e:
		84	bb.error("IO error (%s): %s" % (e.errno, e.strerror))
		85	raise Exception("Failed to sign '%s'" % input_file)
		86
		87	except OSError as e:
		88	bb.error("OS error (%s): %s" % (e.errno, e.strerror))
		89	raise Exception("Failed to sign '%s" % input_file)
		90
77		91
78	def verify(self, sig_file):	92	def verify(self, sig_file):
79	"""Verify signature"""	93	"""Verify signature"""