mirror of
git://git.yoctoproject.org/poky.git
synced 2025-07-19 21:09:03 +02:00
0f49d9182f
Using host gpg has been problematic, and particularly this removes the need to serialize package creation, as long as --auto-expand-secmem is passed to gpg-agent, and gnupg >= 2.2.4 is in use (https://dev.gnupg.org/T3530). Sadly, gpg-agent itself is single-threaded, so in the longer run we might want to seek alternatives: https://lwn.net/Articles/742542/ (a smaller issue is that rpm itself runs the gpg fronted in a serial fashion, which slows down the build in cases of recipes with very large amount of packages, e.g. glibc-locale) Note that sstate signing and verification continues to use host gpg, as depending on native gpg would create circular dependencies. [YOCTO #12022] (From OE-Core rev: 08fef6198122fe79d4c1213f9a64b862162ed6cd) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
47 lines
1.9 KiB
Plaintext
47 lines
1.9 KiB
Plaintext
# Class for signing package feeds
|
|
#
|
|
# Related configuration variables that will be used after this class is
|
|
# iherited:
|
|
# PACKAGE_FEED_PASSPHRASE_FILE
|
|
# Path to a file containing the passphrase of the signing key.
|
|
# PACKAGE_FEED_GPG_NAME
|
|
# Name of the key to sign with. May be key id or key name.
|
|
# PACKAGE_FEED_GPG_BACKEND
|
|
# Optional variable for specifying the backend to use for signing.
|
|
# Currently the only available option is 'local', i.e. local signing
|
|
# on the build host.
|
|
# PACKAGE_FEED_GPG_SIGNATURE_TYPE
|
|
# Optional variable for specifying the type of gpg signature, can be:
|
|
# 1. Ascii armored (ASC), default if not set
|
|
# 2. Binary (BIN)
|
|
# This variable is only available for IPK feeds. It is ignored on
|
|
# other packaging backends.
|
|
# GPG_BIN
|
|
# Optional variable for specifying the gpg binary/wrapper to use for
|
|
# signing.
|
|
# GPG_PATH
|
|
# Optional variable for specifying the gnupg "home" directory:
|
|
#
|
|
inherit sanity
|
|
|
|
PACKAGE_FEED_SIGN = '1'
|
|
PACKAGE_FEED_GPG_BACKEND ?= 'local'
|
|
PACKAGE_FEED_GPG_SIGNATURE_TYPE ?= 'ASC'
|
|
|
|
# Make feed signing key to be present in rootfs
|
|
FEATURE_PACKAGES_package-management_append = " signing-keys-packagefeed"
|
|
|
|
python () {
|
|
# Check sanity of configuration
|
|
for var in ('PACKAGE_FEED_GPG_NAME', 'PACKAGE_FEED_GPG_PASSPHRASE_FILE'):
|
|
if not d.getVar(var):
|
|
raise_sanity_error("You need to define %s in the config" % var, d)
|
|
|
|
sigtype = d.getVar("PACKAGE_FEED_GPG_SIGNATURE_TYPE")
|
|
if sigtype.upper() != "ASC" and sigtype.upper() != "BIN":
|
|
raise_sanity_error("Bad value for PACKAGE_FEED_GPG_SIGNATURE_TYPE (%s), use either ASC or BIN" % sigtype)
|
|
}
|
|
|
|
do_package_index[depends] += "signing-keys:do_deploy"
|
|
do_rootfs[depends] += "signing-keys:do_populate_sysroot gnupg-native:do_populate_sysroot"
|