* [PATCH 0/3] Fix rpm signing with GPG v2.1
@ 2017-02-23 10:24 Markus Lehtonen
  2017-02-23 10:24 ` [PATCH 1/3] rpm: support customizing gpg command line Markus Lehtonen
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Markus Lehtonen @ 2017-02-23 10:24 UTC (permalink / raw)
  To: openembedded-core

This patchset makes signing work with all versions of GPG.  Previously, rpm
package signing in oe-core was not working with GPG v2.1 (which is becoming
more widespread). This was caused by a change in passphrase dialogue handling
of GPG.

[YOCTO #11054]

Markus Lehtonen (3):
  rpm: support customizing gpg command line
  lib/oe/gpg_sign: make gpg version a property of the signer
  lib/oe/gpg_sign: fix rpm signing with gpg > 2.1

 meta/lib/oe/gpg_sign.py                            | 12 +++---
 .../0001-macros-add-_gpg_sign_cmd_extra_args.patch | 43 ++++++++++++++++++++++
 meta/recipes-devtools/rpm/rpm_5.4.16.bb            |  1 +
 3 files changed, 51 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-devtools/rpm/rpm/0001-macros-add-_gpg_sign_cmd_extra_args.patch

-- 
2.6.6




* [PATCH 1/3] rpm: support customizing gpg command line
  2017-02-23 10:24 [PATCH 0/3] Fix rpm signing with GPG v2.1 Markus Lehtonen
@ 2017-02-23 10:24 ` Markus Lehtonen
  2017-02-23 10:24 ` [PATCH 2/3] lib/oe/gpg_sign: make gpg version a property of the signer Markus Lehtonen
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 7+ messages in thread
From: Markus Lehtonen @ 2017-02-23 10:24 UTC (permalink / raw)
  To: openembedded-core

Add a new %_gpg_sign_cmd_extra_args macro that allows customizing the
gpg options used when signing rpm packages. This is needed to be able to
sign packages with gpg 2.1 which requires "--pinentry-mode loopback" to
allow non-interactive signing.

[YOCTO #11054]

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
---
 .../0001-macros-add-_gpg_sign_cmd_extra_args.patch | 43 ++++++++++++++++++++++
 meta/recipes-devtools/rpm/rpm_5.4.16.bb            |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-devtools/rpm/rpm/0001-macros-add-_gpg_sign_cmd_extra_args.patch

diff --git a/meta/recipes-devtools/rpm/rpm/0001-macros-add-_gpg_sign_cmd_extra_args.patch b/meta/recipes-devtools/rpm/rpm/0001-macros-add-_gpg_sign_cmd_extra_args.patch
new file mode 100644
index 0000000..eb43a87
--- /dev/null
+++ b/meta/recipes-devtools/rpm/rpm/0001-macros-add-_gpg_sign_cmd_extra_args.patch
@@ -0,0 +1,43 @@
+From fa9726ff69f86d6a87c4c4bd7e3d2881999a872a Mon Sep 17 00:00:00 2001
+From: Markus Lehtonen <markus.lehtonen@linux.intel.com>
+Date: Thu, 23 Feb 2017 11:14:20 +0200
+Subject: [PATCH] macros: add %_gpg_sign_cmd_extra_args
+
+Similar to what rpm4 has. This macro can be used to customize the
+gpg command line options when signing packages. This is needed for
+gpg 2.1 which requires "--pinentry-mode loopback" to allow
+non-interactive signing.
+
+Upstream-Status: Pending
+
+Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
+---
+ macros/macros.in | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/macros/macros.in b/macros/macros.in
+index 8bc5840..fda3c66 100644
+--- a/macros/macros.in
++++ b/macros/macros.in
+@@ -524,7 +524,9 @@ $_arbitrary_tags_tests	Foo:Bar
+ %_gpg_passphrase_way %{?_gpg_passphrase:--passphrase "%{_gpg_passphrase}"}%{!?_gpg_passphrase:--passphrase-fd 3}
+ 
+ %__gpg_check_password_cmd	%{__gpg} \
+-	gpg --batch --no-verbose %{_gpg_passphrase_way} -u "%{_gpg_name}" -so -
++	gpg --batch --no-verbose %{_gpg_passphrase_way} \
++	%{?_gpg_sign_cmd_extra_args:%{_gpg_sign_cmd_extra_args}} \
++	-u "%{_gpg_name}" -so -
+ #%__pgp_check_password_cmd	%{__pgp} \
+ #	pgp +batchmode=on +verbose=0 "%{_pgp_name}" -sf
+ #%__pgp5_check_password_cmd	%{__pgp} \
+@@ -532,6 +534,7 @@ $_arbitrary_tags_tests	Foo:Bar
+ 
+ %__gpg_sign_cmd			%{__gpg} \
+ 	gpg --batch --no-verbose --no-armor %{_gpg_passphrase_way}  --no-secmem-warning \
++	%{?_gpg_sign_cmd_extra_args:%{_gpg_sign_cmd_extra_args}} \
+ 	-u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
+ #%__pgp_sign_cmd			%{__pgp} \
+ #	pgp +batchmode=on +verbose=0 +armor=off \
+-- 
+2.10.2
+
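Review bot: in the macros.in changes, `%_gpg_sign_cmd_extra_args` is expanded unquoted into both `%__gpg_check_password_cmd` and `%__gpg_sign_cmd`, but nothing in macros.in documents it or gives it a default. The name suggests it only affects signing, while the first hunk also applies it to the password check. Consider adding a commented-out entry next to `%_gpg_passphrase_way` that says what the macro is for, that it applies to both commands, and that its value is split into separate gpg options, so it should only be set from trusted build configuration.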
diff --git a/meta/recipes-devtools/rpm/rpm_5.4.16.bb b/meta/recipes-devtools/rpm/rpm_5.4.16.bb
index 883dbc7..17c5818 100644
--- a/meta/recipes-devtools/rpm/rpm_5.4.16.bb
+++ b/meta/recipes-devtools/rpm/rpm_5.4.16.bb
@@ -119,6 +119,7 @@ SRC_URI += " \
 	   file://gcc6-stdlib.patch \
 	   file://0001-system.h-query.c-support-nosignature.patch \
 	   file://rpm-ensure-rpm2cpio-call-rpm-relocation-code.patch \
+	   file://0001-macros-add-_gpg_sign_cmd_extra_args.patch \
 "
 
 # OE specific changes
-- 
2.6.6




* [PATCH 2/3] lib/oe/gpg_sign: make gpg version a property of the signer
  2017-02-23 10:24 [PATCH 0/3] Fix rpm signing with GPG v2.1 Markus Lehtonen
  2017-02-23 10:24 ` [PATCH 1/3] rpm: support customizing gpg command line Markus Lehtonen
@ 2017-02-23 10:24 ` Markus Lehtonen
  2017-02-23 10:24 ` [PATCH 3/3] lib/oe/gpg_sign: fix rpm signing with gpg > 2.1 Markus Lehtonen
  2017-02-23 15:58 ` [PATCH 0/3] Fix rpm signing with GPG v2.1 akuster808
  3 siblings, 0 replies; 7+ messages in thread
From: Markus Lehtonen @ 2017-02-23 10:24 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
---
 meta/lib/oe/gpg_sign.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index dcd1990..21dc5ea 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -10,6 +10,7 @@ class LocalSigner(object):
         self.gpg_bin = d.getVar('GPG_BIN') or \
                   bb.utils.which(os.getenv('PATH'), 'gpg')
         self.gpg_path = d.getVar('GPG_PATH')
+        self.gpg_version = self.get_gpg_version()
         self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm")
 
     def export_pubkey(self, output_file, keyid, armor=True):
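Review bot: `self.gpg_version = self.get_gpg_version()` in `__init__` makes every construction of `LocalSigner` run `gpg --version`, including for callers that only need `rpm_bin` or never sign, and it runs even when neither `GPG_BIN` nor the PATH lookup produced a usable `self.gpg_bin`. Consider computing the version lazily (for example a cached property that is evaluated on first use in the signing methods), or checking `self.gpg_bin` first and raising a clear error, so a missing gpg is reported as a configuration problem rather than as a failure inside the constructor.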
@@ -58,9 +59,7 @@ class LocalSigner(object):
 
         #gpg > 2.1 supports password pipes only through the loopback interface
         #gpg < 2.1 errors out if given unknown parameters
-        dots = self.get_gpg_version().split('.')
-        assert len(dots) >= 2
-        if int(dots[0]) >= 2 and int(dots[1]) >= 1:
+        if self.gpg_version > (2,1,):
             cmd += ['--pinentry-mode', 'loopback']
 
         cmd += [input_file]
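Review bot: `if self.gpg_version > (2,1,):` is a strict comparison, so a version that parses to exactly `(2, 1)` does not get `--pinentry-mode loopback`; it only matches `(2, 1, 0)` because a longer tuple sorts above its prefix. The removed test was `>=` on both components, and the comment above says gpg 2.1 needs the loopback interface, so `>= (2, 1)` would state the intent directly and not depend on gpg always printing three components.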
@@ -87,10 +86,11 @@ class LocalSigner(object):
 
 
     def get_gpg_version(self):
-        """Return the gpg version"""
+        """Return the gpg version as a tuple of ints"""
         import subprocess
         try:
-            return subprocess.check_output((self.gpg_bin, "--version")).split()[2].decode("utf-8")
+            ver_str = subprocess.check_output((self.gpg_bin, "--version")).split()[2].decode("utf-8")
+            return tuple([int(i) for i in ver_str.split('.')])
         except subprocess.CalledProcessError as e:
             raise bb.build.FuncFailed("Could not get gpg version: %s" % e)
 
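Review bot: `int(i)` in the new return line of `get_gpg_version` raises `ValueError` for any version component that is not purely numeric, and `.split()[2]` raises `IndexError` if the first line of `gpg --version` has fewer than three tokens, but the `except` clause only handles `subprocess.CalledProcessError`. Because this method is now called from `__init__`, an unexpected version string aborts signer creation with a bare traceback. Consider catching `ValueError` and `IndexError` as well and raising `bb.build.FuncFailed` with the raw output included, and consider parsing only the leading numeric part of each component.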
-- 
2.6.6




* [PATCH 3/3] lib/oe/gpg_sign: fix rpm signing with gpg > 2.1
  2017-02-23 10:24 [PATCH 0/3] Fix rpm signing with GPG v2.1 Markus Lehtonen
  2017-02-23 10:24 ` [PATCH 1/3] rpm: support customizing gpg command line Markus Lehtonen
  2017-02-23 10:24 ` [PATCH 2/3] lib/oe/gpg_sign: make gpg version a property of the signer Markus Lehtonen
@ 2017-02-23 10:24 ` Markus Lehtonen
  2017-02-23 15:58 ` [PATCH 0/3] Fix rpm signing with GPG v2.1 akuster808
  3 siblings, 0 replies; 7+ messages in thread
From: Markus Lehtonen @ 2017-02-23 10:24 UTC (permalink / raw)
  To: openembedded-core

We need to check the gpg version and alter its command line options
accordingly.

[YOCTO #11054]

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
---
 meta/lib/oe/gpg_sign.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 21dc5ea..b635d8b 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -32,6 +32,8 @@ class LocalSigner(object):
 
         cmd = self.rpm_bin + " --addsign --define '_gpg_name %s'  " % keyid
         cmd += "--define '_gpg_passphrase %s' " % passphrase
+        if self.gpg_version > (2,1,):
+            cmd += "--define '_gpg_sign_cmd_extra_args --pinentry-mode=loopback' "
         if self.gpg_bin:
             cmd += "--define '%%__gpg %s' " % self.gpg_bin
         if self.gpg_path:
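Review bot: the added `--define '_gpg_sign_cmd_extra_args --pinentry-mode=loopback'` makes the gpg 2.1 path depend on the `--define '_gpg_passphrase %s'` line just above it, which puts the passphrase on the rpm command line and, through `%_gpg_passphrase_way` in macros.in, into gpg's `--passphrase` argument. Both are visible to other local users in the process list, and a passphrase or keyid containing a single quote breaks the quoting of this command string. Since loopback mode is what lets gpg accept a passphrase non-interactively, a follow-up could leave `_gpg_passphrase` undefined and feed the passphrase through the `--passphrase-fd 3` branch that `%_gpg_passphrase_way` already provides. Separately, the literal `(2,1,)` is now repeated here and in `detach_sign`; a single named constant or helper would keep the two checks in step.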
-- 
2.6.6




* Re: [PATCH 0/3] Fix rpm signing with GPG v2.1
  2017-02-23 10:24 [PATCH 0/3] Fix rpm signing with GPG v2.1 Markus Lehtonen
                   ` (2 preceding siblings ...)
  2017-02-23 10:24 ` [PATCH 3/3] lib/oe/gpg_sign: fix rpm signing with gpg > 2.1 Markus Lehtonen
@ 2017-02-23 15:58 ` akuster808
  2017-02-24  7:31   ` Markus Lehtonen
  3 siblings, 1 reply; 7+ messages in thread
From: akuster808 @ 2017-02-23 15:58 UTC (permalink / raw)
  To: Markus Lehtonen, openembedded-core

Markus,


On 02/23/2017 02:24 AM, Markus Lehtonen wrote:
> This patchset makes signing work with all versions of GPG.  Previously, rpm
> package signing in oe-core was not working with GPG v2.1 (which is becoming
> more widespread). This was caused by a change in passphrase dialogue handling
> of GPG.

Off hand, do you know if Morty would benefit from this?

- armin
>
> [YOCTO #11054]
>
> Markus Lehtonen (3):
>    rpm: support customizing gpg command line
>    lib/oe/gpg_sign: make gpg version a property of the signer
>    lib/oe/gpg_sign: fix rpm signing with gpg > 2.1
>
>   meta/lib/oe/gpg_sign.py                            | 12 +++---
>   .../0001-macros-add-_gpg_sign_cmd_extra_args.patch | 43 ++++++++++++++++++++++
>   meta/recipes-devtools/rpm/rpm_5.4.16.bb            |  1 +
>   3 files changed, 51 insertions(+), 5 deletions(-)
>   create mode 100644 meta/recipes-devtools/rpm/rpm/0001-macros-add-_gpg_sign_cmd_extra_args.patch
>




* Re: [PATCH 0/3] Fix rpm signing with GPG v2.1
  2017-02-23 15:58 ` [PATCH 0/3] Fix rpm signing with GPG v2.1 akuster808
@ 2017-02-24  7:31   ` Markus Lehtonen
  0 siblings, 0 replies; 7+ messages in thread
From: Markus Lehtonen @ 2017-02-24  7:31 UTC (permalink / raw)
  To: akuster808, openembedded-core

On 23/02/2017, 17.58, "akuster808" <akuster808@gmail.com> wrote:

    Markus,
    
    
    On 02/23/2017 02:24 AM, Markus Lehtonen wrote:
    > This patchset makes signing work with all versions of GPG.  Previously, rpm
    > package signing in oe-core was not working with GPG v2.1 (which is becoming
    > more widespread). This was caused by a change in passphrase dialogue handling
    > of GPG.
    
    Off hand, do you know if Morty would benefit from this?

Yes it would. Same problem with GPG 2.1 there
  - Markus






* [PATCH 2/3] lib/oe/gpg_sign: make gpg version a property of the signer
  2017-02-23 10:22 Markus Lehtonen
@ 2017-02-23 10:22 ` Markus Lehtonen
  0 siblings, 0 replies; 7+ messages in thread
From: Markus Lehtonen @ 2017-02-23 10:22 UTC (permalink / raw)
  To: bitbake-devel

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
---
 meta/lib/oe/gpg_sign.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index dcd1990..21dc5ea 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -10,6 +10,7 @@ class LocalSigner(object):
         self.gpg_bin = d.getVar('GPG_BIN') or \
                   bb.utils.which(os.getenv('PATH'), 'gpg')
         self.gpg_path = d.getVar('GPG_PATH')
+        self.gpg_version = self.get_gpg_version()
         self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm")
 
     def export_pubkey(self, output_file, keyid, armor=True):
@@ -58,9 +59,7 @@ class LocalSigner(object):
 
         #gpg > 2.1 supports password pipes only through the loopback interface
         #gpg < 2.1 errors out if given unknown parameters
-        dots = self.get_gpg_version().split('.')
-        assert len(dots) >= 2
-        if int(dots[0]) >= 2 and int(dots[1]) >= 1:
+        if self.gpg_version > (2,1,):
             cmd += ['--pinentry-mode', 'loopback']
 
         cmd += [input_file]
@@ -87,10 +86,11 @@ class LocalSigner(object):
 
 
     def get_gpg_version(self):
-        """Return the gpg version"""
+        """Return the gpg version as a tuple of ints"""
         import subprocess
         try:
-            return subprocess.check_output((self.gpg_bin, "--version")).split()[2].decode("utf-8")
+            ver_str = subprocess.check_output((self.gpg_bin, "--version")).split()[2].decode("utf-8")
+            return tuple([int(i) for i in ver_str.split('.')])
         except subprocess.CalledProcessError as e:
             raise bb.build.FuncFailed("Could not get gpg version: %s" % e)
 
-- 
2.6.6


