* [PATCH 0/3] Fix rpm signing with GPG v2.1
@ 2017-02-23 10:24 Markus Lehtonen
  2017-02-23 10:24 ` [PATCH 1/3] rpm: support customizing gpg command line Markus Lehtonen
                   ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Markus Lehtonen @ 2017-02-23 10:24 UTC (permalink / raw)
  To: openembedded-core

This patchset makes signing work with all versions of GPG.  Previously, rpm
package signing in oe-core was not working with GPG v2.1 (which is becoming
more widespread). This was caused by a change in passphrase dialogue handling
of GPG.

[YOCTO #11054]

Markus Lehtonen (3):
  rpm: support customizing gpg command line
  lib/oe/gpg_sign: make gpg version a property of the signer
  lib/oe/gpg_sign: fix rpm signing with gpg > 2.1

 meta/lib/oe/gpg_sign.py                            | 12 +++---
 .../0001-macros-add-_gpg_sign_cmd_extra_args.patch | 43 ++++++++++++++++++++++
 meta/recipes-devtools/rpm/rpm_5.4.16.bb            |  1 +
 3 files changed, 51 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-devtools/rpm/rpm/0001-macros-add-_gpg_sign_cmd_extra_args.patch

-- 
2.6.6



^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 1/3] rpm: support customizing gpg command line
  2017-02-23 10:24 [PATCH 0/3] Fix rpm signing with GPG v2.1 Markus Lehtonen
@ 2017-02-23 10:24 ` Markus Lehtonen
  2017-02-23 10:24 ` [PATCH 2/3] lib/oe/gpg_sign: make gpg version a property of the signer Markus Lehtonen
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 8+ messages in thread
From: Markus Lehtonen @ 2017-02-23 10:24 UTC (permalink / raw)
  To: openembedded-core

Add a new %_gpg_sign_cmd_extra_args macro that allows customizing the
gpg options used when signing rpm packages. This is needed to be able to
sign packages with gpg 2.1 which requires "--pinentry-mode loopback" to
allow non-interactive signing.

[YOCTO #11054]

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
---
 .../0001-macros-add-_gpg_sign_cmd_extra_args.patch | 43 ++++++++++++++++++++++
 meta/recipes-devtools/rpm/rpm_5.4.16.bb            |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-devtools/rpm/rpm/0001-macros-add-_gpg_sign_cmd_extra_args.patch

diff --git a/meta/recipes-devtools/rpm/rpm/0001-macros-add-_gpg_sign_cmd_extra_args.patch b/meta/recipes-devtools/rpm/rpm/0001-macros-add-_gpg_sign_cmd_extra_args.patch
new file mode 100644
index 0000000..eb43a87
--- /dev/null
+++ b/meta/recipes-devtools/rpm/rpm/0001-macros-add-_gpg_sign_cmd_extra_args.patch
@@ -0,0 +1,43 @@
+From fa9726ff69f86d6a87c4c4bd7e3d2881999a872a Mon Sep 17 00:00:00 2001
+From: Markus Lehtonen <markus.lehtonen@linux.intel.com>
+Date: Thu, 23 Feb 2017 11:14:20 +0200
+Subject: [PATCH] macros: add %_gpg_sign_cmd_extra_args
+
+Similar to what rpm4 has. This macro can be used to customize the
+gpg command line options when signing packages. This is needed for
+gpg 2.1 which requires "--pinentry-mode loopback" to allow
+non-interactive signing.
+
+Upstream-Status: Pending
+
+Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
+---
+ macros/macros.in | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/macros/macros.in b/macros/macros.in
+index 8bc5840..fda3c66 100644
+--- a/macros/macros.in
++++ b/macros/macros.in
+@@ -524,7 +524,9 @@ $_arbitrary_tags_tests	Foo:Bar
+ %_gpg_passphrase_way %{?_gpg_passphrase:--passphrase "%{_gpg_passphrase}"}%{!?_gpg_passphrase:--passphrase-fd 3}
+ 
+ %__gpg_check_password_cmd	%{__gpg} \
+-	gpg --batch --no-verbose %{_gpg_passphrase_way} -u "%{_gpg_name}" -so -
++	gpg --batch --no-verbose %{_gpg_passphrase_way} \
++	%{?_gpg_sign_cmd_extra_args:%{_gpg_sign_cmd_extra_args}} \
++	-u "%{_gpg_name}" -so -
+ #%__pgp_check_password_cmd	%{__pgp} \
+ #	pgp +batchmode=on +verbose=0 "%{_pgp_name}" -sf
+ #%__pgp5_check_password_cmd	%{__pgp} \
+@@ -532,6 +534,7 @@ $_arbitrary_tags_tests	Foo:Bar
+ 
+ %__gpg_sign_cmd			%{__gpg} \
+ 	gpg --batch --no-verbose --no-armor %{_gpg_passphrase_way}  --no-secmem-warning \
++	%{?_gpg_sign_cmd_extra_args:%{_gpg_sign_cmd_extra_args}} \
+ 	-u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
+ #%__pgp_sign_cmd			%{__pgp} \
+ #	pgp +batchmode=on +verbose=0 +armor=off \
+-- 
+2.10.2
+
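Review bot: The new %_gpg_sign_cmd_extra_args macro is expanded in both %__gpg_check_password_cmd and %__gpg_sign_cmd, but macros.in gets no default and no comment for it, so nothing in the file tells a user that the macro exists or that its value is pasted unquoted into two gpg command lines. Consider adding a commented-out entry near %_gpg_passphrase_way that documents it, and saying in the commit message that the "sign" macro also affects the passphrase check command.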
diff --git a/meta/recipes-devtools/rpm/rpm_5.4.16.bb b/meta/recipes-devtools/rpm/rpm_5.4.16.bb
index 883dbc7..17c5818 100644
--- a/meta/recipes-devtools/rpm/rpm_5.4.16.bb
+++ b/meta/recipes-devtools/rpm/rpm_5.4.16.bb
@@ -119,6 +119,7 @@ SRC_URI += " \
 	   file://gcc6-stdlib.patch \
 	   file://0001-system.h-query.c-support-nosignature.patch \
 	   file://rpm-ensure-rpm2cpio-call-rpm-relocation-code.patch \
+	   file://0001-macros-add-_gpg_sign_cmd_extra_args.patch \
 "
 
 # OE specific changes
-- 
2.6.6



^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [PATCH 2/3] lib/oe/gpg_sign: make gpg version a property of the signer
  2017-02-23 10:24 [PATCH 0/3] Fix rpm signing with GPG v2.1 Markus Lehtonen
  2017-02-23 10:24 ` [PATCH 1/3] rpm: support customizing gpg command line Markus Lehtonen
@ 2017-02-23 10:24 ` Markus Lehtonen
  2017-02-23 10:24 ` [PATCH 3/3] lib/oe/gpg_sign: fix rpm signing with gpg > 2.1 Markus Lehtonen
  2017-02-23 15:58 ` [PATCH 0/3] Fix rpm signing with GPG v2.1 akuster808
  3 siblings, 0 replies; 8+ messages in thread
From: Markus Lehtonen @ 2017-02-23 10:24 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
---
 meta/lib/oe/gpg_sign.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index dcd1990..21dc5ea 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -10,6 +10,7 @@ class LocalSigner(object):
         self.gpg_bin = d.getVar('GPG_BIN') or \
                   bb.utils.which(os.getenv('PATH'), 'gpg')
         self.gpg_path = d.getVar('GPG_PATH')
+        self.gpg_version = self.get_gpg_version()
         self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm")
 
     def export_pubkey(self, output_file, keyid, armor=True):
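Review bot: Calling self.get_gpg_version() in __init__ runs "gpg --version" on every construction of a LocalSigner, and self.gpg_bin comes from GPG_BIN or a PATH lookup, so it may be empty at this point. get_gpg_version() only catches subprocess.CalledProcessError, so a missing or non-executable binary would escape the constructor as an unrelated exception instead of the "Could not get gpg version" failure. Consider checking self.gpg_bin first, or resolving the version lazily on first use.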
@@ -58,9 +59,7 @@ class LocalSigner(object):
 
         #gpg > 2.1 supports password pipes only through the loopback interface
         #gpg < 2.1 errors out if given unknown parameters
-        dots = self.get_gpg_version().split('.')
-        assert len(dots) >= 2
-        if int(dots[0]) >= 2 and int(dots[1]) >= 1:
+        if self.gpg_version > (2,1,):
             cmd += ['--pinentry-mode', 'loopback']
 
         cmd += [input_file]
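Review bot: The comparison "self.gpg_version > (2,1,)" is false for a version that parses to exactly (2, 1), while the removed check used >= on both components; a three-component 2.1.x tuple does compare greater, so this only bites on a two-component version string, but ">= (2, 1)" states the intent directly. The two comments above it still say "gpg > 2.1" and "gpg < 2.1" and could be reworded to "2.1 and later" to match. The patch also has no commit message body, although the tuple comparison changes behaviour: the old test "int(dots[0]) >= 2 and int(dots[1]) >= 1" was false for any x.0 release above 2, and that is worth recording.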
@@ -87,10 +86,11 @@ class LocalSigner(object):
 
 
     def get_gpg_version(self):
-        """Return the gpg version"""
+        """Return the gpg version as a tuple of ints"""
         import subprocess
         try:
-            return subprocess.check_output((self.gpg_bin, "--version")).split()[2].decode("utf-8")
+            ver_str = subprocess.check_output((self.gpg_bin, "--version")).split()[2].decode("utf-8")
+            return tuple([int(i) for i in ver_str.split('.')])
         except subprocess.CalledProcessError as e:
             raise bb.build.FuncFailed("Could not get gpg version: %s" % e)
 
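Review bot: In the new "return tuple([int(i) for i in ver_str.split('.')])" line, int(i) raises ValueError as soon as one dot-separated component of the version token is not purely numeric, and split()[2] raises IndexError if the first line has fewer than three fields; neither is covered by "except subprocess.CalledProcessError". Since the version is now read in __init__, such output would break every signer at construction. Consider extracting the leading digits of each component and converting a parse failure into the same FuncFailed error.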
-- 
2.6.6



^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [PATCH 3/3] lib/oe/gpg_sign: fix rpm signing with gpg > 2.1
  2017-02-23 10:24 [PATCH 0/3] Fix rpm signing with GPG v2.1 Markus Lehtonen
  2017-02-23 10:24 ` [PATCH 1/3] rpm: support customizing gpg command line Markus Lehtonen
  2017-02-23 10:24 ` [PATCH 2/3] lib/oe/gpg_sign: make gpg version a property of the signer Markus Lehtonen
@ 2017-02-23 10:24 ` Markus Lehtonen
  2017-02-23 15:58 ` [PATCH 0/3] Fix rpm signing with GPG v2.1 akuster808
  3 siblings, 0 replies; 8+ messages in thread
From: Markus Lehtonen @ 2017-02-23 10:24 UTC (permalink / raw)
  To: openembedded-core

We need to check the gpg version and alter its command line options
accordingly.

[YOCTO #11054]

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
---
 meta/lib/oe/gpg_sign.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 21dc5ea..b635d8b 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -32,6 +32,8 @@ class LocalSigner(object):
 
         cmd = self.rpm_bin + " --addsign --define '_gpg_name %s'  " % keyid
         cmd += "--define '_gpg_passphrase %s' " % passphrase
+        if self.gpg_version > (2,1,):
+            cmd += "--define '_gpg_sign_cmd_extra_args --pinentry-mode=loopback' "
         if self.gpg_bin:
             cmd += "--define '%%__gpg %s' " % self.gpg_bin
         if self.gpg_path:
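Review bot: The "self.gpg_version > (2,1,)" test added here duplicates the one introduced in 2/3, and the option is spelled two ways ("--pinentry-mode=loopback" here, ['--pinentry-mode', 'loopback'] there); a single helper or property on the signer would keep the threshold and spelling in one place. Separately, the surrounding context builds a shell command string with "--define '_gpg_passphrase %s'" and, per the %_gpg_passphrase_way macro shown in 1/3, a defined _gpg_passphrase reaches gpg as --passphrase "...", so the passphrase appears in the argument lists of both rpm and gpg and a quote character in it would break the command. A follow-up that passes it by file descriptor would be worth considering.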
-- 
2.6.6



^ permalink raw reply related	[flat|nested] 8+ messages in thread
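
An added example, not part of the thread or of oe-core: one way to parse `gpg --version` output tolerantly and gate `--pinentry-mode loopback` on the result, as the series does in `gpg_sign.py`. The function names, the regular expression and the sample version strings are assumptions constructed for illustration, and the passphrase is read from a file descriptor instead of the command line.

```python
import re

# Constructed first lines of `gpg --version` output (not taken from the thread).
SAMPLE_OUTPUTS = [
    "gpg (GnuPG) 1.4.20",
    "gpg (GnuPG) 2.0.22\nlibgcrypt 1.5.3",
    "gpg (GnuPG) 2.1.18\nlibgcrypt 1.7.6",
    "gpg (GnuPG) 2.2.27-unknown",
    "gpg (GnuPG) 3.0",
]

_VERSION_RE = re.compile(r"^gpg \(GnuPG[^)]*\) (\d+)\.(\d+)(?:\.(\d+))?")


def parse_gpg_version(version_output):
    """Return (major, minor, micro) parsed from decoded `gpg --version` text."""
    lines = version_output.splitlines()
    first_line = lines[0] if lines else ""
    match = _VERSION_RE.match(first_line)
    if match is None:
        raise ValueError("unrecognised gpg --version output: %r" % first_line)
    # A missing third component counts as 0; suffixes such as "-unknown" are ignored.
    return tuple(int(part or 0) for part in match.groups())


def needs_loopback(version):
    """True for gpg 2.1 and later, where piped passphrases need loopback pinentry."""
    return version >= (2, 1, 0)


def detach_sign_argv(gpg_bin, version, keyid, input_file, passphrase_fd=0):
    """Build an argv list (no shell) that reads the passphrase from a descriptor."""
    argv = [gpg_bin, "--batch", "--no-tty", "--yes", "--detach-sign",
            "--local-user", keyid, "--passphrase-fd", str(passphrase_fd)]
    if needs_loopback(version):
        # Older gpg rejects this option, so it is added only when supported.
        argv += ["--pinentry-mode", "loopback"]
    return argv + [input_file]


def loopback_decisions(outputs=SAMPLE_OUTPUTS):
    """Map each sample's parsed version to the loopback decision."""
    return {parse_gpg_version(o): needs_loopback(parse_gpg_version(o)) for o in outputs}


if __name__ == "__main__":
    for version, loopback in sorted(loopback_decisions().items()):
        print(version, "loopback" if loopback else "no loopback")
```
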

* Re: [PATCH 0/3] Fix rpm signing with GPG v2.1
  2017-02-23 10:24 [PATCH 0/3] Fix rpm signing with GPG v2.1 Markus Lehtonen
                   ` (2 preceding siblings ...)
  2017-02-23 10:24 ` [PATCH 3/3] lib/oe/gpg_sign: fix rpm signing with gpg > 2.1 Markus Lehtonen
@ 2017-02-23 15:58 ` akuster808
  2017-02-24  7:31   ` Markus Lehtonen
  3 siblings, 1 reply; 8+ messages in thread
From: akuster808 @ 2017-02-23 15:58 UTC (permalink / raw)
  To: Markus Lehtonen, openembedded-core

Markus,


On 02/23/2017 02:24 AM, Markus Lehtonen wrote:
> This patchset makes signing work with all versions of GPG.  Previously, rpm
> package signing in oe-core was not working with GPG v2.1 (which is becoming
> more widespread). This was caused by a change in passphrase dialogue handling
> of GPG.

Off hand, do you know if Morty would benefit from this?

- armin
>
> [YOCTO #11054]
>
> Markus Lehtonen (3):
>    rpm: support customizing gpg command line
>    lib/oe/gpg_sign: make gpg version a property of the signer
>    lib/oe/gpg_sign: fix rpm signing with gpg > 2.1
>
>   meta/lib/oe/gpg_sign.py                            | 12 +++---
>   .../0001-macros-add-_gpg_sign_cmd_extra_args.patch | 43 ++++++++++++++++++++++
>   meta/recipes-devtools/rpm/rpm_5.4.16.bb            |  1 +
>   3 files changed, 51 insertions(+), 5 deletions(-)
>   create mode 100644 meta/recipes-devtools/rpm/rpm/0001-macros-add-_gpg_sign_cmd_extra_args.patch
>



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 0/3] Fix rpm signing with GPG v2.1
  2017-02-23 15:58 ` [PATCH 0/3] Fix rpm signing with GPG v2.1 akuster808
@ 2017-02-24  7:31   ` Markus Lehtonen
  0 siblings, 0 replies; 8+ messages in thread
From: Markus Lehtonen @ 2017-02-24  7:31 UTC (permalink / raw)
  To: akuster808, openembedded-core

On 23/02/2017, 17.58, "akuster808" <akuster808@gmail.com> wrote:

    Markus,
    
    
    On 02/23/2017 02:24 AM, Markus Lehtonen wrote:
    > This patchset makes signing work with all versions of GPG.  Previously, rpm
    > package signing in oe-core was not working with GPG v2.1 (which is becoming
    > more widespread). This was caused by a change in passphrase dialogue handling
    > of GPG.
    
    Off hand, do you know if Morty would benefit from this?

Yes it would. Same problem with GPG 2.1 there
  - Markus





^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 0/3] Fix rpm signing with GPG v2.1
  2017-02-23 10:22 Markus Lehtonen
@ 2017-02-23 15:48 ` Christopher Larson
  0 siblings, 0 replies; 8+ messages in thread
From: Christopher Larson @ 2017-02-23 15:48 UTC (permalink / raw)
  To: Markus Lehtonen; +Cc: bitbake-devel


On Thu, Feb 23, 2017 at 3:22 AM, Markus Lehtonen <
markus.lehtonen@linux.intel.com> wrote:

> This patchset makes signing work with all versions of GPG.  Previously, rpm
> package signing in oe-core was not working with GPG v2.1 (which is becoming
> more widespread). This was caused by a change in passphrase dialogue
> handling
> of GPG.
>
> [YOCTO #11054]
>
> Markus Lehtonen (3):
>   rpm: support customizing gpg command line
>   lib/oe/gpg_sign: make gpg version a property of the signer
>   lib/oe/gpg_sign: fix rpm signing with gpg > 2.1
>

This doesn’t belong on the bitbake list if it’s oe-core..
-- 
Christopher Larson
kergoth at gmail dot com
Founder - BitBake, OpenEmbedded, OpenZaurus
Senior Software Engineer, Mentor Graphics


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 0/3] Fix rpm signing with GPG v2.1
@ 2017-02-23 10:22 Markus Lehtonen
  2017-02-23 15:48 ` Christopher Larson
  0 siblings, 1 reply; 8+ messages in thread
From: Markus Lehtonen @ 2017-02-23 10:22 UTC (permalink / raw)
  To: bitbake-devel

This patchset makes signing work with all versions of GPG.  Previously, rpm
package signing in oe-core was not working with GPG v2.1 (which is becoming
more widespread). This was caused by a change in passphrase dialogue handling
of GPG.

[YOCTO #11054]

Markus Lehtonen (3):
  rpm: support customizing gpg command line
  lib/oe/gpg_sign: make gpg version a property of the signer
  lib/oe/gpg_sign: fix rpm signing with gpg > 2.1

 meta/lib/oe/gpg_sign.py                            | 12 +++---
 .../0001-macros-add-_gpg_sign_cmd_extra_args.patch | 43 ++++++++++++++++++++++
 meta/recipes-devtools/rpm/rpm_5.4.16.bb            |  1 +
 3 files changed, 51 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-devtools/rpm/rpm/0001-macros-add-_gpg_sign_cmd_extra_args.patch

-- 
2.6.6



^ permalink raw reply	[flat|nested] 8+ messages in thread
