* [oe][PATCH 1/2] package_ipk: support signing of ipk packages
From: Ioan-Adrian Ratiu @ 2015-11-17 15:26 UTC
  To: openembedded-core

Minimum required opkg version: 3.0 (already in master/jethro).

Add a new bbclass for creating signatures for ipk files.
The signing process is very similar to the existing rpm signing,
but different in some important ways:
    - Signatures are stored outside the ipk files, opkg connects
to a feed server and downloads them as separate files which are
used to verify ipk's. These files go everywhere alongside the ipk.
    - Signatures can be of two types: binary (.sig) and ascii-armored
(.asc). By default OE and opkg use binary, can be configured by using
IPK_SIGNATURE_TYPE (in OE) and "option signature_type gpg-asc" in
opkg.
    - The public key is stored on device and the keyring managed
by the opkg-keyrings package. See its recipe for more details.

Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
---
 meta/classes/package_ipk.bbclass |  6 ++++
 meta/classes/sign_ipk.bbclass    | 73 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 meta/classes/sign_ipk.bbclass

diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass
index 4dd7a7e..c491b67 100644
--- a/meta/classes/package_ipk.bbclass
+++ b/meta/classes/package_ipk.bbclass
@@ -246,6 +246,12 @@ python do_package_ipk () {
             bb.utils.unlockfile(lf)
             raise bb.build.FuncFailed("opkg-build execution failed")
 
+        if d.getVar('IPK_SIGN_PACKAGES', True) == '1':
+            ipkver = "%s-%s" % (d.getVar('PKGV'), d.getVar('PKGR'))
+            ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, d.getVar('PACKAGE_ARCH', True))
+            d.setVar('IPK_TO_SIGN', ipk_to_sign)
+            bb.build.exec_func("sign_ipk", d)
+
         cleanupcontrol(root)
         bb.utils.unlockfile(lf)
 
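Review bot: PKGV and PKGR are read as d.getVar('PKGV') and d.getVar('PKGR') when building ipkver, without the True expansion argument that the PACKAGE_ARCH lookup on the next line passes. If either value is defined in terms of other variables, the unexpanded text ends up in ipk_to_sign and sign_ipk is handed a path that does not match the file opkg-build wrote. Suggest d.getVar('PKGV', True) and d.getVar('PKGR', True), matching the PACKAGE_ARCH call.
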
diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass
new file mode 100644
index 0000000..a4f1f3a
--- /dev/null
+++ b/meta/classes/sign_ipk.bbclass
@@ -0,0 +1,73 @@
+# Class for generating signed IPK packages.
+#
+# Configuration variables used by this class:
+# IPK_GPG_PASSPHRASE_FILE
+#           Path to a file containing the passphrase of the signing key.
+# IPK_GPG_NAME
+#           Name of the key to sign with.
+# IPK_SIGNATURE_TYPE
+#           Optional type of signature to accompany IPK files, can be:
+#                     1. Ascii armored (ASC)
+#                     2. Binary (BIN), default
+# GPG_BIN
+#           Optional variable for specifying the gpg binary/wrapper to use for
+#           signing.
+#
+
+inherit sanity
+
+IPK_SIGN_PACKAGES = '1'
+
+def ipksign_wrapper(d, ipk_file, passphrase, gpg_name=None, sigtype="BIN"):
+    import subprocess
+    from subprocess import Popen
+
+    keypipe = os.pipe()
+    os.write(keypipe[1], passphrase + '\n')
+
+    # use gpg from host PATH if user did not define a specific binary
+    cmd = [d.getVar('GPG_BIN', True) or bb.utils.which(os.getenv('PATH'), "gpg")]
+
+    if gpg_name:
+        cmd += ["-q", "--batch", "--yes", "-b", "-u", gpg_name]
+    else:
+        raise_sanity_error("You need to define IPK_GPG_NAME in bitbake config", d)
+
+    # transmit using pipes for security
+    cmd += ["--passphrase-fd",  str(keypipe[0])]
+
+    # ascii armored or binary signatures
+    if sigtype.lower() == "ASC".lower():
+        cmd += ["-a"]
+    elif sigtype.lower() != "BIN".lower():
+        raise_sanity_error("Invalid IPK_SIGNATURE_TYPE in bitbake config", d)
+
+    cmd += [ipk_file]
+
+    p = Popen(cmd, stdin=subprocess.PIPE)
+    p.wait()
+
+    os.close(keypipe[1])
+    os.close(keypipe[0])
+
+    return p.returncode
+
+
+python sign_ipk () {
+    ipk_gpg_pass_file = (d.getVar("IPK_GPG_PASSPHRASE_FILE", True) or "")
+    if ipk_gpg_pass_file:
+        with open(ipk_gpg_pass_file) as fobj:
+            ipk_gpg_passphrase = fobj.readlines()[0].rstrip('\n')
+    else:
+        raise_sanity_error("You need to define IPK_GPG_PASSPHRASE_FILE in the config", d)
+
+    ipk_gpg_name = (d.getVar("IPK_GPG_NAME", True) or "")
+
+    ipk_file = d.getVar('IPK_TO_SIGN')
+    bb.debug(1, 'IPK_TO_SIGN: %s' % ipk_file)
+
+    sigtype = (d.getVar("IPK_SIGNATURE_TYPE", True) or "")
+
+    if ipksign_wrapper(d, ipk_file, ipk_gpg_passphrase, ipk_gpg_name, sigtype) != 0:
+        raise bb.build.FuncFailed("IPK signing failed")
+}
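
Review bot: sign_ipk falls back to an empty string with (d.getVar("IPK_SIGNATURE_TYPE", True) or "") and passes it explicitly to ipksign_wrapper, so the sigtype="BIN" default never applies; an unset IPK_SIGNATURE_TYPE reaches the elif sigtype.lower() != "BIN".lower() branch and fails with "Invalid IPK_SIGNATURE_TYPE in bitbake config". The header comment documents the variable as optional with BIN as the default, so fall back to "BIN" in sign_ipk, or set IPK_SIGNATURE_TYPE ?= "BIN" in the class next to IPK_SIGN_PACKAGES. Separately, fobj.readlines()[0] raises IndexError on an empty passphrase file; a sanity error naming IPK_GPG_PASSPHRASE_FILE would be clearer.
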
-- 
2.1.4




* [oe][PATCH 2/2] package_manager: support for signed IPK package feeds
From: Ioan-Adrian Ratiu @ 2015-11-17 15:26 UTC
  To: openembedded-core

Create gpg signed package feeds if configured. Very similar to
how rpm does it. Most of the config variables are shared with
the rpm backend (like PACKAGE_FEED_GPG_NAME), with the exception
of PACKAGE_FEED_GPG_PUBKEY which is not needed in this case.

Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
---
 meta/lib/oe/package_manager.py | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index 964fddc..8528c9b 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -174,10 +174,25 @@ class OpkgIndexer(Indexer):
 
         opkg_index_cmd = bb.utils.which(os.getenv('PATH'), "opkg-make-index")
 
+        gpg_cmd = ''
+
+        # all these variables are needed to succesfully sign the index, otherwise skip signing
+        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1' and \
+           self.d.getVar('PACKAGE_FEED_GPG_NAME', True) and \
+           self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True):
+                pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME', True)
+                pkgfeed_gpg_pass = self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
+                gpg_bin = self.d.getVar('GPG_BIN', True) or bb.utils.which(os.getenv('PATH'), "gpg")
+
+                gpg_cmd = "%s --no-use-agent --batch --yes -ab -u %s --passphrase-file '%s'" % \
+                          (gpg_bin, pkgfeed_gpg_name, pkgfeed_gpg_pass)
+
+
         if not os.path.exists(os.path.join(self.deploy_dir, "Packages")):
             open(os.path.join(self.deploy_dir, "Packages"), "w").close()
 
         index_cmds = []
+        index_sign_files = []
         for arch_var in arch_vars:
             archs = self.d.getVar(arch_var, True)
             if archs is None:
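
Review bot: gpg_cmd is assembled as a single command string in which only the passphrase file is quoted; PACKAGE_FEED_GPG_NAME goes in as a bare %s after -u, and the index path is later appended with gpg_cmd + ' ' + f. A key name containing a space (a user ID made of a name plus an e-mail address, for instance) or a deploy path with shell metacharacters will be split or interpreted when that string is parsed. Suggest quoting both values, or building an argument list as ipksign_wrapper in 1/2 does. The passphrase is also handed over with --passphrase-file here while 1/2 uses --passphrase-fd; one mechanism for both would be easier to audit.
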
@@ -196,6 +211,8 @@ class OpkgIndexer(Indexer):
                 index_cmds.append('%s -r %s -p %s -m %s' %
                                   (opkg_index_cmd, pkgs_file, pkgs_file, pkgs_dir))
 
+                index_sign_files.append(pkgs_file)
+
         if len(index_cmds) == 0:
             bb.note("There are no packages in %s!" % self.deploy_dir)
             return
@@ -206,7 +223,11 @@ class OpkgIndexer(Indexer):
         if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
             raise NotImplementedError('Package feed signing not implementd for ipk')
 
-
+        if gpg_cmd:
+            for f in index_sign_files:
+                result = oe.utils.multiprocess_exec([gpg_cmd + ' ' + f], create_index)
+                if result:
+                    bb.fatal('%s' % ('\n'.join(result)))
 
 class DpkgIndexer(Indexer):
     def _create_configs(self):
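
Review bot: the context lines directly above the new block still contain if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1': followed by raise NotImplementedError(...), so with signing enabled the function raises before if gpg_cmd: is reached, and with signing disabled gpg_cmd is empty; the new signing loop can never run. The guard has to be removed in this hunk. The loop also calls oe.utils.multiprocess_exec once per file with a one-element list; accumulating the gpg commands in one list, the way index_cmds is accumulated, and making a single call would be simpler.
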
-- 
2.1.4




* Re: [oe][PATCH 2/2] package_manager: support for signed IPK package feeds
From: Alejandro del Castillo @ 2015-11-17 20:48 UTC
  To: Ioan-Adrian Ratiu, openembedded-core



On 11/17/2015 09:26 AM, Ioan-Adrian Ratiu wrote:
> Create gpg signed package feeds if configured. Very similar to
> how rpm does it. Most of the config variables are shared with
> the rpm backend (like PACKAGE_FEED_GPG_NAME), with the exception
> of PACKAGE_FEED_GPG_PUBKEY which is not needed in this case.
> 
> Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
> ---
>  meta/lib/oe/package_manager.py | 23 ++++++++++++++++++++++-
>  1 file changed, 22 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
> index 964fddc..8528c9b 100644
> --- a/meta/lib/oe/package_manager.py
> +++ b/meta/lib/oe/package_manager.py
> @@ -174,10 +174,25 @@ class OpkgIndexer(Indexer):
>  
>          opkg_index_cmd = bb.utils.which(os.getenv('PATH'), "opkg-make-index")
>  
> +        gpg_cmd = ''
> +
> +        # all these variables are needed to succesfully sign the index, otherwise skip signing
> +        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1' and \
> +           self.d.getVar('PACKAGE_FEED_GPG_NAME', True) and \
> +           self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True):
> +                pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME', True)
> +                pkgfeed_gpg_pass = self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
> +                gpg_bin = self.d.getVar('GPG_BIN', True) or bb.utils.which(os.getenv('PATH'), "gpg")
> +
> +                gpg_cmd = "%s --no-use-agent --batch --yes -ab -u %s --passphrase-file '%s'" % \
> +                          (gpg_bin, pkgfeed_gpg_name, pkgfeed_gpg_pass)
> +
> +

I think you can combine this block with the "if gpg_cmd:" one below (move this
logic to the bottom and combine it with the content of the if gpg_cmd block)

          if not os.path.exists(os.path.join(self.deploy_dir, "Packages")):
>              open(os.path.join(self.deploy_dir, "Packages"), "w").close()
>  
>          index_cmds = []
> +        index_sign_files = []
>          for arch_var in arch_vars:
>              archs = self.d.getVar(arch_var, True)
>              if archs is None:
> @@ -196,6 +211,8 @@ class OpkgIndexer(Indexer):
>                  index_cmds.append('%s -r %s -p %s -m %s' %
>                                    (opkg_index_cmd, pkgs_file, pkgs_file, pkgs_dir))
>  
> +                index_sign_files.append(pkgs_file)
> +
>          if len(index_cmds) == 0:
>              bb.note("There are no packages in %s!" % self.deploy_dir)
>              return
> @@ -206,7 +223,11 @@ class OpkgIndexer(Indexer):
>          if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
>              raise NotImplementedError('Package feed signing not implementd for ipk')

Not needed anymore

> -
> +        if gpg_cmd:
> +            for f in index_sign_files:
> +                result = oe.utils.multiprocess_exec([gpg_cmd + ' ' + f], create_index)
> +                if result:
> +                    bb.fatal('%s' % ('\n'.join(result)))
>  
>  class DpkgIndexer(Indexer):
>      def _create_configs(self):
> 

-- 
Cheers,

Alejandro



* Re: [oe][PATCH 2/2] package_manager: support for signed IPK package feeds
From: Ioan-Adrian Ratiu @ 2015-11-18 10:01 UTC
  To: Alejandro del Castillo; +Cc: openembedded-core

On Tue, 17 Nov 2015 14:48:10 -0600
Alejandro del Castillo <alejandro.delcastillo@ni.com> wrote:

> 
> 
> On 11/17/2015 09:26 AM, Ioan-Adrian Ratiu wrote:
> > Create gpg signed package feeds if configured. Very similar to
> > how rpm does it. Most of the config variables are shared with
> > the rpm backend (like PACKAGE_FEED_GPG_NAME), with the exception
> > of PACKAGE_FEED_GPG_PUBKEY which is not needed in this case.
> > 
> > Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
> > ---
> >  meta/lib/oe/package_manager.py | 23 ++++++++++++++++++++++-
> >  1 file changed, 22 insertions(+), 1 deletion(-)
> > 
> > diff --git a/meta/lib/oe/package_manager.py
> > b/meta/lib/oe/package_manager.py index 964fddc..8528c9b 100644
> > --- a/meta/lib/oe/package_manager.py
> > +++ b/meta/lib/oe/package_manager.py
> > @@ -174,10 +174,25 @@ class OpkgIndexer(Indexer):
> >  
> >          opkg_index_cmd = bb.utils.which(os.getenv('PATH'),
> > "opkg-make-index") 
> > +        gpg_cmd = ''
> > +
> > +        # all these variables are needed to succesfully sign the
> > index, otherwise skip signing
> > +        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1' and \
> > +           self.d.getVar('PACKAGE_FEED_GPG_NAME', True) and \
> > +           self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True):
> > +                pkgfeed_gpg_name =
> > self.d.getVar('PACKAGE_FEED_GPG_NAME', True)
> > +                pkgfeed_gpg_pass =
> > self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
> > +                gpg_bin = self.d.getVar('GPG_BIN', True) or
> > bb.utils.which(os.getenv('PATH'), "gpg") +
> > +                gpg_cmd = "%s --no-use-agent --batch --yes -ab -u
> > %s --passphrase-file '%s'" % \
> > +                          (gpg_bin, pkgfeed_gpg_name,
> > pkgfeed_gpg_pass) +
> > +
> 
> I think you can combine this block with the "if gpg_cmd:" one below
> (move this logic to the bottom and combine it with the content of the
> if gpg_cmd block)
> 
>           if not os.path.exists(os.path.join(self.deploy_dir,
> "Packages")):
> >              open(os.path.join(self.deploy_dir, "Packages"),
> > "w").close() 
> >          index_cmds = []
> > +        index_sign_files = []
> >          for arch_var in arch_vars:
> >              archs = self.d.getVar(arch_var, True)
> >              if archs is None:
> > @@ -196,6 +211,8 @@ class OpkgIndexer(Indexer):
> >                  index_cmds.append('%s -r %s -p %s -m %s' %
> >                                    (opkg_index_cmd, pkgs_file,
> > pkgs_file, pkgs_dir)) 
> > +                index_sign_files.append(pkgs_file)
> > +
> >          if len(index_cmds) == 0:
> >              bb.note("There are no packages in %s!" %
> > self.deploy_dir) return
> > @@ -206,7 +223,11 @@ class OpkgIndexer(Indexer):
> >          if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
> >              raise NotImplementedError('Package feed signing not
> > implementd for ipk')
> 
> Not needed anymore
> 
> > -
> > +        if gpg_cmd:
> > +            for f in index_sign_files:
> > +                result = oe.utils.multiprocess_exec([gpg_cmd + ' '
> > + f], create_index)
> > +                if result:
> > +                    bb.fatal('%s' % ('\n'.join(result)))
> >  
> >  class DpkgIndexer(Indexer):
> >      def _create_configs(self):
> > 
> 

Writing this way was a choice to avoid code duplication and looping the
arches a second time. If I were to put all logic under the same
condition at the bottom as you suggest, I will have to duplicate all
code that recreates the pkgs_file values needed for signing.

Instead, IMO a better idea is to combine the first block (if
self.d.getVar('PACKAGE_FEED_SIGN'...) with the last one (if gpg_cmd) as
you suggest but keep the "index_sign_files.append(pkgs_file)" line to
avoid looping all the arches a second time and duplicate all that code.

I'll resubmit a v2 to exemplify what I'm saying here.

Question: Is there a better way to get the index file names without
looping through the arches? If yes, then all this code can be put under
a single if branch as you suggest and I agree this is the best case
scenario.



* [oe][PATCH v2 1/2] package_ipk: support signing of ipk packages
From: Ioan-Adrian Ratiu @ 2015-11-18 10:25 UTC
  To: openembedded-core

Minimum required opkg version: 3.0 (already in master/jethro).

Add a new bbclass for creating signatures for ipk files.
The signing process is very similar to the existing rpm signing,
but different in some important ways:
    - Signatures are stored outside the ipk files, opkg connects
to a feed server and downloads them as separate files which are
used to verify ipk's. These files go everywhere alongside the ipk.
    - Signatures can be of two types: binary (.sig) and ascii-armored
(.asc). By default OE and opkg use binary, can be configured by using
IPK_SIGNATURE_TYPE (in OE) and "option signature_type gpg-asc" in
opkg.
    - The public key is stored on device and the keyring managed
by the opkg-keyrings package. See its recipe for more details.

Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
---
 meta/classes/package_ipk.bbclass |  6 ++++
 meta/classes/sign_ipk.bbclass    | 73 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 meta/classes/sign_ipk.bbclass

diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass
index 4dd7a7e..c491b67 100644
--- a/meta/classes/package_ipk.bbclass
+++ b/meta/classes/package_ipk.bbclass
@@ -246,6 +246,12 @@ python do_package_ipk () {
             bb.utils.unlockfile(lf)
             raise bb.build.FuncFailed("opkg-build execution failed")
 
+        if d.getVar('IPK_SIGN_PACKAGES', True) == '1':
+            ipkver = "%s-%s" % (d.getVar('PKGV'), d.getVar('PKGR'))
+            ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, d.getVar('PACKAGE_ARCH', True))
+            d.setVar('IPK_TO_SIGN', ipk_to_sign)
+            bb.build.exec_func("sign_ipk", d)
+
         cleanupcontrol(root)
         bb.utils.unlockfile(lf)
 
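Review bot: bb.build.exec_func("sign_ipk", d) runs before cleanupcontrol(root) and bb.utils.unlockfile(lf), and sign_ipk raises FuncFailed("IPK signing failed") when gpg returns non-zero, so a signing error exits the function without reaching either call. The opkg-build failure path in the context lines just above calls bb.utils.unlockfile(lf) before raising; the signing call needs the same handling, for example a try/except that cleans up and unlocks before re-raising, or moving the signing after the unlock.
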
diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass
new file mode 100644
index 0000000..a4f1f3a
--- /dev/null
+++ b/meta/classes/sign_ipk.bbclass
@@ -0,0 +1,73 @@
+# Class for generating signed IPK packages.
+#
+# Configuration variables used by this class:
+# IPK_GPG_PASSPHRASE_FILE
+#           Path to a file containing the passphrase of the signing key.
+# IPK_GPG_NAME
+#           Name of the key to sign with.
+# IPK_SIGNATURE_TYPE
+#           Optional type of signature to accompany IPK files, can be:
+#                     1. Ascii armored (ASC)
+#                     2. Binary (BIN), default
+# GPG_BIN
+#           Optional variable for specifying the gpg binary/wrapper to use for
+#           signing.
+#
+
+inherit sanity
+
+IPK_SIGN_PACKAGES = '1'
+
+def ipksign_wrapper(d, ipk_file, passphrase, gpg_name=None, sigtype="BIN"):
+    import subprocess
+    from subprocess import Popen
+
+    keypipe = os.pipe()
+    os.write(keypipe[1], passphrase + '\n')
+
+    # use gpg from host PATH if user did not define a specific binary
+    cmd = [d.getVar('GPG_BIN', True) or bb.utils.which(os.getenv('PATH'), "gpg")]
+
+    if gpg_name:
+        cmd += ["-q", "--batch", "--yes", "-b", "-u", gpg_name]
+    else:
+        raise_sanity_error("You need to define IPK_GPG_NAME in bitbake config", d)
+
+    # transmit using pipes for security
+    cmd += ["--passphrase-fd",  str(keypipe[0])]
+
+    # ascii armored or binary signatures
+    if sigtype.lower() == "ASC".lower():
+        cmd += ["-a"]
+    elif sigtype.lower() != "BIN".lower():
+        raise_sanity_error("Invalid IPK_SIGNATURE_TYPE in bitbake config", d)
+
+    cmd += [ipk_file]
+
+    p = Popen(cmd, stdin=subprocess.PIPE)
+    p.wait()
+
+    os.close(keypipe[1])
+    os.close(keypipe[0])
+
+    return p.returncode
+
+
+python sign_ipk () {
+    ipk_gpg_pass_file = (d.getVar("IPK_GPG_PASSPHRASE_FILE", True) or "")
+    if ipk_gpg_pass_file:
+        with open(ipk_gpg_pass_file) as fobj:
+            ipk_gpg_passphrase = fobj.readlines()[0].rstrip('\n')
+    else:
+        raise_sanity_error("You need to define IPK_GPG_PASSPHRASE_FILE in the config", d)
+
+    ipk_gpg_name = (d.getVar("IPK_GPG_NAME", True) or "")
+
+    ipk_file = d.getVar('IPK_TO_SIGN')
+    bb.debug(1, 'IPK_TO_SIGN: %s' % ipk_file)
+
+    sigtype = (d.getVar("IPK_SIGNATURE_TYPE", True) or "")
+
+    if ipksign_wrapper(d, ipk_file, ipk_gpg_passphrase, ipk_gpg_name, sigtype) != 0:
+        raise bb.build.FuncFailed("IPK signing failed")
+}
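
Review bot: ipksign_wrapper creates the pipe and writes the passphrase into it before gpg_name and sigtype are validated, so both raise_sanity_error branches, and any exception from Popen, skip the os.close calls at the end and leave the descriptors open with the passphrase still buffered. Validate the arguments first and wrap the Popen and p.wait() in a try/finally that closes both ends. stdin=subprocess.PIPE is also opened but never written to or closed; if gpg is not meant to read stdin it can be dropped.
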
-- 
2.1.4




* [oe][PATCH v2 2/2] package_manager: support for signed IPK package feeds
From: Ioan-Adrian Ratiu @ 2015-11-18 10:25 UTC
  To: openembedded-core

Create gpg signed package feeds if configured. Very similar to
how rpm does it. Most of the config variables are shared with
the rpm backend (like PACKAGE_FEED_GPG_NAME), with the exception
of PACKAGE_FEED_GPG_PUBKEY which is not needed in this case.

Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
---
 meta/lib/oe/package_manager.py | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index 964fddc..a0fe0eb 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -178,6 +178,7 @@ class OpkgIndexer(Indexer):
             open(os.path.join(self.deploy_dir, "Packages"), "w").close()
 
         index_cmds = []
+        index_sign_files = []
         for arch_var in arch_vars:
             archs = self.d.getVar(arch_var, True)
             if archs is None:
@@ -196,6 +197,8 @@ class OpkgIndexer(Indexer):
                 index_cmds.append('%s -r %s -p %s -m %s' %
                                   (opkg_index_cmd, pkgs_file, pkgs_file, pkgs_dir))
 
+                index_sign_files.append(pkgs_file)
+
         if len(index_cmds) == 0:
             bb.note("There are no packages in %s!" % self.deploy_dir)
             return
@@ -206,7 +209,21 @@ class OpkgIndexer(Indexer):
         if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
             raise NotImplementedError('Package feed signing not implementd for ipk')
 
-
+        # all these variables are needed to succesfully sign the index, otherwise skip signing
+        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1' and \
+           self.d.getVar('PACKAGE_FEED_GPG_NAME', True) and \
+           self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True):
+                pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME', True)
+                pkgfeed_gpg_pass = self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
+                gpg_bin = self.d.getVar('GPG_BIN', True) or bb.utils.which(os.getenv('PATH'), "gpg")
+
+                gpg_cmd = "%s --no-use-agent --batch --yes -ab -u %s --passphrase-file '%s'" % \
+                          (gpg_bin, pkgfeed_gpg_name, pkgfeed_gpg_pass)
+
+                for f in index_sign_files:
+                    result = oe.utils.multiprocess_exec([gpg_cmd + ' ' + f], create_index)
+                    if result:
+                        bb.fatal('%s' % ('\n'.join(result)))
 
 class DpkgIndexer(Indexer):
     def _create_configs(self):
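
Review bot: the new condition treats a missing PACKAGE_FEED_GPG_NAME or PACKAGE_FEED_GPG_PASSPHRASE_FILE as "skip signing", as its comment says, so once the NotImplementedError guard in the context lines above is dropped, a build with PACKAGE_FEED_SIGN = '1' and an incomplete key configuration produces an unsigned index with no message. Since a signed feed was requested, that case should stop the build with bb.fatal naming the missing variable, the way sign_ipk in 1/2 raises a sanity error. Also, -ab always writes an ASCII-armored signature, while the 1/2 commit message describes binary as the default type; is the index signature meant to ignore IPK_SIGNATURE_TYPE?
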
-- 
2.1.4




* Re: [oe][PATCH v2 2/2] package_manager: support for signed IPK package feeds
From: Alejandro del Castillo @ 2015-11-18 16:00 UTC
  To: Ioan-Adrian Ratiu, openembedded-core



On 11/18/2015 04:25 AM, Ioan-Adrian Ratiu wrote:
> Create gpg signed package feeds if configured. Very similar to
> how rpm does it. Most of the config variables are shared with
> the rpm backend (like PACKAGE_FEED_GPG_NAME), with the exception
> of PACKAGE_FEED_GPG_PUBKEY which is not needed in this case.
> 
> Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
> ---
>  meta/lib/oe/package_manager.py | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
> index 964fddc..a0fe0eb 100644
> --- a/meta/lib/oe/package_manager.py
> +++ b/meta/lib/oe/package_manager.py
> @@ -178,6 +178,7 @@ class OpkgIndexer(Indexer):
>              open(os.path.join(self.deploy_dir, "Packages"), "w").close()
>  
>          index_cmds = []
> +        index_sign_files = []
>          for arch_var in arch_vars:
>              archs = self.d.getVar(arch_var, True)
>              if archs is None:
> @@ -196,6 +197,8 @@ class OpkgIndexer(Indexer):
>                  index_cmds.append('%s -r %s -p %s -m %s' %
>                                    (opkg_index_cmd, pkgs_file, pkgs_file, pkgs_dir))
>  
> +                index_sign_files.append(pkgs_file)
> +
>          if len(index_cmds) == 0:
>              bb.note("There are no packages in %s!" % self.deploy_dir)
>              return
> @@ -206,7 +209,21 @@ class OpkgIndexer(Indexer):
>          if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
>              raise NotImplementedError('Package feed signing not implementd for ipk')

Forgot to remove?

> -
> +        # all these variables are needed to succesfully sign the index, otherwise skip signing
> +        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1' and \
> +           self.d.getVar('PACKAGE_FEED_GPG_NAME', True) and \
> +           self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True):
> +                pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME', True)
> +                pkgfeed_gpg_pass = self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
> +                gpg_bin = self.d.getVar('GPG_BIN', True) or bb.utils.which(os.getenv('PATH'), "gpg")
> +
> +                gpg_cmd = "%s --no-use-agent --batch --yes -ab -u %s --passphrase-file '%s'" % \
> +                          (gpg_bin, pkgfeed_gpg_name, pkgfeed_gpg_pass)
> +
> +                for f in index_sign_files:
> +                    result = oe.utils.multiprocess_exec([gpg_cmd + ' ' + f], create_index)
> +                    if result:
> +                        bb.fatal('%s' % ('\n'.join(result)))
>  
>  class DpkgIndexer(Indexer):
>      def _create_configs(self):
> 

This is the approach that I was suggesting, looks good.

-- 
Cheers,

Alejandro



* Re: [oe][PATCH v2 2/2] package_manager: support for signed IPK package feeds
From: Ioan-Adrian Ratiu @ 2015-11-19  8:35 UTC
  To: Alejandro del Castillo; +Cc: openembedded-core

On Wed, 18 Nov 2015 10:00:23 -0600
Alejandro del Castillo <alejandro.delcastillo@ni.com> wrote:

> 
> 
> On 11/18/2015 04:25 AM, Ioan-Adrian Ratiu wrote:
> > Create gpg signed package feeds if configured. Very similar to
> > how rpm does it. Most of the config variables are shared with
> > the rpm backend (like PACKAGE_FEED_GPG_NAME), with the exception
> > of PACKAGE_FEED_GPG_PUBKEY which is not needed in this case.
> > 
> > Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
> > ---
> >  meta/lib/oe/package_manager.py | 19 ++++++++++++++++++-
> >  1 file changed, 18 insertions(+), 1 deletion(-)
> > 
> > diff --git a/meta/lib/oe/package_manager.py
> > b/meta/lib/oe/package_manager.py index 964fddc..a0fe0eb 100644
> > --- a/meta/lib/oe/package_manager.py
> > +++ b/meta/lib/oe/package_manager.py
> > @@ -178,6 +178,7 @@ class OpkgIndexer(Indexer):
> >              open(os.path.join(self.deploy_dir, "Packages"),
> > "w").close() 
> >          index_cmds = []
> > +        index_sign_files = []
> >          for arch_var in arch_vars:
> >              archs = self.d.getVar(arch_var, True)
> >              if archs is None:
> > @@ -196,6 +197,8 @@ class OpkgIndexer(Indexer):
> >                  index_cmds.append('%s -r %s -p %s -m %s' %
> >                                    (opkg_index_cmd, pkgs_file,
> > pkgs_file, pkgs_dir)) 
> > +                index_sign_files.append(pkgs_file)
> > +
> >          if len(index_cmds) == 0:
> >              bb.note("There are no packages in %s!" %
> > self.deploy_dir) return
> > @@ -206,7 +209,21 @@ class OpkgIndexer(Indexer):
> >          if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
> >              raise NotImplementedError('Package feed signing not
> > implementd for ipk')
> 
> Forgot to remove?

No. Please read my previous mail, this is needed to avoid duplicating
those arch loops.

I specifically asked the question if we can't get the package feed file
names in another way; if so, then we can remove this.

> 
> > -
> > +        # all these variables are needed to succesfully sign the
> > index, otherwise skip signing
> > +        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1' and \
> > +           self.d.getVar('PACKAGE_FEED_GPG_NAME', True) and \
> > +           self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True):
> > +                pkgfeed_gpg_name =
> > self.d.getVar('PACKAGE_FEED_GPG_NAME', True)
> > +                pkgfeed_gpg_pass =
> > self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
> > +                gpg_bin = self.d.getVar('GPG_BIN', True) or
> > bb.utils.which(os.getenv('PATH'), "gpg") +
> > +                gpg_cmd = "%s --no-use-agent --batch --yes -ab -u
> > %s --passphrase-file '%s'" % \
> > +                          (gpg_bin, pkgfeed_gpg_name,
> > pkgfeed_gpg_pass) +
> > +                for f in index_sign_files:
> > +                    result = oe.utils.multiprocess_exec([gpg_cmd +
> > ' ' + f], create_index)
> > +                    if result:
> > +                        bb.fatal('%s' % ('\n'.join(result)))
> >  
> >  class DpkgIndexer(Indexer):
> >      def _create_configs(self):
> > 
> 
> This is the approach that I was suggesting, looks good.
> 

Yes, thank you. 



* Re: [oe][PATCH v2 2/2] package_manager: support for signed IPK package feeds
From: Alejandro del Castillo @ 2015-11-19 15:29 UTC
  To: Ioan-Adrian Ratiu; +Cc: openembedded-core



On 11/19/2015 02:35 AM, Ioan-Adrian Ratiu wrote:
> On Wed, 18 Nov 2015 10:00:23 -0600
> Alejandro del Castillo <alejandro.delcastillo@ni.com> wrote:
> 
>>
>>
>> On 11/18/2015 04:25 AM, Ioan-Adrian Ratiu wrote:
>>> Create gpg signed package feeds if configured. Very similar to
>>> how rpm does it. Most of the config variables are shared with
>>> the rpm backend (like PACKAGE_FEED_GPG_NAME), with the exception
>>> of PACKAGE_FEED_GPG_PUBKEY which is not needed in this case.
>>>
>>> Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
>>> ---
>>>  meta/lib/oe/package_manager.py | 19 ++++++++++++++++++-
>>>  1 file changed, 18 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/meta/lib/oe/package_manager.py
>>> b/meta/lib/oe/package_manager.py index 964fddc..a0fe0eb 100644
>>> --- a/meta/lib/oe/package_manager.py
>>> +++ b/meta/lib/oe/package_manager.py
>>> @@ -178,6 +178,7 @@ class OpkgIndexer(Indexer):
>>>              open(os.path.join(self.deploy_dir, "Packages"),
>>> "w").close() 
>>>          index_cmds = []
>>> +        index_sign_files = []
>>>          for arch_var in arch_vars:
>>>              archs = self.d.getVar(arch_var, True)
>>>              if archs is None:
>>> @@ -196,6 +197,8 @@ class OpkgIndexer(Indexer):
>>>                  index_cmds.append('%s -r %s -p %s -m %s' %
>>>                                    (opkg_index_cmd, pkgs_file,
>>> pkgs_file, pkgs_dir)) 
>>> +                index_sign_files.append(pkgs_file)
>>> +
>>>          if len(index_cmds) == 0:
>>>              bb.note("There are no packages in %s!" %
>>> self.deploy_dir) return
>>> @@ -206,7 +209,21 @@ class OpkgIndexer(Indexer):
>>>          if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
>>>              raise NotImplementedError('Package feed signing not
>>> implementd for ipk')
>>
>> Forgot to remove?
> 
> No. Please read my previous mail, this is needed to avoid duplicating
> those arch loops.
> 
> I specifically asked the question if we can't get the package feed file
> names in another way; if so, then we can remove this.
> 

I think we might be talking about different things. Here is the piece of code
that should be removed:

if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
     raise NotImplementedError('Package feed signing not implementd for ipk')


-- 
Cheers,

Alejandro



* [oe][PATCH v3 1/2] package_ipk: support signing of ipk packages
  2015-11-17 15:26 [oe][PATCH 1/2] package_ipk: support signing of ipk packages Ioan-Adrian Ratiu
  2015-11-17 15:26 ` [oe][PATCH 2/2] package_manager: support for signed IPK package feeds Ioan-Adrian Ratiu
  2015-11-18 10:25 ` [oe][PATCH v2 1/2] package_ipk: support signing of ipk packages Ioan-Adrian Ratiu
@ 2015-11-19 15:41 ` Ioan-Adrian Ratiu
  2015-11-19 15:41   ` [oe][PATCH v3 2/2] package_manager: support for signed IPK package feeds Ioan-Adrian Ratiu
  2 siblings, 1 reply; 12+ messages in thread
From: Ioan-Adrian Ratiu @ 2015-11-19 15:41 UTC (permalink / raw)
  To: openembedded-core

Minimum required opkg version: 3.0 (already in master/jethro).

Add a new bbclass for creating signatures for ipk files.
The signing process is very similar to the existing rpm signing,
but different in some important ways:
    - Signatures are stored outside the ipk files, opkg connects
to a feed server and downloads them as separate files which are
used to verify ipk's. These files go everywhere alongside the ipk.
    - Signatures can be of two types: binary (.sig) and ascii-armored
(.asc). By default OE and opkg use binary, can be configured by using
IPK_SIGNATURE_TYPE (in OE) and "option signature_type gpg-asc" in
opkg.
    - The public key is stored on device and the keyring managed
by the opkg-keyrings package. See its recipe for more details.

Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
---
 meta/classes/package_ipk.bbclass |  6 ++++
 meta/classes/sign_ipk.bbclass    | 73 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 meta/classes/sign_ipk.bbclass

diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass
index 4dd7a7e..c491b67 100644
--- a/meta/classes/package_ipk.bbclass
+++ b/meta/classes/package_ipk.bbclass
@@ -246,6 +246,12 @@ python do_package_ipk () {
             bb.utils.unlockfile(lf)
             raise bb.build.FuncFailed("opkg-build execution failed")
 
+        if d.getVar('IPK_SIGN_PACKAGES', True) == '1':
+            ipkver = "%s-%s" % (d.getVar('PKGV'), d.getVar('PKGR'))
+            ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, d.getVar('PACKAGE_ARCH', True))
+            d.setVar('IPK_TO_SIGN', ipk_to_sign)
+            bb.build.exec_func("sign_ipk", d)
+
         cleanupcontrol(root)
         bb.utils.unlockfile(lf)
 
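Review bot: The two lookups that build ipkver, d.getVar('PKGV') and d.getVar('PKGR'), omit the expand argument that the PACKAGE_ARCH lookup on the next line passes, so any unexpanded reference in either value ends up literally in ipk_to_sign and sign_ipk is pointed at a path that does not exist. Pass True to both, and consider checking os.path.exists(ipk_to_sign) before exec_func so that a name mismatch with what opkg-build wrote fails with a clear message rather than a gpg error.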
diff --git a/meta/classes/sign_ipk.bbclass b/meta/classes/sign_ipk.bbclass
new file mode 100644
index 0000000..a4f1f3a
--- /dev/null
+++ b/meta/classes/sign_ipk.bbclass
@@ -0,0 +1,73 @@
+# Class for generating signed IPK packages.
+#
+# Configuration variables used by this class:
+# IPK_GPG_PASSPHRASE_FILE
+#           Path to a file containing the passphrase of the signing key.
+# IPK_GPG_NAME
+#           Name of the key to sign with.
+# IPK_SIGNATURE_TYPE
+#           Optional type of signature to accompany IPK files, can be:
+#                     1. Ascii armored (ASC)
+#                     2. Binary (BIN), default
+# GPG_BIN
+#           Optional variable for specifying the gpg binary/wrapper to use for
+#           signing.
+#
+
+inherit sanity
+
+IPK_SIGN_PACKAGES = '1'
+
+def ipksign_wrapper(d, ipk_file, passphrase, gpg_name=None, sigtype="BIN"):
+    import subprocess
+    from subprocess import Popen
+
+    keypipe = os.pipe()
+    os.write(keypipe[1], passphrase + '\n')
+
+    # use gpg from host PATH if user did not define a specific binary
+    cmd = [d.getVar('GPG_BIN', True) or bb.utils.which(os.getenv('PATH'), "gpg")]
+
+    if gpg_name:
+        cmd += ["-q", "--batch", "--yes", "-b", "-u", gpg_name]
+    else:
+        raise_sanity_error("You need to define IPK_GPG_NAME in bitbake config", d)
+
+    # transmit using pipes for security
+    cmd += ["--passphrase-fd",  str(keypipe[0])]
+
+    # ascii armored or binary signatures
+    if sigtype.lower() == "ASC".lower():
+        cmd += ["-a"]
+    elif sigtype.lower() != "BIN".lower():
+        raise_sanity_error("Invalid IPK_SIGNATURE_TYPE in bitbake config", d)
+
+    cmd += [ipk_file]
+
+    p = Popen(cmd, stdin=subprocess.PIPE)
+    p.wait()
+
+    os.close(keypipe[1])
+    os.close(keypipe[0])
+
+    return p.returncode
+
+
+python sign_ipk () {
+    ipk_gpg_pass_file = (d.getVar("IPK_GPG_PASSPHRASE_FILE", True) or "")
+    if ipk_gpg_pass_file:
+        with open(ipk_gpg_pass_file) as fobj:
+            ipk_gpg_passphrase = fobj.readlines()[0].rstrip('\n')
+    else:
+        raise_sanity_error("You need to define IPK_GPG_PASSPHRASE_FILE in the config", d)
+
+    ipk_gpg_name = (d.getVar("IPK_GPG_NAME", True) or "")
+
+    ipk_file = d.getVar('IPK_TO_SIGN')
+    bb.debug(1, 'IPK_TO_SIGN: %s' % ipk_file)
+
+    sigtype = (d.getVar("IPK_SIGNATURE_TYPE", True) or "")
+
+    if ipksign_wrapper(d, ipk_file, ipk_gpg_passphrase, ipk_gpg_name, sigtype) != 0:
+        raise bb.build.FuncFailed("IPK signing failed")
+}
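Review bot: In sign_ipk, sigtype = (d.getVar("IPK_SIGNATURE_TYPE", True) or "") passes an empty string when the variable is unset, which overrides the sigtype="BIN" default of ipksign_wrapper and falls into the "Invalid IPK_SIGNATURE_TYPE" branch, so the binary default documented in the header comment only works when the variable is set explicitly. Use or "BIN" here. Two smaller points: in ipksign_wrapper the gpg_name and sigtype checks run after os.pipe() and os.write(), so the error paths skip the os.close() calls and leave both descriptors open with the passphrase still in the pipe (validate first, then close in a finally block); and fobj.readlines()[0] raises IndexError on an empty passphrase file instead of reaching the sanity error.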
-- 
2.1.4




* [oe][PATCH v3 2/2] package_manager: support for signed IPK package feeds
  2015-11-19 15:41 ` [oe][PATCH v3 1/2] package_ipk: support signing of ipk packages Ioan-Adrian Ratiu
@ 2015-11-19 15:41   ` Ioan-Adrian Ratiu
  2015-11-19 15:58     ` Alejandro del Castillo
  0 siblings, 1 reply; 12+ messages in thread
From: Ioan-Adrian Ratiu @ 2015-11-19 15:41 UTC (permalink / raw)
  To: openembedded-core

Create gpg signed package feeds if configured. Very similar to
how rpm does it. Most of the config variables are shared with
the rpm backend (like PACKAGE_FEED_GPG_NAME), with the exception
of PACKAGE_FEED_GPG_PUBKEY which is not needed in this case.

Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
---
 meta/lib/oe/package_manager.py | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index 964fddc..091cb7f 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -178,6 +178,7 @@ class OpkgIndexer(Indexer):
             open(os.path.join(self.deploy_dir, "Packages"), "w").close()
 
         index_cmds = []
+        index_sign_files = []
         for arch_var in arch_vars:
             archs = self.d.getVar(arch_var, True)
             if archs is None:
@@ -196,6 +197,8 @@ class OpkgIndexer(Indexer):
                 index_cmds.append('%s -r %s -p %s -m %s' %
                                   (opkg_index_cmd, pkgs_file, pkgs_file, pkgs_dir))
 
+                index_sign_files.append(pkgs_file)
+
         if len(index_cmds) == 0:
             bb.note("There are no packages in %s!" % self.deploy_dir)
             return
@@ -203,10 +206,22 @@ class OpkgIndexer(Indexer):
         result = oe.utils.multiprocess_exec(index_cmds, create_index)
         if result:
             bb.fatal('%s' % ('\n'.join(result)))
-        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
-            raise NotImplementedError('Package feed signing not implementd for ipk')
-
 
+        # all these variables are needed to succesfully sign the index, otherwise skip signing
+        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1' and \
+           self.d.getVar('PACKAGE_FEED_GPG_NAME', True) and \
+           self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True):
+                pkgfeed_gpg_name = self.d.getVar('PACKAGE_FEED_GPG_NAME', True)
+                pkgfeed_gpg_pass = self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True)
+                gpg_bin = self.d.getVar('GPG_BIN', True) or bb.utils.which(os.getenv('PATH'), "gpg")
+
+                gpg_cmd = "%s --no-use-agent --batch --yes -ab -u %s --passphrase-file '%s'" % \
+                          (gpg_bin, pkgfeed_gpg_name, pkgfeed_gpg_pass)
+
+                for f in index_sign_files:
+                    result = oe.utils.multiprocess_exec([gpg_cmd + ' ' + f], create_index)
+                    if result:
+                        bb.fatal('%s' % ('\n'.join(result)))
 
 class DpkgIndexer(Indexer):
     def _create_configs(self):
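Review bot: The new condition requires PACKAGE_FEED_GPG_NAME and PACKAGE_FEED_GPG_PASSPHRASE_FILE in addition to PACKAGE_FEED_SIGN == '1', so a build that asks for a signed feed but is missing either variable now produces an unsigned index with no message, where the removed code at least raised. Keep the outer test on PACKAGE_FEED_SIGN alone and call bb.fatal() (or at minimum bb.warn()) when the key name or passphrase file is unset. Also, -ab always writes an ASCII-armored signature, while patch 1/2 defaults package signatures to binary and its commit message says opkg selects the type with "option signature_type"; either document that the feed signature is always .asc or honour the same setting here.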
-- 
2.1.4




* Re: [oe][PATCH v3 2/2] package_manager: support for signed IPK package feeds
  2015-11-19 15:41   ` [oe][PATCH v3 2/2] package_manager: support for signed IPK package feeds Ioan-Adrian Ratiu
@ 2015-11-19 15:58     ` Alejandro del Castillo
  0 siblings, 0 replies; 12+ messages in thread
From: Alejandro del Castillo @ 2015-11-19 15:58 UTC (permalink / raw)
  To: Ioan-Adrian Ratiu, openembedded-core



On 11/19/2015 09:41 AM, Ioan-Adrian Ratiu wrote:
> Create gpg signed package feeds if configured. Very similar to
> how rpm does it. Most of the config variables are shared with
> the rpm backend (like PACKAGE_FEED_GPG_NAME), with the exception
> of PACKAGE_FEED_GPG_PUBKEY which is not needed in this case.
> 
> Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>

Acked-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>

-- 
Cheers,

Alejandro

