* [PATCH v2] Validate shared state against list of keys
@ 2021-10-13 4:04 Dan McGregor
0 siblings, 0 replies; only message in thread
From: Dan McGregor @ 2021-10-13 4:04 UTC (permalink / raw)
To: openembedded-core; +Cc: Daniel McGregor
From: Daniel McGregor <daniel.mcgregor@vecima.com>
Allow a user to validate sstate objects against a list of keys, instead
of just any known key in the user's keychain.
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
---
meta/classes/sstate.bbclass | 5 ++++-
meta/lib/oe/gpg_sign.py | 27 ++++++++++++++++++++++-----
2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index 701a19bc612..3bc92eda3dd 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -114,6 +114,9 @@ SSTATE_SIG_KEY ?= ""
SSTATE_SIG_PASSPHRASE ?= ""
# Whether to verify the GnUPG signatures when extracting sstate archives
SSTATE_VERIFY_SIG ?= "0"
+# List of signatures to consider valid.
+SSTATE_VALID_SIGS ??= ""
+SSTATE_VALID_SIGS[vardepvalue] = ""
SSTATE_HASHEQUIV_METHOD ?= "oe.sstatesig.OEOuthashBasic"
SSTATE_HASHEQUIV_METHOD[doc] = "The fully-qualified function used to calculate \
@@ -370,7 +373,7 @@ def sstate_installpkg(ss, d):
bb.warn("No signature file for sstate package %s, skipping acceleration..." % sstatepkg)
return False
signer = get_signer(d, 'local')
- if not signer.verify(sstatepkg + '.sig'):
+ if not signer.verify(sstatepkg + '.sig', d.getVar("SSTATE_VALID_SIGS")):
bb.warn("Cannot verify signature on sstate package %s, skipping acceleration..." % sstatepkg)
return False
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 492f096eaa7..1bce6cb7924 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -109,16 +109,33 @@ class LocalSigner(object):
bb.fatal("Could not get gpg version: %s" % e)
- def verify(self, sig_file):
+ def verify(self, sig_file, valid_sigs = ''):
"""Verify signature"""
- cmd = self.gpg_cmd + ["--verify", "--no-permission-warning"]
+ cmd = self.gpg_cmd + ["--verify", "--no-permission-warning", "--status-fd", "1"]
if self.gpg_path:
cmd += ["--homedir", self.gpg_path]
cmd += [sig_file]
- status = subprocess.call(cmd)
- ret = False if status else True
- return ret
+ status = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ # Valid if any key matches if unspecified
+ if not valid_sigs:
+ ret = False if status.returncode else True
+ return ret
+
+ import re
+ goodsigs = []
+ sigre = re.compile(r'^\[GNUPG:\] GOODSIG (\S+)\s(.*)$')
+ for l in status.stdout.decode("utf-8").splitlines():
+ s = sigre.match(l)
+ if s:
+ goodsigs += [s.group(1)]
+
+ for sig in valid_sigs.split():
+ if sig in goodsigs:
+ return True
+ if len(goodsigs):
+ bb.warn('No accepted signatures found. Good signatures found: %s.' % ' '.join(goodsigs))
+ return False
def get_signer(d, backend):
--
2.31.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2021-10-13 4:05 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-13 4:04 [PATCH v2] Validate shared state against list of keys Dan McGregor
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).