SIGGEN_LOCKEDSIGS_CHECK_LEVEL ?= 'error'
+# The GnuPG key ID and passphrase to use to sign sstate archives (or unset to
+# not sign)
+SSTATE_SIG_KEY ?= ""
+SSTATE_SIG_PASSPHRASE ?= ""
+# Whether to verify the GnUPG signatures when extracting sstate archives
+SSTATE_VERIFY_SIG ?= "0"
+
# Specify dirs in which the shell function is executed and don't use ${B}
# as default dirs to avoid possible race about ${B} with other task.
sstate_create_package[dirs] = "${SSTATE_BUILDDIR}"
d.setVar('SSTATE_INSTDIR', sstateinst)
d.setVar('SSTATE_PKG', sstatepkg)
+ if bb.utils.to_boolean(d.getVar("SSTATE_VERIFY_SIG", True), False):
+ if subprocess.call(["gpg", "--verify", sstatepkg + ".sig", sstatepkg]) != 0:
+ bb.warn("Cannot verify signature on sstate package %s" % sstatepkg)
+
for f in (d.getVar('SSTATEPREINSTFUNCS', True) or '').split() + ['sstate_unpack_package'] + (d.getVar('SSTATEPOSTUNPACKFUNCS', True) or '').split():
bb.build.exec_func(f, d)
# Try a fetch from the sstate mirror, if it fails just return and
# we will build the package
for srcuri in ['file://{0}'.format(sstatefetch),
- 'file://{0}.siginfo'.format(sstatefetch)]:
+ 'file://{0}.siginfo'.format(sstatefetch),
+ 'file://{0}.sig'.format(sstatefetch)]:
localdata.setVar('SRC_URI', srcuri)
try:
fetcher = bb.fetch2.Fetch([srcuri], localdata, cache=False)
chmod 0664 $TFILE
mv -f $TFILE ${SSTATE_PKG}
+ if [ -n "${SSTATE_SIG_KEY}" ]; then
+ rm -f ${SSTATE_PKG}.sig
+ echo ${SSTATE_SIG_PASSPHRASE} | gpg --batch --passphrase-fd 0 --detach-sign --local-user ${SSTATE_SIG_KEY} --output ${SSTATE_PKG}.sig ${SSTATE_PKG}
+ fi
+
cd ${WORKDIR}
rm -rf ${SSTATE_BUILDDIR}
}
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
