WIP: implement OBSSIGN_DELSIGN option

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>

diff --git a/meta/classes/sign_package_feed.bbclass b/meta/classes/sign_package_feed.bbclass
index 953fa85053dfdb8700c4926d1b095effde7ca22a..cf91750ec737d6180477db88659f2db6e92fcd52 100644 (file)
--- a/meta/classes/sign_package_feed.bbclass
+++ b/meta/classes/sign_package_feed.bbclass
@@ -15,6 +15,10 @@
 #           signing.
 # GPG_PATH
 #           Optional variable for specifying the gnupg "home" directory:
+# OBSSIGN_DELSIGN
+#           Optional variable, effective only when 'obssign' backend is enabled.
+#           Set to "1" to remove existing signatures from the RPM packages
+#           before signing with obs-sign.
 #
 inherit sanity
 

diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
index 8be1c35935198f87e54337cc703265b4a38bc571..d247baad74c06c06f10556bc9763958772373701 100644 (file)
--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -14,6 +14,10 @@
 #           signing.
 # GPG_PATH
 #           Optional variable for specifying the gnupg "home" directory:
+# OBSSIGN_DELSIGN
+#           Optional variable, effective only when 'obssign' backend is enabled.
+#           Set to "1" to remove existing signatures from the RPM packages
+#           before signing with obs-sign.
 #
 inherit sanity
 

diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index d8ab816a848d97adf3f3045ab65fced70c0800af..447c23be292cc7ea7e50b53d947e1d2ea224591d 100644 (file)
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -68,9 +68,10 @@ class LocalSigner(object):
 
 class ObsSigner(object):
     """Class for handling signing with obs-signd"""
-    def __init__(self, keyid):
+    def __init__(self, d, keyid):
         self.keyid = keyid
         self.rpm_bin = bb.utils.which(os.getenv('PATH'), "rpm")
+        self.del_old_sign = d.getVar('OBSSIGN_DELSIGN', True) == "1"
 
     def export_pubkey(self, output_file):
         """Export GPG public key to a file"""
@@ -87,16 +88,19 @@ class ObsSigner(object):
         """Sign RPM files"""
         import pexpect
 
-        # Remove existing signatures
-        cmd = "%s --delsign %s" % (self.rpm_bin, ' '.join(files))
-        status, output = oe.utils.getstatusoutput(cmd)
-        if status:
-            raise bb.build.FuncFailed("Failed to remove RPM signatures: %s" %
-                                      output)
+        # Remove existing signatures. This is a workaround for a limitation
+        # of obs-signd: sign is not able to add additional signatures and fails
+        # if existing signatures are found in the RPM package.
+        if self.del_old_sign:
+            cmd = "%s --delsign %s" % (self.rpm_bin, ' '.join(files))
+            status, output = oe.utils.getstatusoutput(cmd)
+            if status:
+                raise bb.build.FuncFailed("Failed to remove RPM signatures: %s" %
+                                          output)
         # Sign packages
         cmd = "sign -u '%s' -r %s" % (self.keyid, ' '.join(files))
         status, output = oe.utils.getstatusoutput(cmd)
-        if status:
+        if status or [line for line in output.splitlines() if line.endswith('already signed')]:
             raise bb.build.FuncFailed("Failed to sign RPM packages: %s" %
                                       output)
 
@@ -118,7 +122,7 @@ def get_signer(d, backend, keyid, passphrase_file):
         if passphrase_file:
             bb.note("GPG passphrase file setting not used when 'obssign' "
                     "backend is used.")
-        return ObsSigner(keyid)
+        return ObsSigner(d, keyid)
     else:
         bb.fatal("Unsupported signing backend '%s'" % backend)