
[patch] Building signed packages directly



Hi tech-pkg@,

I'd like to get this patch reviewed before committing. It adds the
following variables to mk.conf:

 * SIGN_PACKAGES, to sign the packages generated with the method
   specified (possible: gpg, x509)

 * X509_KEY, the key to use when signing packages with an X509
   certificate (holds the pathname to the key file)

 * X509_CERTIFICATE, the certificate to use when signing packages with
   an X509 certificate (holds the pathname to the X509 certificate)

All these variables are optional; the latter two are only required if
the first is set to "x509". The "gpg" signing method uses the existing
support in pkg_admin(1) and therefore pkg_install.conf(5).

The patch also updates mk/pkgformat/pkg/package.mk to create signed
packages: the unsigned staging package is turned directly into a signed
one by pkg_admin(1).

HTH,
-- 
khorben
commit a400f683c7893bdf693c37afa8bfb8b4fb5eef36
Author: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date:   Wed Mar 26 14:28:02 2014 +0100

    Added support for creating signed binary packages directly

diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
index 2e42e86..55affa4 100644
--- a/mk/defaults/mk.conf
+++ b/mk/defaults/mk.conf
@@ -86,6 +86,21 @@ SIGN_PACKAGES= gpg
 # Possible: defined, not defined
 # Default: not defined
 
+#SIGN_PACKAGES=
+# sign the packages generated (when supported) with the method specified.
+# Possible: gpg, x509, not defined
+# Default: not defined
+
+#X509_KEY=
+# key to use when signing packages with an X509 certificate.
+# Possible: pathname to the key file, not defined
+# Default: not defined
+
+#X509_CERTIFICATE=
+# certificate to use when signing packages with an X509 certificate.
+# Possible: pathname to the X509 certificate, not defined
+# Default: not defined
+
 .if defined(PKG_DEVELOPER) && ${PKG_DEVELOPER} != "no"
 PATCH_DEBUG?=
 .endif
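Review bot: The hunk header's context text `SIGN_PACKAGES= gpg` on line 44 suggests an entry for SIGN_PACKAGES already exists earlier in mk/defaults/mk.conf, so the block added at lines 48-51 may describe the same variable a second time; if that is the case, extend the existing entry rather than adding a duplicate. The X509_KEY entry names a private key file and this defaults file is where builders look for handling guidance, so add a line such as `# The key file should be readable only by the user running the build.` The SIGN_PACKAGES comment should also say what happens with other values, since package.mk matches the keywords gpg and x509 and otherwise falls through to the unsigned rule: `# Any other value is ignored and packages are left unsigned.`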
diff --git a/mk/pkgformat/pkg/package.mk b/mk/pkgformat/pkg/package.mk
index 3a0175b..5dff2e6 100644
--- a/mk/pkgformat/pkg/package.mk
+++ b/mk/pkgformat/pkg/package.mk
@@ -66,6 +66,33 @@ _PKG_ARGS_PACKAGE+=  -u ${REAL_ROOT_USER} -g 
${REAL_ROOT_GROUP}
 _PKG_ARGS_PACKAGE+=    -E
 .endif
 
+.if !empty(SIGN_PACKAGES:Mgpg)
+${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
+       ${RUN} ${MKDIR} ${.TARGET:H}
+       @${STEP_MSG} "Creating signed binary package ${.TARGET}"
+       ${RUN} tmpname=${.TARGET:S,${PKG_SUFX}$,.tmp${PKG_SUFX},};      \
+       if ${PKG_CREATE} ${_PKG_ARGS_PACKAGE} "$$tmpname"; then         \
+               ${PKG_ADMIN} gpg-sign-package "$$tmpname" ${.TARGET};   \
+               exitcode=$$?;                                           \
+               ${RM} -f "$$tmpname";                                   \
+               [ $$exitcode -eq 0 ] || exit $$exitcode;                \
+       else                                                            \
+               exitcode=$$?; ${RM} -f "$$tmpname"; exit $$exitcode;    \
+       fi
+.elif !empty(SIGN_PACKAGES:Mx509)
+${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
+       ${RUN} ${MKDIR} ${.TARGET:H}
+       @${STEP_MSG} "Creating signed binary package ${.TARGET}"
+       ${RUN} tmpname=${.TARGET:S,${PKG_SUFX}$,.tmp${PKG_SUFX},};      \
+       if ${PKG_CREATE} ${_PKG_ARGS_PACKAGE} "$$tmpname"; then         \
+               ${PKG_ADMIN} x509-sign-package "$$tmpname" ${.TARGET};  \
+               exitcode=$$?;                                           \
+               ${RM} -f "$$tmpname";                                   \
+               [ $$exitcode -eq 0 ] || exit $$exitcode;                \
+       else                                                            \
+               exitcode=$$?; ${RM} -f "$$tmpname"; exit $$exitcode;    \
+       fi
+.else
 ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
        ${RUN} ${MKDIR} ${.TARGET:H}
        @${STEP_MSG} "Creating binary package ${.TARGET}"
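Review bot: The x509 branch on line 94 runs `${PKG_ADMIN} x509-sign-package "$$tmpname" ${.TARGET}` with only the input and output paths and never references X509_KEY or X509_CERTIFICATE, the two variables this patch documents in mk.conf for exactly this purpose; if pkg_admin takes the key and certificate as trailing arguments, as the DESTDIR signing branch outside this hunk presumably passes them, the line should become `${PKG_ADMIN} x509-sign-package "$$tmpname" ${.TARGET} ${X509_KEY} ${X509_CERTIFICATE}; \`. The gpg and x509 rules are otherwise line-for-line identical, so selecting the sign command in a variable and keeping a single rule removes the duplication and keeps the temporary-file cleanup and exit-code handling in one place, as sketched below. A SIGN_PACKAGES value that matches neither keyword falls through to the unsigned rule at line 101 without any message, so a `.warning` for an unrecognised value would stop a typo from silently producing unsigned packages. The context on line 112 shows the existing `_USE_DESTDIR` signing block still follows; since STAGE_PKGFILE now already carries a signature, check whether that block re-signs the signed file or should only copy it (the unsigned rule itself continues past the end of this hunk).
```makefile
.if !empty(SIGN_PACKAGES:Mgpg)
_PKG_SIGN_CMD=	${PKG_ADMIN} gpg-sign-package
.elif !empty(SIGN_PACKAGES:Mx509)
_PKG_SIGN_CMD=	${PKG_ADMIN} x509-sign-package
_PKG_SIGN_ARGS=	${X509_KEY} ${X509_CERTIFICATE}
.elif defined(SIGN_PACKAGES)
.warning Unknown SIGN_PACKAGES value "${SIGN_PACKAGES}", packages will not be signed.
.endif

.if defined(_PKG_SIGN_CMD)
${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
	${RUN} ${MKDIR} ${.TARGET:H}
	@${STEP_MSG} "Creating signed binary package ${.TARGET}"
	${RUN} tmpname=${.TARGET:S,${PKG_SUFX}$,.tmp${PKG_SUFX},};	\
	if ${PKG_CREATE} ${_PKG_ARGS_PACKAGE} "$$tmpname"; then		\
		${_PKG_SIGN_CMD} "$$tmpname" ${.TARGET} ${_PKG_SIGN_ARGS};	\
# … unchanged: exit-code capture, removal of "$$tmpname", else branch …
.else
# … unchanged: existing unsigned rule …
.endif
```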
@@ -75,6 +102,7 @@ ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
        else                                                            \
                exitcode=$$?; ${RM} -f "$$tmpname"; exit $$exitcode;    \
        fi
+.endif
 
 .if ${_USE_DESTDIR} != "no"
 .if !empty(SIGN_PACKAGES:Mgpg)

