tech-pkg archive
Re: [patch] Building signed packages directly
On 03/04/2014 16:09, Joerg Sonnenberger wrote:
> On Thu, Apr 03, 2014 at 01:33:55AM +0200, Pierre Pronchery wrote:
>>> Don't duplicate the target, just operate on the intermediate package
>>> directly.
>>
>> Is this new patch better?
>
> No, there are still three different calls to pkg_create.
Ok, I now understand a bit better the implications of the change, and
why it was wrong:
- I am now forcing the use of a staging package whenever signing
(including when PKG_DESTDIR_SUPPORT is not available)
- therefore, signing happens when "copying" the staging package to its
final place (pkg_admin does the copy instead of ln||cp)
- the operation of pkg_create is no longer affected.
I believe the patch attached is therefore better than before (but will
still welcome review). I have a problem with the "package-create" rule
notably, and had to remove the dependency on "package-remove"; is this
acceptable, or can somebody explain why this is necessary?
I have tested the following combinations, with pkgtools/digest:
- SIGN_PACKAGES=gpg and PKG_DESTDIR_SUPPORT=none
- SIGN_PACKAGES=gpg and PKG_DESTDIR_SUPPORT untouched (enabled)
- SIGN_PACKAGES untouched and PKG_DESTDIR_SUPPORT=none
- SIGN_PACKAGES untouched and PKG_DESTDIR_SUPPORT untouched (enabled)
All four produce a working package, and otherwise work as expected.
Cheers,
--
khorben
Index: mk/defaults/mk.conf
===================================================================
RCS file: /cvsroot/pkgsrc/mk/defaults/mk.conf,v
retrieving revision 1.238
diff -p -u -r1.238 mk.conf
--- mk/defaults/mk.conf 11 Mar 2014 14:07:04 -0000 1.238
+++ mk/defaults/mk.conf 4 Apr 2014 01:58:42 -0000
@@ -71,6 +71,21 @@ GZIP?= -9
# Possible: defined, not defined
# Default: not defined
+#SIGN_PACKAGES=
+# sign the packages generated with the method specified.
+# Possible: gpg, x509, not defined
+# Default: not defined
+
+#X509_KEY=
+# key to use when signing packages with an X509 certificate.
+# Possible: pathname to the key file, not defined
+# Default: not defined
+
+#X509_CERTIFICATE=
+# certificate to use when signing packages with an X509 certificate.
+# Possible: pathname to the X509 certificate, not defined
+# Default: not defined
+
.if defined(PKG_DEVELOPER) && ${PKG_DEVELOPER} != "no"
PATCH_DEBUG?=
.endif
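Review bot: the new #SIGN_PACKAGES block is glued to the end of the preceding variable's description (it follows "# Default: not defined" with no separating blank line, while the X509_KEY and X509_CERTIFICATE blocks each get one); add a blank line before #SIGN_PACKAGES. The gpg method also has no companion variable saying which key pkg_admin will sign with, so a sentence under SIGN_PACKAGES stating how the GPG key is selected would document the two methods evenly.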
Index: mk/pkgformat/pkg/package.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/pkgformat/pkg/package.mk,v
retrieving revision 1.3
diff -p -u -r1.3 package.mk
--- mk/pkgformat/pkg/package.mk 10 Aug 2013 06:05:57 -0000 1.3
+++ mk/pkgformat/pkg/package.mk 4 Apr 2014 01:58:42 -0000
@@ -14,7 +14,13 @@ PKG_SUFX?= .tgz
FILEBASE?= ${PKGBASE}
PKGFILE?= ${PKGREPOSITORY}/${FILEBASE}-${PKGVERSION}${PKG_SUFX}
.if ${_USE_DESTDIR} == "no"
+. if !empty(SIGN_PACKAGES:Mgpg)
+STAGE_PKGFILE?=
${WRKDIR}/.packages/${FILEBASE}-${PKGVERSION}${PKG_SUFX}
+. elif !empty(SIGN_PACKAGES:Mx509)
+STAGE_PKGFILE?=
${WRKDIR}/.packages/${FILEBASE}-${PKGVERSION}${PKG_SUFX}
+. else
STAGE_PKGFILE?= ${PKGFILE}
+. endif
.else
STAGE_PKGFILE?=
${WRKDIR}/.packages/${FILEBASE}-${PKGVERSION}${PKG_SUFX}
.endif
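Review bot: the gpg and x509 branches assign the identical STAGE_PKGFILE value, and it is the same value the ${_USE_DESTDIR} != "no" branch already uses, so the nesting can collapse to a single test such as `${_USE_DESTDIR} != "no" || !empty(SIGN_PACKAGES:Mgpg) || !empty(SIGN_PACKAGES:Mx509)` with one ${WRKDIR}/.packages assignment and STAGE_PKGFILE?= ${PKGFILE} as the only other case. As written, an unrecognized SIGN_PACKAGES value silently falls through to the unsigned path; an `.else` that sets PKG_FAIL_REASON for an unknown method would catch that.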
@@ -38,7 +44,7 @@ package-check-installed:
### package-create creates the binary package.
###
.PHONY: package-create
-package-create: package-remove ${PKGFILE} package-links
+package-create: ${PKGFILE} package-links
######################################################################
### stage-package-create (PRIVATE, pkgsrc/mk/package/package.mk)
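Review bot: dropping package-remove from package-create changes behavior for every configuration, not only the signed ones: a stale ${PKGFILE} left from an earlier build is no longer removed first, and since ${PKGFILE} is now an ordinary make target depending on ${STAGE_PKGFILE}, an old package file whose timestamp is newer than the staging package will be kept rather than re-created or re-signed. The message says this dependency had to go but not why; state the actual failure in the log, or keep the removal and resolve whatever conflict it has with the new ${PKGFILE} rule.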
@@ -76,12 +82,21 @@ ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
exitcode=$$?; ${RM} -f "$$tmpname"; exit $$exitcode; \
fi
-.if ${_USE_DESTDIR} != "no"
+.if ${PKGFILE} != ${STAGE_PKGFILE}
${PKGFILE}: ${STAGE_PKGFILE}
${RUN} ${MKDIR} ${.TARGET:H}
+. if !empty(SIGN_PACKAGES:Mgpg)
+ @${STEP_MSG} "Creating signed binary package ${.TARGET} (GPG)"
+ ${PKG_ADMIN} gpg-sign-package ${STAGE_PKGFILE} ${PKGFILE}
+. elif !empty(SIGN_PACKAGES:Mx509)
+ @${STEP_MSG} "Creating signed binary package ${.TARGET} (X509)"
+ ${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} \
+ ${X509_KEY} ${X509_CERTIFICATE}
+. else
@${STEP_MSG} "Creating binary package ${.TARGET}"
${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \
${CP} -pf ${STAGE_PKGFILE} ${PKGFILE}
+. endif
.endif
######################################################################
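Review bot: the x509 branch hands ${X509_KEY} and ${X509_CERTIFICATE} to pkg_admin with no check that either is set; with SIGN_PACKAGES=x509 and one of them undefined the command simply loses arguments and the error surfaces from pkg_admin rather than from pkgsrc. Guard it at parse time, e.g.
. if !defined(X509_KEY) || !defined(X509_CERTIFICATE)
PKG_FAIL_REASON+= "SIGN_PACKAGES=x509 requires X509_KEY and X509_CERTIFICATE"
. endif
Also, unlike the ${STAGE_PKGFILE} rule just above (which writes to $$tmpname and removes it on failure), both signing commands write straight to ${PKGFILE}, so a failed or interrupted pkg_admin run can leave a truncated package at its final location that a later make treats as up to date; sign into a temporary file and rename it on success.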