From 60d101b579c03dc6c2581a6ff0b7d0b570499625 Mon Sep 17 00:00:00 2001
From: jperkin
Date: Thu, 29 Oct 2015 20:09:28 +0000
Subject: Perform signing at the staged package stage rather than only during the copy to the target pkgfile.

Ensures consistency at all stages, means we can support verifying the signature at install time, and also fixes signed packages with recent pbulk changes which now invoke 'stage-package-create' rather than 'package'.
---
 mk/pkgformat/pkg/package.mk | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

(limited to 'mk')

diff --git a/mk/pkgformat/pkg/package.mk b/mk/pkgformat/pkg/package.mk
index 2453a903f2b..9150e5d862f 100644
--- a/mk/pkgformat/pkg/package.mk
+++ b/mk/pkgformat/pkg/package.mk
@@ -1,4 +1,4 @@
-# $NetBSD: package.mk,v 1.11 2015/09/07 11:02:28 jperkin Exp $
+# $NetBSD: package.mk,v 1.12 2015/10/29 20:09:28 jperkin Exp $
 
 .if defined(PKG_SUFX)
 WARNINGS+= "PKG_SUFX is deprecated, please use PKG_COMPRESSION"
@@ -70,30 +70,32 @@ _PKG_ARGS_PACKAGE+= -u ${REAL_ROOT_USER} -g ${REAL_ROOT_GROUP}
 .endif
 
 ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS}
-	${RUN} ${MKDIR} ${.TARGET:H}
 	@${STEP_MSG} "Creating binary package ${.TARGET}"
-	${RUN} ${_ULIMIT_CMD} tmpname=${.TARGET:S,${PKG_SUFX}$,.tmp${PKG_SUFX},}; \
-	if ${PKG_CREATE} ${_PKG_ARGS_PACKAGE} "$$tmpname"; then \
-		${MV} -f "$$tmpname" ${.TARGET}; \
-	else \
+	${RUN} ${MKDIR} ${.TARGET:H}; ${_ULIMIT_CMD} \
+	tmpname=${.TARGET:S,${PKG_SUFX}$,.tmp${PKG_SUFX},}; \
+	if ! ${PKG_CREATE} ${_PKG_ARGS_PACKAGE} "$$tmpname"; then \
 		exitcode=$$?; ${RM} -f "$$tmpname"; exit $$exitcode; \
 	fi
+.if !empty(SIGN_PACKAGES:U:Mgpg)
+	@${STEP_MSG} "Signing binary package ${.TARGET} (GPG)"
+	${RUN} tmpname=${.TARGET:S,${PKG_SUFX}$,.tmp${PKG_SUFX},}; \
+	${PKG_ADMIN} gpg-sign-package "$$tmpname" ${.TARGET}
+.elif !empty(SIGN_PACKAGES:U:Mx509)
+	@${STEP_MSG} "Signing binary package ${.TARGET} (X509)"
+	${RUN} tmpname=${.TARGET:S,${PKG_SUFX}$,.tmp${PKG_SUFX},}; \
+	${PKG_ADMIN} x509-sign-package "$$tmpname" ${.TARGET} \
+		${X509_KEY} ${X509_CERTIFICATE}
+.else
+	${RUN} tmpname=${.TARGET:S,${PKG_SUFX}$,.tmp${PKG_SUFX},}; \
+	${MV} -f "$$tmpname" ${.TARGET}
+.endif
 
 .if ${PKGFILE} != ${STAGE_PKGFILE}
 ${PKGFILE}: ${STAGE_PKGFILE}
-	${RUN} ${MKDIR} ${.TARGET:H}
-. if !empty(SIGN_PACKAGES:U:Mgpg)
-	@${STEP_MSG} "Creating signed binary package ${.TARGET} (GPG)"
-	${PKG_ADMIN} gpg-sign-package ${STAGE_PKGFILE} ${PKGFILE}
-. elif !empty(SIGN_PACKAGES:U:Mx509)
-	@${STEP_MSG} "Creating signed binary package ${.TARGET} (X509)"
-	${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} \
-		${X509_KEY} ${X509_CERTIFICATE}
-. else
 	@${STEP_MSG} "Creating binary package ${.TARGET}"
-	${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \
+	${RUN} ${MKDIR} ${.TARGET:H}; \
+	${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \
 	${CP} -pf ${STAGE_PKGFILE} ${PKGFILE}
-. endif
 .endif
 
 ######################################################################
-- 
cgit v1.2.3
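Review bot: The rewritten error branch in the `${STAGE_PKGFILE}` recipe no longer captures pkg_create's exit status: inside `if ! cmd; then`, `$?` is the status of the negated list, which is 0, so `exitcode=$$?; exit $$exitcode` exits 0 and that `${RUN}` line succeeds even though no package was written; the failure only surfaces on the following recipe line, when the signing command or `${MV}` cannot find the temp file, with a misleading diagnostic. The removed `if ...; then ...; else exitcode=$$?` form read the real status; the same control flow without the negation is `${PKG_CREATE} ${_PKG_ARGS_PACKAGE} "$$tmpname" || { exitcode=$$?; ${RM} -f "$$tmpname"; exit $$exitcode; }` (or `if ${PKG_CREATE} ...; then :; else ...; fi`). Separately, the two signing branches read the unsigned `.tmp${PKG_SUFX}` file and write the signed output to `${.TARGET}`, but nothing removes the temp file afterwards (unless pkg_admin deletes its input, which the hunk does not show), so an unsigned copy with the package suffix stays in the package directory beside the signed one; appending `&& ${RM} -f "$$tmpname"` to each `${PKG_ADMIN} ...-sign-package` line would match what the `${MV}` branch does. The temp name expression is also repeated in four places in this hunk; computing it once in a make variable would keep the four from drifting apart.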