CaROS/meta-openembedded
3
1
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-01-01 13:58:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

signing.bbclass: create env with 0x600

Browse Source 
The env file holds the PKCS#11 uris, which include the pin to access
the database - in plaintext. Directly create the file (after it has
been remove) with the proper 'user RW only' permissions, to give only
the build-user access to this somewhat "security sensitive" file.

Note that the softhsm/sqlite3.db* is already 0x600.

Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit is contained in:
Johannes Schneider 2025-08-20 12:11:28 +02:00 committed by Khem Raj
parent 5c33bc28eb
commit c092b3adc5
No known key found for this signature in database
GPG Key ID: BB053355919D3314
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
meta-oe/classes/signing.bbclass
View File

@ -104,6 +104,7 @@ signing_import_prepare() {
export _SIGNING_ENV_FILE_="${B}/meta-signing.env"
rm -f "$_SIGNING_ENV_FILE_"
install -m 600 /dev/null "$_SIGNING_ENV_FILE_"
export SOFTHSM2_CONF="${B}/softhsm2.conf"
export SOFTHSM2_DIR="${B}/softhsm2.tokens"
@ -331,7 +332,7 @@ signing_import_install() {
install -d ${D}${localstatedir}/lib/softhsm/tokens/${PN}
install -m 600 -t ${D}${localstatedir}/lib/softhsm/tokens/${PN} ${B}/softhsm2.tokens/*/*
install -d ${D}${localstatedir}/lib/meta-signing.env.d
install -m 644 "${B}/meta-signing.env" ${D}${localstatedir}/lib/meta-signing.env.d/${PN}
install -m 600 "${B}/meta-signing.env" ${D}${localstatedir}/lib/meta-signing.env.d/${PN}
}
signing_prepare() {