intel · mythi · Jun 17, 2017 · Jun 16, 2017 · Feb 2, 2017 · Mar 23, 2017
diff --git a/meta-flatpak/classes/flatpak-config.bbclass b/meta-flatpak/classes/flatpak-config.bbclass
@@ -0,0 +1,65 @@
+# We expect to find our scripts here, in the scripts subdirectory.
+FLATPAKBASE = "${FLATPAK_LAYERDIR}"
+
+# Flatpak image base. We need to use this often in path names to avoid
+# conflicts for repos of different ${MACHINES}. Although flatpak uses
+# ostree as the backend for its repositories, the runtime branch naming
+# conventions for flatpak ostree repositories is strict. Branches names
+# must be of the form
+#
+#   runtime/ID/ARCH/VERSION
+#
+# Any other branches are silently ignored by flatpak. Therefore we cannot
+# easily reuse (primary) repositories across multiple ${MACHINES} wihtout
+# running into branch-naming conflicts. It is technically possible to share
+# a primary bare-user repository if we teach the repository-exporting bits
+# to do clever branch-name translations when pulling to the destination
+# (exported, archive-z2) repository. However, since the exported repos anyway
+# cannot be shared in this way there is not much point in doing so.
+#
+# As an additional restriction, ARCH must be from a known set, which is the
+# one commonly used by the kernel, package managers, etc (although there is
+# a slight chance that non-standard ARCHs work if explicitly overridden from
+# the command-line... needs to be either tested or checked from the sources).
+#
+# Therefore, we translate ${MACHINE} to ${BUILD_ARCH} a.k.a ${FLATPAK_ARCH}
+# in branch names while use ${MACHINE} as such in repository names.
+#
+FLATPAK_PN ?= "${@d.getVar('PN').split('-flatpak-')[0]}"
+
+# Canonical ARCH flatpak will understand.
+FLATPAK_ARCH ?= "${BUILD_ARCH}"
+
+# Per-build per-${MACHINE} per-image primary bare-user flatpak repository.
+FLATPAK_REPO = "${WORKDIR}/${FLATPAK_PN}.flatpak.${MACHINE}.bare-user"
+
+# This is an archive-z2 repository where we export our builds for testing.
+# This can be exposed over HTTP for consumption by flatpak. Among other
+# things, this can be used to pull in the generated BaseSdk and BasePlatform
+# repository branches to a development host for building flatpak applications
+# against the corresponding flatpak-enabled image. Set this to empty if you
+# don't want to automatically publish to such a repository.
+FLATPAK_EXPORT ?= "${DEPLOY_DIR}/${FLATPAK_PN}.flatpak.${MACHINE}.archive-z2"
+
+# We use the domain and the (canonical) branch together with ${MACHINE} to
+# construct the full flatpak REFs of our base and SDK runtimes. The full REF
+# is considered the canonical branch and is constructed as:
+#
+#  runtime/${FLATPAK_DOMAIN}.Base{Platform,Sdk}/${FLATPAK_ARCH}/${FLATPAK_BRANCH}
+#
+# Optionally we publish builds as two additional branches:
+#
+#   - an optional rolling 'latest' corresponding to the last build
+#   - an optional rolling 'build' tagged with the ${BUILD_ID}
+#
+# Setting the corresponding variables for the optional branches to empty
+# disables publishing/creating those branches.
+#
+FLATPAK_DOMAIN ?= "org.example"
+FLATPAK_BRANCH ?= "${DISTRO_VERSION}"
+FLATPAK_LATEST ?= "${DISTRO}/${FLATPAK_PN}/latest"
+FLATPAK_BUILD  ?= "${DISTRO}/${FLATPAK_PN}/build/${BUILD_ID}"
+
+# This is the GPG key id of our repository signing key. If you set this to
+# empty, signing is disabled altogether.
+FLATPAK_GPGID ?= "refkit-signing@key"
diff --git a/meta-flatpak/classes/flatpak-image-variants.bbclass b/meta-flatpak/classes/flatpak-image-variants.bbclass
@@ -0,0 +1,39 @@
+IMAGE_FEATURES[validitems] += " \
+    flatpak \
+    tools-sdk \
+    dev-pkgs \
+    tools-debug \
+    tools-profile \
+"
+
+FEATURE_PACKAGES_flatpak = " \
+    packagegroup-flatpak \
+"
+
+#
+# Define two flatpak-related image variants.
+#
+# - flatpak runtime image variant 'flatpak-runtime':
+#     This variant corresponds to a flatpak BasePlatform runtime. In
+#     addition to the content of its base image, this variant has the
+#     necessary runtime bits for flatpak. Using this image on a device
+#     enables one to pull in, update and run applications as flatpaks
+#     from flatpak remotes/repositories.
+#
+# - flatpak SDK image variant 'flatpak-sdk':
+#     This variant corresponds to a flatpak BaseSdk runtime. It has the
+#     necessary bits for compiling applications and publishing them as
+#     flatpaks in flatpak repositories.
+#
+# When building these images variants, a flatpak repository will also be
+# populated with the contents of these images. This repository can be used
+# to flatpak-install the runtime and SDK runtimes on a development machine
+# for generating flatpaks for the flatpak-runtime image variant.
+
+# 'flatpak-runtime' variant (runtime image for a device)
+IMAGE_VARIANT[flatpak-runtime] = "flatpak"
+
+# 'flatpak-sdk' variant (SDK image for a development host)
+IMAGE_VARIANT[flatpak-sdk] = "flatpak tools-develop tools-debug dev-pkgs"
+
+BBCLASSEXTEND += "imagevariant:flatpak-runtime imagevariant:flatpak-sdk"
diff --git a/meta-flatpak/classes/flatpak-repository.bbclass b/meta-flatpak/classes/flatpak-repository.bbclass
@@ -0,0 +1,139 @@
+# Check we have the necessary distro features enabled.
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES_append = " usrmerge systemd pam"
+
+inherit flatpak-config
+
+REFKIT_SIGNING_KEYS += "${FLATPAK_GPGID}"
+inherit refkit-signing-keys
+
+#
+# Create and populate a primary flatpak repository from/for an image.
+#
+fakeroot do_flatpak_populate_repository () {
+   echo "Flatpak repository population:"
+   echo "  * FLATPAKBASE:    ${FLATPAKBASE}"
+   echo "  * IMAGE_BASENAME: ${IMAGE_BASENAME}"
+
+   # Bail out early if flatpak is not enabled for this image.
+   case ${IMAGE_BASENAME} in
+       *-flatpak-runtime) RUNTIME_TYPE=BasePlatform;;
+       *-flatpak-sdk)     RUNTIME_TYPE=BaseSdk;;
+       *)
+          echo "${IMAGE_BASENAME} is not a flatpak-enabled image..."
+          return 0
+          ;;
+   esac
+
+   echo "${IMAGE_BASENAME} is a flatpak $RUNTIME_TYPE image"
+
+   if [ -n "${FLATPAK_GPGID}" ]; then
+       GPG_SIGN="--gpg-home ${REFKIT_SIGNING_GPGDIR} \
+                 --gpg-id ${FLATPAK_GPGID}"
+   else
+       GPG_SIGN=""
+   fi
+
+   # Hmm... it might be a better idea to either preconstruct this in
+   # flatpak-config and just be a postman for it here, or pass these
+   # separately to the backend script and let that construct these.
+   # XXX TODO: We'll need to revisit this and decide...
+
+   _base="runtime/${FLATPAK_DOMAIN}.$RUNTIME_TYPE/${FLATPAK_ARCH}"
+   _t=""
+   for _b in ${FLATPAK_BRANCH} ${FLATPAK_LATEST} ${FLATPAK_BUILD}; do
+       BRANCHES="$BRANCHES$_t$_base/$_b"
+       _t=","
+   done
+
+   echo "Using flatpak branches $BRANCHES for ${IMAGE_ROOTFS}..."
+
+   # Generate/populate flatpak/OSTree repository
+   ${FLATPAKBASE}/scripts/flatpak-populate-repo.sh \
+       --repo-path ${FLATPAK_REPO} \
+       --repo-mode bare-user \
+       $GPG_SIGN \
+       --branches "$BRANCHES" \
+       --image-sysroot ${IMAGE_ROOTFS} \
+       --tmp-dir ${TMPDIR}
+}
+
+do_flatpak_populate_repository[depends] += " \
+    ostree-native:do_populate_sysroot \
+    flatpak-native:do_populate_sysroot \
+    gnupg1-native:do_populate_sysroot \
+"
+
+do_flatpak_populate_repository[vardeps] += " \
+    FLATPAK_REPO \
+    FLATPAK_EXPORT \
+    FLATPAK_DOMAIN \
+    FLATPAK_BRANCH \
+    FLATPAK_LATEST \
+    FLATPAK_BUILD \
+    FLATPAK_GPGID \
+"
+
+#
+# Export an image (well the bare-user repo, really) to an archive-z2 repo.
+#
+fakeroot do_flatpak_export_repository () {
+   # Bail out early if no export repository is defined.
+   if [ -z "${FLATPAK_EXPORT}" ]; then
+       echo "Flatpak repository for export not specified, skip export..."
+       return 0
+   fi
+
+   # Bail out early if flatpak is not enabled for this image.
+   case ${IMAGE_BASENAME} in
+       *-flatpak-runtime) RUNTIME_TYPE=BasePlatform;;
+       *-flatpak-sdk)     RUNTIME_TYPE=BaseSdk;;
+       *)
+          echo "${IMAGE_BASENAME} is not a flatpak-enabled image..."
+          return 0
+          ;;
+   esac
+
+   echo "${IMAGE_BASENAME} is a flatpak $RUNTIME_TYPE image"
+
+   if [ -n "${FLATPAK_GPGID}" ]; then
+       GPG_SIGN="--gpg-home ${REFKIT_SIGNING_GPGDIR} \
+                 --gpg-id ${FLATPAK_GPGID}"
+   else
+       GPG_SIGN=""
+   fi
+
+   # Export to archive-z2 flatpak/OSTree repository
+   ${FLATPAKBASE}/scripts/flatpak-populate-repo.sh \
+       --repo-path ${FLATPAK_REPO} \
+       --repo-export ${FLATPAK_EXPORT} \
+       --machine ${MACHINE} \
+       $GPG_SIGN \
+       --tmp-dir ${TMPDIR}
+}
+
+do_flatpak_export_repository[depends] += " \
+    ostree-native:do_populate_sysroot \
+    flatpak-native:do_populate_sysroot \
+    gnupg1-native:do_populate_sysroot \
+"
+
+do_flatpak_export_repository[vardeps] += " \
+    FLATPAK_REPO \
+    FLATPAK_EXPORT \
+    FLATPAK_DOMAIN \
+    FLATPAK_BRANCH \
+    FLATPAK_LATEST \
+    FLATPAK_BUILD \
+    FLATPAK_GPGID \
+    MACHINE \
+"
+
+addtask flatpak_populate_repository \
+    after do_rootfs \
+    before do_image_complete
+
+addtask flatpak_export_repository \
+    after do_flatpak_populate_repository \
+    before do_image_complete
+
diff --git a/meta-flatpak/classes/refkit-signing-keys.bbclass b/meta-flatpak/classes/refkit-signing-keys.bbclass
@@ -0,0 +1,84 @@
+#
+# This class can be used to generate (or import) a set of signing keys,
+# for whatever purpose the build might need those. Once such purpose is
+# the signing of base OS and flatpak ostree repositories.
+#
+# To make sure all the necessary keys get generated list them in your
+# local.conf (or some other global configuration file) by setting
+# REFKIT_SIGNING_KEYS to necessary key IDs.
+
+# Signing keys to generate, a list of key IDs.
+REFKIT_SIGNING_KEYS    ?= ""
+
+# This is where we put our GPG homedir, export keys to, etc.
+REFKIT_SIGNING_GPGDIR  ?= "${DEPLOY_DIR}/gnupg"
+
+# How long we let two parallel key generation tasks clash.
+REFKIT_SIGNING_TIMEOUT ?= "60"
+
+# task to generate/check all requested signing keys
+fakeroot do_generate_signing_keys () {
+    # Bail out early if we have no keys to generate.
+    if [ -z "${REFKIT_SIGNING_KEYS}" -o -z "${REFKIT_SIGNING_GPGDIR}" ]; then
+        echo "No GPG key IDs or directory set, nothing to do..."
+        return 0
+    fi
+
+    # When building several images in parallel (e.g. in CI), we have to
+    # make sure we don't let two tasks start generating the same signing
+    # key into the keyring. While GPG itself seems to semi-gracefully
+    # survive a keyring with duplicate key ids, gpgme (or maybe just ostree,
+    # I did not bother checking it) segfaults in such a case.
+    # Therefore, we have this unholy kludge where we use mkdir(2) as a
+    # lock, and let the task getting there first do the deed, while the
+    # second one just waits for the first to finish (and consequently causes
+    # its own dependent tasks to properly wait for the keys to get generated).
+    # Yuck...
+
+    dir="${REFKIT_SIGNING_GPGDIR}"
+    mkdir -p "${dir%/*}"
+    mkdir "${dir}.lock" || { # Forgive me Thompson&Dijkstra, for I have sinned...
+        slept=0
+        for id in ${REFKIT_SIGNING_KEYS}; do
+            while [ $slept -lt ${REFKIT_SIGNING_TIMEOUT} ]; do
+                if [ ! -e ${dir}/$id.sec ]; then
+                    echo "Waiting for generation of signing key $id..."
+                    sleep 1
+                    let slept=$slept+1
+                else
+                    echo "Got signing key $id..."
+                    break
+                fi
+            done
+        done
+        if [ $slept -ge ${REFKIT_SIGNING_TIMEOUT} ]; then
+            echo "Signing key generation timed out..."
+            return 1
+        else
+            return 0
+        fi
+    }
+
+    dir="${REFKIT_SIGNING_GPGDIR}"
+    for id in ${REFKIT_SIGNING_KEYS}; do
+        pubkey="$dir/$id.pub"
+        seckey="$dir/$id.sec"
+
+        # Generate repository signing GPG keys, if we don't have them yet.
+        echo "Generating/checking signing key $id..."
+
+        ${FLATPAKBASE}/scripts/gpg-keygen.sh \
+            --home $dir \
+            --id $id \
+            --pub $pubkey \
+            --sec $seckey
+    done
+
+    rmdir "${dir}.lock"
+}
+
+do_generate_signing_keys[depends] += " \
+    gnupg1-native:do_populate_sysroot \
+"
+
+addtask generate_signing_keys before do_rootfs
diff --git a/meta-flatpak/classes/requires-systemd.bbclass b/meta-flatpak/classes/requires-systemd.bbclass
@@ -0,0 +1,11 @@
+# Same as systemd.bbclass but should be used by recipes which require
+# systemd (as opposed to just support systemd).
+
+
+SYSTEMD_FEATURE_class-target = "systemd"
+SYSTEMD_FEATURE_class-native = ""
+
+REQUIRED_DISTRO_FEATURES = "${SYSTEMD_FEATURE}"
+inherit distro_features_check
+
+inherit systemd
diff --git a/meta-flatpak/conf/distro/include/flatpak.inc b/meta-flatpak/conf/distro/include/flatpak.inc
@@ -0,0 +1,9 @@
+REFKIT_DEFAULT_DISTRO_FEATURES += " \
+    usrmerge \
+    systemd \
+    pam \
+    flatpak \
+"
+
+# Enable D-Bus session bus support, needed by flatpak.
+PACKAGECONFIG_append_pn-dbus_refkit-config = " user-session"
diff --git a/meta-flatpak/conf/layer.conf b/meta-flatpak/conf/layer.conf
@@ -0,0 +1,16 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += " \
+    ${LAYERDIR}/recipes-*/*/*.bb \
+    ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "flatpak-layer"
+BBFILE_PATTERN_flatpak-layer = "^${LAYERDIR}/"
+BBFILE_PRIORITY_flatpak-layer = "6"
+
+LAYERDEPENDS_flatpak-layer = "core openembedded-layer filesystems-layer"
+
+# Set a variable for easy access to the top directory of the flatpak layer.
+FLATPAK_LAYERDIR = '${@os.path.normpath("${LAYERDIR}")}'