Date: Mon, 15 Apr 2019 13:11:58 +0200
From: Andreas Reichel
To: "Maxim Yu. Osipov"
Cc: isar-users@googlegroups.com
Subject: Re: [PATCH v8 1/7] Revert "isar-bootstrap: Allow to set local keys in DISTRO_APT_KEYS"
Message-ID: <20190415111157.GA12152@iiotirae>
References: <20190321151526.12001-1-andreas.reichel.ext@siemens.com> <20190321151526.12001-2-andreas.reichel.ext@siemens.com> <948fa832-67d1-37d1-02b0-7120ab7546d4@ilbers.de>
In-Reply-To: <948fa832-67d1-37d1-02b0-7120ab7546d4@ilbers.de>

On Mon, Mar 25, 2019 at 12:20:10PM +0100, Maxim Yu. Osipov wrote:
> Hi Andreas,
>
> On 3/21/19 4:15 PM, Andreas J. Reichel wrote:
> > From: Andreas Reichel
> >
> > This reverts commit af983a13b6f4cee5d4af5e5cf6318231e02775c9.
> >
> > This commit broke usage of remote keys, where they usually come from.
> > If fetching "http://example.com/dir1/dir2/key", the file is fetched
> > into the subdir WORKDIR/dir1/dir2/, which breaks with this code.
> > However it succeeds with absolute paths.
> > We do not want to guess where the downloaded file will be. This does
> > not work anymore if the key is downloaded from remote with a URL.
> > Furthermore, a user could specify "subdir" as fetcher parameter
> > or other things, which break this.
>
> In general it's better to avoid reverting the patches.

Okay.

>
> I disagree with the statement that "commit af983a13 broke usage of remote
> keys" - I wrote you a month ago (see forwarded email below) that this patch
> doesn't break Raspbian build - the key is put also under downloads (DL_DIR)

in DL_DIR - Yes, where you can get name collisions with several keys since
you cannot rename the files with your code via bitbake URL parameter.

> directory:
>
> I've built the current 'master' for target
> multiconfig:rpi-jessie:isar-image-base.

I gave you an example where it broke for me. Raspbian is not one of these.

https://archive.raspbian.org/raspbian.public.key

Is there a subdir after the domain? - No !
Does it fit to my example? => No.
Does your argument with raspbian make sense now? => No.

>
> Sorry for copy-paste ;):
>
> <<<<
> isar/build$ find -name raspbian.public.key
> ./downloads/raspbian.public.key
> ./tmp/work/raspbian-jessie-armhf/isar-bootstrap-target/raspbian.public.key
> >>>
>
> So I don't accept this patch.
>

Then I have to rebase - without revert - , which may take some time...

Regards,
Andreas

> Regards,
> Maxim.
>
>
> -------- Forwarded Message --------
> Subject: Re: [PATCH 0/1] Fix remote key fetching apt keyring
> Date: Wed, 20 Feb 2019 12:58:09 +0100
> From: Maxim Yu. Osipov
> Organization: ilbers GmbH
> To: Jan Kiszka, [ext] Andreas J. Reichel, isar-users@googlegroups.com,
> Baurzhan Ismagulov
>
> On 2/20/19 12:27 PM, Jan Kiszka wrote:
> > On 20.02.19 12:21, [ext] Andreas J. Reichel wrote:
> >> From: Andreas Reichel
> >>
> >> Since my last mail was not answered, but this is an important topic,
> >> here is a patch that shows what the problem is.
> >>
> >> If we fetch the user apt key from remote, we need the basename,
> >> if we fetch it locally we need the absolute path...
> >>
> >> While this might not be the best way to fix this, it works as good
> >> as the rest of this code...
> >>
> >> At least it fixes Isar again up to adding the key to the keyring.
> >>
> >> But this still does not fix the next problem with the docker-ce key:
> >>
> >> | I: Running command: debootstrap --arch arm64 --foreign --verbose --variant=minbase --include=locales --components=main,contrib,non-free --keyring /build/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/apt-keyring.gpg stretch /build/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/rootfs http://ftp.debian.org/debian
> >>
> >> | I: Retrieving InRelease
> >> | I: Retrieving Release
> >> | I: Retrieving Release.gpg
> >> | I: Checking Release signature
> >> | E: Release signed by unknown key (key id EF0F382A1A7B6500)
> >>
> >> So something additionally must be done. Since I am not an expert on
> >> debian keyring/debootstrap and dpkg signing I will try to find a
> >> solution but maybe somebody has a good idea already?
> >>
> >
> > Baurzhan, Maxim, any idea?
>
> Strange...I thought that commit af983a13 fixes the reported problem
> When testing my patch signing base-apt I've tried both - remote keys (used
> by Raspberry Pi target) and local key.
>
>
> >
> > This is really fixed in a follow-up commit.
> > > > Signed-off-by: Andreas Reichel > > --- > > meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 5 +++-- > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > > index c1b571a..2910eea 100644 > > --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > > +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > > @@ -40,8 +40,9 @@ python () { > > d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}") > > for key in distro_apt_keys.split(): > > url = urlparse(key) > > - d.appendVar("SRC_URI", " " + key) > > - d.appendVar("APTKEYFILES", " " + wd + url.path) > > + filename = os.path.basename(url.path) > > + d.appendVar("SRC_URI", " %s" % key) > > + d.appendVar("APTKEYFILES", " %s" % filename) > > if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')): > > own_pub_key = d.getVar("BASE_REPO_KEY", False) > > if own_pub_key: > > > > > -- > Maxim Osipov > ilbers GmbH > Maria-Merian-Str. 8 > 85521 Ottobrunn > Germany > +49 (151) 6517 6917 > mosipov@ilbers.de > http://ilbers.de/ > Commercial register Munich, HRB 214197 > General Manager: Baurzhan Ismagulov -- Andreas Reichel Dipl.-Phys. (Univ.) Software Consultant Andreas.Reichel@tngtech.com, +49-174-3180074 TNG Technology Consulting GmbH, Betastr. 13a, 85774 Unterfoehring Geschaeftsfuehrer: Henrik Klagges, Dr. Robert Dahlke, Gerhard Mueller Sitz: Unterfoehring * Amtsgericht Muenchen * HRB 135082
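
Review bot: in the `for key in distro_apt_keys.split():` loop, `filename = os.path.basename(url.path)` reduces every APTKEYFILES entry to a bare file name, so two DISTRO_APT_KEYS URLs that end in the same name become one entry, and a URL whose path ends in "/" yields an empty one. These files feed the keyring handed to debootstrap through `--keyring ${APTKEYRING}`, so a shadowed or missing key changes which Release signatures are accepted; I would fail the parse on an empty or already-seen basename instead of appending it. The entries are also no longer the `wd`-prefixed paths the removed line produced, so the consumer of APTKEYFILES has to resolve them against a directory, which deserves a comment here, and the "subdir" fetcher-parameter objection raised in the commit message applies to the basename form as well.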
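
The two path derivations from the quoted diff, run side by side over a few key URLs, as an added example that is not code from Isar or from either participant in the thread. The `WD` value, the helper names `key_paths` and `check_basenames`, and the sample URLs are assumptions constructed for illustration; the example shows only the string handling, not where the fetcher actually places files.

```python
import os
from urllib.parse import urlparse

# Assumed WORKDIR value, constructed for this example.
WD = "/build/tmp/work/isar-bootstrap-target"


def key_paths(distro_apt_keys, wd=WD):
    """Per key URL: (url, removed-line path, added-line file name)."""
    rows = []
    for key in distro_apt_keys.split():
        url = urlparse(key)
        # Removed line: wd + url.path. Added line: basename(url.path).
        rows.append((key, wd + url.path, os.path.basename(url.path)))
    return rows


def check_basenames(distro_apt_keys):
    """Report what the basename form can hide: empty or duplicate names."""
    seen, problems = {}, []
    for key, _, name in key_paths(distro_apt_keys):
        if not name:
            problems.append("empty name: %s" % key)
        elif name in seen:
            problems.append("%s and %s both map to %s" % (seen[name], key, name))
        else:
            seen[name] = key
    return problems


# Constructed sample input, not taken from any real configuration.
SAMPLE = " ".join([
    "file:///etc/keys/vendor.key",
    "http://example.com/dir1/dir2/key",
    "https://mirror.example.org/other/key",
    "http://example.com/keys/",
])

if __name__ == "__main__":
    for key, old, new in key_paths(SAMPLE):
        print("%-40s old=%s new=%r" % (key, old, new))
    for problem in check_basenames(SAMPLE):
        print("problem:", problem)
```

For the `file://` entry the removed-line form prefixes `WD` onto an already absolute path, while the basename form drops the directory entirely; the checker flags the two `key` URLs and the trailing-slash URL.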