Date: Fri, 14 Jun 2019 10:22:55 +0200
From: Henning Schild
To: "Amy_Fong@mentor.com"
Cc: isar-users
Subject: Re: base-apt signing interface could be improved
Message-ID: <20190614102255.0c782b51@md1za8fc.ad001.siemens.net>
In-Reply-To:
References: <20190606154558.7eea07bd@md1za8fc.ad001.siemens.net>

On Thu, 13 Jun 2019 09:55:29 -0700, "Amy_Fong@mentor.com" wrote:

> On Thursday, 6 June 2019 09:46:02 UTC-4, Henning Schild wrote:
> >
> > Hi,
> >
> > I just had a quick look at the implementation of the base-apt
> > signing for the first time. The interface is not ideal and has
> > potential for the signing key and the checking key not actually
> > belonging together.
> >
> > As far as I understand the code I read, Isar will start signing
> > base-apt if BASE_REPO_KEY is set to anything. The private key it
> > will use to sign the repo is not specified at all; it will be
> > whatever gnupg defaults to, given its configuration.
> >
> > I would suggest to switch from "SignWith yes" to "SignWith
> > ", and derive the id from BASE_REPO_KEY.
> >
> > Further improvements would be to actually configure gnupg inside
> > Isar and not rely on an outside configuration. Relying on the
> > outside config means that all (multi)configs will have to use the
> > same keypair. So we would add
> >
> > BASE_REPO_KEY_PRIVATE and ..._PASSPHRASE
> >
> > Now we would create a new gpg homedir next to where we store
> > base-apt. We would import that one key there and potentially unlock
> > it with its passphrase. If we clean and rebuild we get a working
> > gpghome for sure.
> >
> > Henning
>
> Hi,
>
> Perhaps something like the following ...
>
> Of course, since BASE_REPO_KEY permits specifying
> multiple keys, this raises a question of which keyid?

Oh, that is a nice hidden feature, indeed one can specify multiple keys
there.
So that variable should be called BASE_REPO_KEYS instead. And yes, reprepro
also supports multiple values. So I guess your patch is correct and it would
probably sign the repo with all the keys specified. Whether that is what we
want is another question, and I am not sure whether "yes" will also use all
keys or just the default one.

> Amy
>
> From 5ceb4a2ef97bc7fa6c44cd9ce6f73f9a831773f3 Mon Sep 17 00:00:00 2001
> From: Amy Fong
> Date: Thu, 13 Jun 2019 12:52:06 -0400
> Subject: [PATCH] base-apt: Use BASE_REPO_KEY for signing
>
> Extract keyid from BASE_REPO_KEY for signing
>
> Signed-off-by: Amy Fong
> ---
>  meta/recipes-devtools/base-apt/base-apt.bb | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-devtools/base-apt/base-apt.bb
> b/meta/recipes-devtools/base-apt/base-apt.bb
> index 1c0b4c6..81245f7 100644
> --- a/meta/recipes-devtools/base-apt/base-apt.bb
> +++ b/meta/recipes-devtools/base-apt/base-apt.bb
> @@ -19,8 +19,15 @@ do_cache_config() { > sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ > ${WORKDIR}/distributions.in > > ${CACHE_CONF_DIR}/distributions if [ "${BASE_REPO_KEY}" ] ; then > + option="yes" maybe there is a better name for the variable? Henning > + for key in ${BASE_REPO_KEY}; do > + keyid=$(wget -qO - $key | gpg --keyid-format 0xlong > --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}') > + if [ -n "$keyid" ]; then > + option="$keyid" > + fi > + done > # To generate Release.gpg > - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions > + echo "SignWith: $option" >> > ${CACHE_CONF_DIR}/distributions fi > fi >
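Review bot: in the `for key in ${BASE_REPO_KEY}; do ... option="$keyid"` loop each iteration overwrites `option`, so with several keys in BASE_REPO_KEY only the last one ends up in `SignWith:`, not all of them as assumed above; start from `option=""` and append instead, e.g. `option="${option:+$option }$keyid"`, since reprepro takes several ids there. When `wget` fails or gpg prints no `pub:` line, `keyid` is empty and `option` silently stays "yes", which is exactly the default-key fallback this patch is meant to remove: `bbfatal` on an empty `keyid` instead, and drop the `2>/dev/null` so gpg's error reaches the build log. Minor: `--keyid-format 0xlong` has no effect on `--with-colons` output, whose fifth field is always the 16-digit long key id, and `$key` should be quoted.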
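The interface sketched in this thread (derive the ids from the public keys in BASE_REPO_KEY, sign with exactly those keys, and keep a dedicated gpg home whose secret key matches them) can be checked mechanically. The following is an added example written for this page, not Isar or reprepro code: it parses `gpg --with-colons` listings (constructed samples with made-up key ids, fingerprints and user ids), builds the `SignWith:` line from full fingerprints, treats a listing with no usable key as an error instead of falling back to `yes`, and verifies that every secret key in the signing home is among the public keys handed to apt. It assumes reprepro accepts several space-separated ids in `SignWith`, as stated above, and that gpg emits an `fpr` record after each `pub`/`sec` record (recent gpg does so by default; older versions need `--fingerprint`).

```python
#!/usr/bin/env python3
"""Added example for this thread, not Isar or reprepro code.

Derives the ids for reprepro's `SignWith:` line from `gpg --with-colons`
listings and checks that the secret key in the signing gpg home is one of
the public keys shipped for verification.  The listings below are
constructed samples in gpg's colon format (doc/DETAILS in GnuPG);
all key ids, fingerprints and user ids are made up.
"""

# Two public keys as they would be fetched from BASE_REPO_KEY (constructed).
PUBLIC_KEYS = """\
pub:-:4096:1:0123456789ABCDEF:1559900000:::-:::scESC::::::23::0:
fpr:::::::::0000111122223333444455550123456789ABCDEF:
uid:-::::1559900000::0000::Isar base-apt <base-apt@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1559900000::::::e::::::23:
fpr:::::::::999988887777666655554444FEDCBA9876543210:
pub:-:4096:1:ABCDEF0123456789:1559900001:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFFABCDEF0123456789:
"""

# `gpg --homedir <isar gpg home> --with-colons --list-secret-keys` after the
# private key from a hypothetical BASE_REPO_KEY_PRIVATE was imported
# (constructed; only the first key has a secret half).
SECRET_KEYS = """\
sec:-:4096:1:0123456789ABCDEF:1559900000:::-:::scESC:::+:::23::0:
fpr:::::::::0000111122223333444455550123456789ABCDEF:
ssb:-:4096:1:FEDCBA9876543210:1559900000::::::e:::+:::23:
fpr:::::::::999988887777666655554444FEDCBA9876543210:
"""


def primary_fingerprints(listing, record="pub"):
    """Fingerprints of the primary keys ('pub' or 'sec' records) in a listing.

    Field 5 of the key record is the 16-digit long key id; field 10 of the
    'fpr' record that follows it is the full fingerprint.  Subkeys ('sub',
    'ssb') are skipped so the ids we emit always name a trusted primary key.
    A fingerprint that does not end in the key id means the listing is
    garbled, which is treated as an error rather than silently ignored.
    """
    fprs = []
    pending_keyid = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == record:
            pending_keyid = fields[4]
        elif fields[0] == "fpr" and pending_keyid is not None:
            fpr = fields[9]
            if not fpr.endswith(pending_keyid):
                raise ValueError("fingerprint %s does not match key id %s"
                                 % (fpr, pending_keyid))
            fprs.append(fpr)
            pending_keyid = None
        else:
            pending_keyid = None
    return fprs


def key_ids(listing, record="pub"):
    """Long key ids, i.e. the last 16 hex digits of each primary fingerprint."""
    return [fpr[-16:] for fpr in primary_fingerprints(listing, record)]


def signwith_line(public_listing):
    """The reprepro `SignWith:` line for conf/distributions.

    Full fingerprints are used instead of 'yes' so reprepro signs with exactly
    the keys whose public halves go to apt.  No usable key is an error: falling
    back to 'SignWith: yes' would quietly sign with whatever gpg's default key
    happens to be.  Assumes reprepro accepts several space-separated ids.
    """
    fprs = primary_fingerprints(public_listing)
    if not fprs:
        raise ValueError("no primary public key found in listing")
    return "SignWith: " + " ".join(fprs)


def signing_keys_are_distributed(secret_listing, public_listing):
    """True when every secret key in the signing gpg home is among the public
    keys handed to apt, i.e. signing key and checking key belong together."""
    sec = set(primary_fingerprints(secret_listing, "sec"))
    pub = set(primary_fingerprints(public_listing, "pub"))
    return bool(sec) and sec <= pub


if __name__ == "__main__":
    print(signwith_line(PUBLIC_KEYS))
    print("signing key is shipped for verification:",
          signing_keys_are_distributed(SECRET_KEYS, PUBLIC_KEYS))
```

Wired into a task like do_cache_config, the public listing would come from running `gpg --with-colons` over each fetched BASE_REPO_KEY file and the secret listing from the dedicated gpg home proposed above; the `signing_keys_are_distributed` check belongs before the Release file is signed, so a mismatched keypair fails the build instead of producing a repository that apt rejects.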