From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6699413522129879040 X-Received: by 2002:a1c:bbc1:: with SMTP id l184mr17936136wmf.111.1560770398844; Mon, 17 Jun 2019 04:19:58 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a7b:c34f:: with SMTP id l15ls4809980wmj.4.gmail; Mon, 17 Jun 2019 04:19:58 -0700 (PDT) X-Google-Smtp-Source: APXvYqwL6YVkt3/5dl2eyZmACl1u+tbcqy0A3XcZT0Gmldj2sNu/XmzSHCEs24iHUHGmQkKni7ad X-Received: by 2002:a1c:6a0e:: with SMTP id f14mr19682914wmc.154.1560770398376; Mon, 17 Jun 2019 04:19:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560770398; cv=none; d=google.com; s=arc-20160816; b=Gzci0xrPbnHyb8ShsSBot19pJU6mnQBldhxXamGG5ED/LC3D9yC0Hr/zjV4UVe7eSY gqWBZFomdZ6ltI5IiCesv9AhOaFFlGgS0aHFZKJrVd9Je7SaN6R8HbQNoawrDFs2ME4e 2iyWE2orPm2kUexUS79fJw7XFp3q1DCcl0vmd1JKyrsI+Kx6eRxhuHuVCsNtCiEM774i P/YXz1zwBiNBGyvBLqYtnh1VADRN61qsiCLbxibzumr4C5a5WDmK09In8M+bxaflY4nt gRGucvd408SXJdQ0pmMuKQLH7i8Avo4ojH4vDFfix1hRvjVP6/t/H9ASqeu3IqYriUeT Lv3w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:subject:cc:to:from:date; bh=V8eVEsN7sfBzHVH63qCbSLlblF//9/nY34Ga9PQ1Pmw=; b=aUOdHL8/nAHnSDPxVzVR6U9V8AVQa4FXwsisyXoCrlgmmxrT678UOvnW2Ys1n0fIc6 Vsw0Vumb06QEd+Ark+fcUXHpoipoE8M+xdbB8tb5CTHZZf9wM1JFIzdsSMQvNoRbc5B+ Iu2a4XFUwXhIwgoUQqiw5QOta7xJtTT40dbebCU6mjKuFAye2Y9Rd1tUWSXTJP+ZyMlI +zHwulJN+3OZFT8Vui2FmRD2Wtx4V3CMLfsDojDszL72gFjCKP9ObzDc6gEa0A2LujgT pCJhpb42x8oiwkm260w2wDiEvb3XupHbuNzMqSQaTv/pi38kBuUFhrmt+wYBa7/exIoo nksg== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.40 as permitted sender) smtp.mailfrom=henning.schild@siemens.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com Return-Path: Received: from gecko.sbs.de (gecko.sbs.de. [194.138.37.40]) by gmr-mx.google.com with ESMTPS id j15si348194wmh.0.2019.06.17.04.19.58 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 17 Jun 2019 04:19:58 -0700 (PDT) Received-SPF: pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.40 as permitted sender) client-ip=194.138.37.40; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.40 as permitted sender) smtp.mailfrom=henning.schild@siemens.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35]) by gecko.sbs.de (8.15.2/8.15.2) with ESMTPS id x5HBJuM3012734 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 17 Jun 2019 13:19:56 +0200 Received: from md1za8fc.ad001.siemens.net ([139.25.68.171]) by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id x5HBJc53029422; Mon, 17 Jun 2019 13:19:38 +0200 Date: Mon, 17 Jun 2019 13:19:37 +0200 From: Henning Schild To: "Amy_Fong@mentor.com" Cc: isar-users Subject: Re: base-apt signing interface could be improved Message-ID: <20190617131937.2852d692@md1za8fc.ad001.siemens.net> In-Reply-To: References: <20190606154558.7eea07bd@md1za8fc.ad001.siemens.net> <20190614102255.0c782b51@md1za8fc.ad001.siemens.net> X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-TUID: zSVp7BqGirIE Am Fri, 14 Jun 2019 06:50:58 -0700 schrieb "Amy_Fong@mentor.com" : > On Friday, 14 June 2019 04:23:00 UTC-4, Henning Schild wrote: > > > > Am Thu, 13 Jun 2019 09:55:29 -0700 > > schrieb "Amy_...@mentor.com " > >: > > > > > On Thursday, 6 June 2019 09:46:02 UTC-4, Henning Schild wrote: > > > > > > > > Hi, > > > > > > > > i just had a quick look at the implementation of the base-apt > > > > signing for the first time. The interface is not ideal and has > > > > potential for the signing key and the checking key not actually > > > > belonging together. > > > > > > > > As far as i understand the code i read, Isar will start signing > > > > base-apt if BASE_REPO_KEY is set to anything. The private key > > > > it will use to sign the repo is not specified at all, it will > > > > be whatever gnupg defaults to, given its configuration. > > > > > > > > I would suggest to switch from "SignWith yes" to "SignWith > > > > ", and derive the id from BASE_REPO_KEY. > > > > > > > > Further improvements would be to actually configure gnupg > > > > inside Isar and not rely on an outside configuration. Relying > > > > on the outside config means that all (multi)configs will have > > > > to use the same keypair. So we would add > > > > > > > > BASE_REPO_KEY_PRIVATE and ..._PASSPHRASE > > > > > > > > Now we would create a new gpg homedir next to where we store > > > > base-apt. We would import that one key there and potentially > > > > unlock it with its passphrase. If we clean and rebuild we get a > > > > working gpghome for sure. > > > > > > > > Henning > > > > > > > > > > Hi, > > > > > > Perhaps something like the following ... > > > > > > Of course, since BASE_REPO_KEY permits specifying > > > multiple keys, this raises a question of which keyid? > > > > Oh that is a nice hidden feature, indeed one can specify multiple > > keys there. So that variable should be called BASE_REPO_KEYS > > instead. > > > > And yes reprepro also supports multiple values. So i guess your > > patch is correct and it would probably sign the repo with all the > > keys specified. > > > > Whether that is what we want is another question, and i am not sure > > whether "yes" will also use all keys or just the default one. > > > > > Amy > > > > > > From 5ceb4a2ef97bc7fa6c44cd9ce6f73f9a831773f3 Mon Sep 17 00:00:00 > > > 2001 From: Amy Fong > > > > Date: Thu, 13 Jun 2019 12:52:06 -0400 > > > Subject: [PATCH] base-apt: Use BASE_REPO_KEY for signing > > > > > > Extract keyid from BASE_REPO_KEY for signing > > > > > > Signed-off-by: Amy Fong > > > > --- > > > meta/recipes-devtools/base-apt/base-apt.bb | 9 ++++++++- > > > 1 file changed, 8 insertions(+), 1 deletion(-) > > > > > > diff --git a/meta/recipes-devtools/base-apt/base-apt.bb > > > b/meta/recipes-devtools/base-apt/base-apt.bb > > > index 1c0b4c6..81245f7 100644 > > > --- a/meta/recipes-devtools/base-apt/base-apt.bb > > > +++ b/meta/recipes-devtools/base-apt/base-apt.bb > > > @@ -19,8 +19,15 @@ do_cache_config() { > > > sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ > > > ${WORKDIR}/distributions.in > > > > ${CACHE_CONF_DIR}/distributions if [ "${BASE_REPO_KEY}" ] ; then > > > + option="yes" > > > > maybe there is a better name for the variable? > > > > Henning > > > > > + for key in ${BASE_REPO_KEY}; do > > > + keyid=$(wget -qO - $key | gpg --keyid-format > > > 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' > > > '{print $5;}') > > > + if [ -n "$keyid" ]; then > > > + option="$keyid" > > > + fi > > > + done > > > # To generate Release.gpg > > > - echo "SignWith: yes" >> > > > ${CACHE_CONF_DIR}/distributions > > > + echo "SignWith: $option" >> > > > ${CACHE_CONF_DIR}/distributions fi > > > fi > > > > > > > How about BASE_REPO_SIGN_KEY? I do not understand what you are trying to solve with changing that name and going back to one-key-only, after you have found that BASE_REPO_KEY is indeed an array and reprepro also accepts an array. Now we need to know what "yes", compared to the array. And any tiny patch like this one, without a proper commit message and description, is not going to lead anywhere good. You guys are doing the full story. kas, signed base-apt, multiple keys, agent-forwarding ... After you are done you should have a clear picture of what currently does not work as expected, and how it can be fixes (your initial implementation). We can then discuss that implementation and incorporate a full patch series including docs into kas and Isar. > commit 42ee1139e8383fc27e7d98be522cb4d306fd170c (HEAD -> apt_sign) > Author: Amy Fong > Date: Thu Jun 13 12:52:06 2019 -0400 > > base-apt: Use BASE_REPO_SIGN_KEY for signing > > Extract keyid from BASE_REPO_SIGN_KEY for signing > > Signed-off-by: Amy Fong > > diff --git a/meta/recipes-devtools/base-apt/base-apt.bb > b/meta/recipes-devtools/base-apt/base-apt.bb > index 1c0b4c6..c896add 100644 > --- a/meta/recipes-devtools/base-apt/base-apt.bb > +++ b/meta/recipes-devtools/base-apt/base-apt.bb > @@ -18,9 +18,14 @@ do_cache_config() { > if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then > sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ > ${WORKDIR}/distributions.in > > ${CACHE_CONF_DIR}/distributions > - if [ "${BASE_REPO_KEY}" ] ; then > + if [ "${BASE_REPO_SIGN_KEY}" ] ; then > + option="yes" > + keyid=$(wget -qO - "${BASE_REPO_SIGN_KEY}" | gpg Using wget, but that is most likely a "file:///" URI. And whenever you do networking in a task, you need to take care of proxies. Henning > --keyid-format 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk > -F':' '{print $5;}') > + if [ -n "$keyid" ]; then > + option="$keyid" > + fi > # To generate Release.gpg > - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions > + echo "SignWith: $option" >> > ${CACHE_CONF_DIR}/distributions fi > fi > >