From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 6699413522129879040
X-Received: by 2002:a19:bec1:: with SMTP id o184mr4060982lff.86.1561709080268;
        Fri, 28 Jun 2019 01:04:40 -0700 (PDT)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a2e:92c8:: with SMTP id k8ls205258ljh.7.gmail; Fri, 28 Jun
 2019 01:04:39 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwNkVh4zCvWfCewyATUH2NkzdKrqNM4MSQHV4TJ4aWJ17b/hODYqZXAakl0PRBBtDitRCRd
X-Received: by 2002:a2e:3604:: with SMTP id d4mr5360967lja.85.1561709079644;
        Fri, 28 Jun 2019 01:04:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1561709079; cv=none;
        d=google.com; s=arc-20160816;
        b=u+j8PQ//YmUxEpEmBso0X2wkR/2+AH7+msvvFd/vv/HztbUjBk+azdXUrMdXlE3YKj
         F1YVouv/XXMVBU0mqJRM2aSa4JUECBMX8+KFXXL33JR3JxRTx61VItu2sREriCKD5Ok5
         u4fO09vCRaL1U7iJmEceZcmhwINda6iN3Qhzw2N+SsjtDMp4kdG1zHVzGqwWBRa8YNJ6
         JECoBzGufUzhDYk3Ok/VAVkIkEsjDvwm0jpQrZrn/q4Jy7Cq8lQshYb+LS69aAMIs5vV
         p/3EOQtzk6WImCjzH6lUaZcDTA15/hRBfwGI3KCzd59L7j+9CRNxpqVyOM+hqThPDiat
         Vu/Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:subject:cc:to:from:date;
        bh=hpaWwgARJazC6OyRqgKJBpDacTgWu+wtUA+tbW1Z+5U=;
        b=qMcWyIKaTUnOL3lYSl3zyJwx6DmnbwlsHB/i6rHH0/LcwnX2+L8KCseAJEvL+6FZ4Y
         OTMq5/9fHomj3O0APSjrCtIYqCueht1HU2MChQ8WIVHdjGdGNHTL5YYkdQ9XQ4A2TYsZ
         aSEGJNvGtr4w4Yd2ViLvsboRb3ohRAvQhK3rxo5DiEKZsnJBaZyGi2C+YfIwI1qxJX5P
         fBQFsk3BdVMWTQ9eTgikkGpVC2pnudPDqXkgdMghjYqEkqq8E5K1m/GBlYsB/NXihw9P
         9AlyFEMDNKDrUrwmzU2Zq6hClZ4qJAZw0JckRQItLUP+1HAvKsyzuGnchgioX4avyeD5
         z3jg==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=henning.schild@siemens.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com
Return-Path: <henning.schild@siemens.com>
Received: from david.siemens.de (david.siemens.de. [192.35.17.14])
        by gmr-mx.google.com with ESMTPS id q25si78541lfp.0.2019.06.28.01.04.39
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 28 Jun 2019 01:04:39 -0700 (PDT)
Received-SPF: pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.14 as permitted sender) client-ip=192.35.17.14;
Authentication-Results: gmr-mx.google.com;
       spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=henning.schild@siemens.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com
Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66])
	by david.siemens.de (8.15.2/8.15.2) with ESMTPS id x5S84cT6005163
	(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Fri, 28 Jun 2019 10:04:38 +0200
Received: from md1za8fc.ad001.siemens.net ([139.25.69.32])
	by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id x5S84cSr031153;
	Fri, 28 Jun 2019 10:04:38 +0200
Date: Fri, 28 Jun 2019 10:04:35 +0200
From: Henning Schild <henning.schild@siemens.com>
To: <vijaikumar.kanagarajan@gmail.com>
Cc: isar-users <isar-users@googlegroups.com>
Subject: Re: base-apt signing interface could be improved
Message-ID: <20190628100435.17d17215@md1za8fc.ad001.siemens.net>
In-Reply-To: <6cd52b1a-5d97-468f-b262-61e8bc461f57@googlegroups.com>
References: <20190606154558.7eea07bd@md1za8fc.ad001.siemens.net>
	<e8d1cf1d-4cd8-4eb8-b695-3bed3d97e27f@googlegroups.com>
	<20190614102255.0c782b51@md1za8fc.ad001.siemens.net>
	<b74ebad2-c689-4293-9862-45629c553fee@googlegroups.com>
	<20190617131937.2852d692@md1za8fc.ad001.siemens.net>
	<6cd52b1a-5d97-468f-b262-61e8bc461f57@googlegroups.com>
X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-TUID: D5QCIRgI9Ako

Am Thu, 27 Jun 2019 10:04:05 -0700
schrieb <vijaikumar.kanagarajan@gmail.com>:

> On Monday, June 17, 2019 at 4:49:58 PM UTC+5:30, Henning Schild wrote:
> >
> > Am Fri, 14 Jun 2019 06:50:58 -0700 
> > schrieb "Amy_...@mentor.com <javascript:>" <amy.f...@gmail.com 
> > <javascript:>>: 
> >  
> > > On Friday, 14 June 2019 04:23:00 UTC-4, Henning Schild wrote:   
> > > > 
> > > > Am Thu, 13 Jun 2019 09:55:29 -0700 
> > > > schrieb "Amy_...@mentor.com <javascript:>" <amy.f...@gmail.com 
> > > > <javascript:>>: 
> > > >     
> > > > > On Thursday, 6 June 2019 09:46:02 UTC-4, Henning Schild
> > > > > wrote:     
> > > > > > 
> > > > > > Hi, 
> > > > > > 
> > > > > > i just had a quick look at the implementation of the
> > > > > > base-apt signing for the first time. The interface is not
> > > > > > ideal and has potential for the signing key and the
> > > > > > checking key not actually belonging together. 
> > > > > > 
> > > > > > As far as i understand the code i read, Isar will start
> > > > > > signing base-apt if BASE_REPO_KEY is set to anything. The
> > > > > > private key it will use to sign the repo is not specified
> > > > > > at all, it will be whatever gnupg defaults to, given its
> > > > > > configuration. 
> > > > > > 
> > > > > > I would suggest to switch from "SignWith yes" to "SignWith 
> > > > > > <keyid>", and derive the id from BASE_REPO_KEY. 
> > > > > > 
> > > > > > Further improvements would be to actually configure gnupg 
> > > > > > inside Isar and not rely on an outside configuration.
> > > > > > Relying on the outside config means that all (multi)configs
> > > > > > will have to use the same keypair. So we would add 
> > > > > > 
> > > > > > BASE_REPO_KEY_PRIVATE and ..._PASSPHRASE 
> > > > > > 
> > > > > > Now we would create a new gpg homedir next to where we
> > > > > > store base-apt. We would import that one key there and
> > > > > > potentially unlock it with its passphrase. If we clean and
> > > > > > rebuild we get a working gpghome for sure. 
> > > > > > 
> > > > > > Henning 
> > > > > >       
> > > > > 
> > > > > Hi, 
> > > > > 
> > > > > Perhaps something like the following ... 
> > > > > 
> > > > > Of course, since BASE_REPO_KEY permits specifying 
> > > > > multiple keys, this raises a question of which keyid?     
> > > > 
> > > > Oh that is a nice hidden feature, indeed one can specify
> > > > multiple keys there. So that variable should be called
> > > > BASE_REPO_KEYS instead. 
> > > > 
> > > > And yes reprepro also supports multiple values. So i guess your 
> > > > patch is correct and it would probably sign the repo with all
> > > > the keys specified. 
> > > > 
> > > > Whether that is what we want is another question, and i am not
> > > > sure whether "yes" will also use all keys or just the default
> > > > one. 
> > > > > Amy 
> > > > > 
> > > > > From 5ceb4a2ef97bc7fa6c44cd9ce6f73f9a831773f3 Mon Sep 17
> > > > > 00:00:00 2001 From: Amy Fong <Amy_...@mentor.com
> > > > > <javascript:>> Date: Thu, 13 Jun 2019 12:52:06 -0400 
> > > > > Subject: [PATCH] base-apt: Use BASE_REPO_KEY for signing 
> > > > > 
> > > > > Extract keyid from BASE_REPO_KEY for signing 
> > > > > 
> > > > > Signed-off-by: Amy Fong <Amy_...@mentor.com <javascript:>> 
> > > > > --- 
> > > > >  meta/recipes-devtools/base-apt/base-apt.bb | 9 ++++++++- 
> > > > >  1 file changed, 8 insertions(+), 1 deletion(-) 
> > > > > 
> > > > > diff --git a/meta/recipes-devtools/base-apt/base-apt.bb 
> > > > > b/meta/recipes-devtools/base-apt/base-apt.bb 
> > > > > index 1c0b4c6..81245f7 100644 
> > > > > --- a/meta/recipes-devtools/base-apt/base-apt.bb 
> > > > > +++ b/meta/recipes-devtools/base-apt/base-apt.bb 
> > > > > @@ -19,8 +19,15 @@ do_cache_config() { 
> > > > >          sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ 
> > > > >              ${WORKDIR}/distributions.in > 
> > > > > ${CACHE_CONF_DIR}/distributions if [ "${BASE_REPO_KEY}" ] ;
> > > > > then 
> > > > > +            option="yes"     
> > > > 
> > > > maybe there is a better name for the variable? 
> > > > 
> > > > Henning 
> > > >     
> > > > > +            for key in ${BASE_REPO_KEY}; do 
> > > > > +                keyid=$(wget -qO - $key | gpg --keyid-format 
> > > > > 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' 
> > > > > '{print $5;}') 
> > > > > +                if [ -n "$keyid" ]; then 
> > > > > +                    option="$keyid" 
> > > > > +                fi 
> > > > > +            done 
> > > > >              # To generate Release.gpg 
> > > > > -            echo "SignWith: yes" >> 
> > > > > ${CACHE_CONF_DIR}/distributions 
> > > > > +            echo "SignWith: $option" >> 
> > > > > ${CACHE_CONF_DIR}/distributions fi 
> > > > >      fi 
> > > > >       
> > > >     
> > > 
> > > How about BASE_REPO_SIGN_KEY?   
> >
> > I do not understand what you are trying to solve with changing that 
> > name and going back to one-key-only, after you have found that 
> > BASE_REPO_KEY is indeed an array and reprepro also accepts an
> > array. 
> >
> > Now we need to know what "yes", compared to the array. 
> >  
> 
> From reprepro manual:
> 
> SignWith
> When this field is present, a Release.gpg file will be generated. If
> the value is "yes" or "default", the default key of gpg is used.
> 
> Reference:
> https://manpages.debian.org/stretch/reprepro/reprepro.1.en.html 
> 
> So I guess it would not be signed by all the keys instead just with
> the default key.

Thanks for looking this up. That actually means that the current code
is incorrect.
 - the variable is an array but the name is singular
 - every step, except reprepro deals with that correctly

So the idea of one of your patches is correct, and a fixed version of
it should be merged.

Henning

> Thanks,
> Vijai Kumar K
> 
> 
> > And any tiny patch like this one, without a proper commit message
> > and description, is not going to lead anywhere good. 
> >
> > You guys are doing the full story. kas, signed base-apt, multiple
> > keys, agent-forwarding ... 
> > After you are done you should have a clear picture of what
> > currently does not work as expected, and how it can be fixes (your
> > initial implementation). 
> > We can then discuss that implementation and incorporate a full
> > patch series including docs into kas and Isar. 
> >  
> > > commit 42ee1139e8383fc27e7d98be522cb4d306fd170c (HEAD ->
> > > apt_sign) Author: Amy Fong <Amy_...@mentor.com <javascript:>> 
> > > Date:   Thu Jun 13 12:52:06 2019 -0400 
> > > 
> > >     base-apt: Use BASE_REPO_SIGN_KEY for signing 
> > >     
> > >     Extract keyid from BASE_REPO_SIGN_KEY for signing 
> > >     
> > >     Signed-off-by: Amy Fong <Amy_...@mentor.com <javascript:>> 
> > > 
> > > diff --git a/meta/recipes-devtools/base-apt/base-apt.bb 
> > > b/meta/recipes-devtools/base-apt/base-apt.bb 
> > > index 1c0b4c6..c896add 100644 
> > > --- a/meta/recipes-devtools/base-apt/base-apt.bb 
> > > +++ b/meta/recipes-devtools/base-apt/base-apt.bb 
> > > @@ -18,9 +18,14 @@ do_cache_config() { 
> > >      if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then 
> > >          sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ 
> > >              ${WORKDIR}/distributions.in > 
> > > ${CACHE_CONF_DIR}/distributions 
> > > -        if [ "${BASE_REPO_KEY}" ] ; then 
> > > +        if [ "${BASE_REPO_SIGN_KEY}" ] ; then 
> > > +            option="yes" 
> > > +            keyid=$(wget -qO - "${BASE_REPO_SIGN_KEY}" | gpg   
> >
> > Using wget, but that is most likely a "file:///" URI. And whenever
> > you do networking in a task, you need to take care of proxies. 
> >
> > Henning 
> >  
> > > --keyid-format 0xlong --with-colons - 2>/dev/null |grep "^pub:"
> > > |awk -F':' '{print $5;}') 
> > > +            if [ -n "$keyid" ]; then 
> > > +                option="$keyid" 
> > > +            fi 
> > >              # To generate Release.gpg 
> > > -            echo "SignWith: yes" >>
> > > ${CACHE_CONF_DIR}/distributions 
> > > +            echo "SignWith: $option" >> 
> > > ${CACHE_CONF_DIR}/distributions fi 
> > >      fi 
> > >   
> > >   
> >
> >  
>