From: Vijai Kumar K <vijaikumar.kanagarajan@gmail.com>
To: Jan Kiszka <jan.kiszka@siemens.com>
Cc: vijaikumar.kanagarajan@gmail.com, isar-users@googlegroups.com,
henning.schild@siemens.com, claudius.heine.ext@siemens.com,
Amy_Fong@mentor.com
Subject: Re: [PATCH] base-apt: Use gpg keyid instead of yes
Date: Mon, 30 Sep 2019 14:12:27 +0530 [thread overview]
Message-ID: <20190930084227.GC10223@lightning> (raw)
In-Reply-To: <49311e01-52f4-0ae8-ac95-a297e1343a20@siemens.com>
On Mon, Sep 30, 2019 at 08:17:00AM +0200, Jan Kiszka wrote:
> On 27.09.19 23:11, vijaikumar.kanagarajan@gmail.com wrote:
> > From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> >
> > When using "SignWith: yes", reprepro uses the default gpg key
> > of the system to sign the repo. The default gpg key might be
> > different from what is specified in BASE_REPO_KEY, resulting
> > in using a wrong key for signing.
> >
> > Derive and use the keyid from the keyfile supplied instead of
> > a generic yes option.
> >
> > Suggested-by: Amy Fong <Amy_Fong@mentor.com>
> > Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> > ---
> > meta/recipes-devtools/base-apt/base-apt.bb | 22 +++++++++++++++++++---
> > 1 file changed, 19 insertions(+), 3 deletions(-)
> >
> > diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb
> > index 74189f1..c74be86 100644
> > --- a/meta/recipes-devtools/base-apt/base-apt.bb
> > +++ b/meta/recipes-devtools/base-apt/base-apt.bb
> > @@ -4,6 +4,7 @@
> > SRC_URI = "file://distributions.in"
> > BASE_REPO_KEY ?= ""
> > +KEYFILES ?= ""
> > CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf"
> > do_cache_config[dirs] = "${CACHE_CONF_DIR}"
> > @@ -12,13 +13,18 @@ do_cache_config[lockfiles] = "${REPO_BASE_DIR}/isar.lock"
> > # Generate reprepro config for current distro if it doesn't exist. Once it's
> > # generated, this task should do nothing.
> > -do_cache_config() {
> > +repo_config() {
> > if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
> > sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
> > ${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions
> > - if [ "${BASE_REPO_KEY}" ] ; then
> > + if [ -n "${KEYFILES}" ]; then
> > + option=""
> > + for key in ${KEYFILES}; do
> > + keyid=$(cat ${key} | gpg --keyid-format 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}')
>
> I hope this parsing is stable...
Having used it for quite sometime I dont see an issue. It would be better if we error out if the key is not present
in the system. Will add it in v2.
>
> > + option="${option}${keyid} "
> > + done
> > # To generate Release.gpg
> > - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
> > + echo "SignWith: ${option}" >> ${CACHE_CONF_DIR}/distributions
> > fi
> > fi
> > @@ -35,4 +41,14 @@ do_cache_config() {
> > fi
> > }
> > +python do_cache_config() {
> > + for key in d.getVar('BASE_REPO_KEY').split():
> > + d.appendVar("SRC_URI", " %s" % key)
> > + fetcher = bb.fetch2.Fetch([key], d)
>
> I wonder if that magically addresses the case that changing key file content
> should also trigger rebuilds. Similar to
> https://github.com/ilbers/isar/issues/60.
Not sure about that. May be some testing would reveal it.
>
> > + filename = fetcher.localpath(key)
> > + d.appendVar("KEYFILES", " %s" % filename)
> > +
> > + bb.build.exec_func('repo_config', d)
> > +}
> > +
> > addtask cache_config after do_build
> >
>
> Looks good - if the keyid extraction if actually robust.
>
Thanks,
Vijai Kumar K
> Jan
>
> --
> Siemens AG, Corporate Technology, CT RDA IOT SES-DE
> Corporate Competence Center Embedded Linux
next prev parent reply other threads:[~2019-09-30 8:42 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-27 21:11 vijaikumar.kanagarajan
2019-09-30 6:17 ` Jan Kiszka
2019-09-30 8:42 ` Vijai Kumar K [this message]
2019-09-30 8:51 ` vijai kumar
2019-10-14 16:38 ` Henning Schild
2019-10-15 9:17 ` [PATCH v2] " vijaikumar.kanagarajan
2019-10-15 9:19 ` vijai kumar
2019-10-23 7:24 ` Vijai Kumar K
2019-11-02 15:57 ` Baurzhan Ismagulov
2019-11-02 16:37 ` vijai kumar
2019-11-05 10:33 ` [PATCH] meta/base-apt: Fix build issue with CI vijaikumar.kanagarajan
2019-11-05 18:10 ` vijai kumar
2019-11-19 16:41 ` Baurzhan Ismagulov
2019-11-19 16:40 ` [PATCH v2] base-apt: Use gpg keyid instead of yes Baurzhan Ismagulov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190930084227.GC10223@lightning \
--to=vijaikumar.kanagarajan@gmail.com \
--cc=Amy_Fong@mentor.com \
--cc=claudius.heine.ext@siemens.com \
--cc=henning.schild@siemens.com \
--cc=isar-users@googlegroups.com \
--cc=jan.kiszka@siemens.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox