* [PATCH] base-apt: Use gpg keyid instead of yes
@ 2019-09-27 21:11 vijaikumar.kanagarajan
2019-09-30 6:17 ` Jan Kiszka
0 siblings, 1 reply; 14+ messages in thread
From: vijaikumar.kanagarajan @ 2019-09-27 21:11 UTC (permalink / raw)
To: isar-users, henning.schild, claudius.heine.ext
Cc: jan.kiszka, Amy_Fong, Vijai Kumar K
From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
When using "SignWith: yes", reprepro uses the default gpg key
of the system to sign the repo. The default gpg key might be
different from what is specified in BASE_REPO_KEY, resulting
in using a wrong key for signing.
Derive and use the keyid from the keyfile supplied instead of
a generic yes option.
Suggested-by: Amy Fong <Amy_Fong@mentor.com>
Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
---
meta/recipes-devtools/base-apt/base-apt.bb | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb
index 74189f1..c74be86 100644
--- a/meta/recipes-devtools/base-apt/base-apt.bb
+++ b/meta/recipes-devtools/base-apt/base-apt.bb
@@ -4,6 +4,7 @@
SRC_URI = "file://distributions.in"
BASE_REPO_KEY ?= ""
+KEYFILES ?= ""
CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf"
do_cache_config[dirs] = "${CACHE_CONF_DIR}"
@@ -12,13 +13,18 @@ do_cache_config[lockfiles] = "${REPO_BASE_DIR}/isar.lock"
# Generate reprepro config for current distro if it doesn't exist. Once it's
# generated, this task should do nothing.
-do_cache_config() {
+repo_config() {
if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions
- if [ "${BASE_REPO_KEY}" ] ; then
+ if [ -n "${KEYFILES}" ]; then
+ option=""
+ for key in ${KEYFILES}; do
+ keyid=$(cat ${key} | gpg --keyid-format 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}')
+ option="${option}${keyid} "
+ done
# To generate Release.gpg
- echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
+ echo "SignWith: ${option}" >> ${CACHE_CONF_DIR}/distributions
fi
fi
@@ -35,4 +41,14 @@ do_cache_config() {
fi
}
+python do_cache_config() {
+ for key in d.getVar('BASE_REPO_KEY').split():
+ d.appendVar("SRC_URI", " %s" % key)
+ fetcher = bb.fetch2.Fetch([key], d)
+ filename = fetcher.localpath(key)
+ d.appendVar("KEYFILES", " %s" % filename)
+
+ bb.build.exec_func('repo_config', d)
+}
+
addtask cache_config after do_build
--
2.17.1
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] base-apt: Use gpg keyid instead of yes
2019-09-27 21:11 [PATCH] base-apt: Use gpg keyid instead of yes vijaikumar.kanagarajan
@ 2019-09-30 6:17 ` Jan Kiszka
2019-09-30 8:42 ` Vijai Kumar K
2019-10-14 16:38 ` Henning Schild
0 siblings, 2 replies; 14+ messages in thread
From: Jan Kiszka @ 2019-09-30 6:17 UTC (permalink / raw)
To: vijaikumar.kanagarajan, isar-users, henning.schild, claudius.heine.ext
Cc: Amy_Fong, Vijai Kumar K
On 27.09.19 23:11, vijaikumar.kanagarajan@gmail.com wrote:
> From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
>
> When using "SignWith: yes", reprepro uses the default gpg key
> of the system to sign the repo. The default gpg key might be
> different from what is specified in BASE_REPO_KEY, resulting
> in using a wrong key for signing.
>
> Derive and use the keyid from the keyfile supplied instead of
> a generic yes option.
>
> Suggested-by: Amy Fong <Amy_Fong@mentor.com>
> Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> ---
> meta/recipes-devtools/base-apt/base-apt.bb | 22 +++++++++++++++++++---
> 1 file changed, 19 insertions(+), 3 deletions(-)
>
> diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb
> index 74189f1..c74be86 100644
> --- a/meta/recipes-devtools/base-apt/base-apt.bb
> +++ b/meta/recipes-devtools/base-apt/base-apt.bb
> @@ -4,6 +4,7 @@
> SRC_URI = "file://distributions.in"
>
> BASE_REPO_KEY ?= ""
> +KEYFILES ?= ""
>
> CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf"
> do_cache_config[dirs] = "${CACHE_CONF_DIR}"
> @@ -12,13 +13,18 @@ do_cache_config[lockfiles] = "${REPO_BASE_DIR}/isar.lock"
>
> # Generate reprepro config for current distro if it doesn't exist. Once it's
> # generated, this task should do nothing.
> -do_cache_config() {
> +repo_config() {
> if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
> sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
> ${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions
> - if [ "${BASE_REPO_KEY}" ] ; then
> + if [ -n "${KEYFILES}" ]; then
> + option=""
> + for key in ${KEYFILES}; do
> + keyid=$(cat ${key} | gpg --keyid-format 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}')
I hope this parsing is stable...
> + option="${option}${keyid} "
> + done
> # To generate Release.gpg
> - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
> + echo "SignWith: ${option}" >> ${CACHE_CONF_DIR}/distributions
> fi
> fi
>
> @@ -35,4 +41,14 @@ do_cache_config() {
> fi
> }
>
> +python do_cache_config() {
> + for key in d.getVar('BASE_REPO_KEY').split():
> + d.appendVar("SRC_URI", " %s" % key)
> + fetcher = bb.fetch2.Fetch([key], d)
I wonder if that magically addresses the case that changing key file content
should also trigger rebuilds. Similar to https://github.com/ilbers/isar/issues/60.
> + filename = fetcher.localpath(key)
> + d.appendVar("KEYFILES", " %s" % filename)
> +
> + bb.build.exec_func('repo_config', d)
> +}
> +
> addtask cache_config after do_build
>
Looks good - if the keyid extraction if actually robust.
Jan
--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] base-apt: Use gpg keyid instead of yes
2019-09-30 6:17 ` Jan Kiszka
@ 2019-09-30 8:42 ` Vijai Kumar K
2019-09-30 8:51 ` vijai kumar
2019-10-14 16:38 ` Henning Schild
1 sibling, 1 reply; 14+ messages in thread
From: Vijai Kumar K @ 2019-09-30 8:42 UTC (permalink / raw)
To: Jan Kiszka
Cc: vijaikumar.kanagarajan, isar-users, henning.schild,
claudius.heine.ext, Amy_Fong
On Mon, Sep 30, 2019 at 08:17:00AM +0200, Jan Kiszka wrote:
> On 27.09.19 23:11, vijaikumar.kanagarajan@gmail.com wrote:
> > From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> >
> > When using "SignWith: yes", reprepro uses the default gpg key
> > of the system to sign the repo. The default gpg key might be
> > different from what is specified in BASE_REPO_KEY, resulting
> > in using a wrong key for signing.
> >
> > Derive and use the keyid from the keyfile supplied instead of
> > a generic yes option.
> >
> > Suggested-by: Amy Fong <Amy_Fong@mentor.com>
> > Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> > ---
> > meta/recipes-devtools/base-apt/base-apt.bb | 22 +++++++++++++++++++---
> > 1 file changed, 19 insertions(+), 3 deletions(-)
> >
> > diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb
> > index 74189f1..c74be86 100644
> > --- a/meta/recipes-devtools/base-apt/base-apt.bb
> > +++ b/meta/recipes-devtools/base-apt/base-apt.bb
> > @@ -4,6 +4,7 @@
> > SRC_URI = "file://distributions.in"
> > BASE_REPO_KEY ?= ""
> > +KEYFILES ?= ""
> > CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf"
> > do_cache_config[dirs] = "${CACHE_CONF_DIR}"
> > @@ -12,13 +13,18 @@ do_cache_config[lockfiles] = "${REPO_BASE_DIR}/isar.lock"
> > # Generate reprepro config for current distro if it doesn't exist. Once it's
> > # generated, this task should do nothing.
> > -do_cache_config() {
> > +repo_config() {
> > if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
> > sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
> > ${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions
> > - if [ "${BASE_REPO_KEY}" ] ; then
> > + if [ -n "${KEYFILES}" ]; then
> > + option=""
> > + for key in ${KEYFILES}; do
> > + keyid=$(cat ${key} | gpg --keyid-format 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}')
>
> I hope this parsing is stable...
Having used it for quite sometime I dont see an issue. It would be better if we error out if the key is not present
in the system. Will add it in v2.
>
> > + option="${option}${keyid} "
> > + done
> > # To generate Release.gpg
> > - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
> > + echo "SignWith: ${option}" >> ${CACHE_CONF_DIR}/distributions
> > fi
> > fi
> > @@ -35,4 +41,14 @@ do_cache_config() {
> > fi
> > }
> > +python do_cache_config() {
> > + for key in d.getVar('BASE_REPO_KEY').split():
> > + d.appendVar("SRC_URI", " %s" % key)
> > + fetcher = bb.fetch2.Fetch([key], d)
>
> I wonder if that magically addresses the case that changing key file content
> should also trigger rebuilds. Similar to
> https://github.com/ilbers/isar/issues/60.
Not sure about that. May be some testing would reveal it.
>
> > + filename = fetcher.localpath(key)
> > + d.appendVar("KEYFILES", " %s" % filename)
> > +
> > + bb.build.exec_func('repo_config', d)
> > +}
> > +
> > addtask cache_config after do_build
> >
>
> Looks good - if the keyid extraction if actually robust.
>
Thanks,
Vijai Kumar K
> Jan
>
> --
> Siemens AG, Corporate Technology, CT RDA IOT SES-DE
> Corporate Competence Center Embedded Linux
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] base-apt: Use gpg keyid instead of yes
2019-09-30 8:42 ` Vijai Kumar K
@ 2019-09-30 8:51 ` vijai kumar
0 siblings, 0 replies; 14+ messages in thread
From: vijai kumar @ 2019-09-30 8:51 UTC (permalink / raw)
To: isar-users
[-- Attachment #1.1: Type: text/plain, Size: 3908 bytes --]
On Monday, September 30, 2019 at 2:12:34 PM UTC+5:30, vijai kumar wrote:
>
> On Mon, Sep 30, 2019 at 08:17:00AM +0200, Jan Kiszka wrote:
> > On 27.09.19 23:11, vijaikumar.kanagarajan@gmail.com wrote:
> > > From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> > >
> > > When using "SignWith: yes", reprepro uses the default gpg key
> > > of the system to sign the repo. The default gpg key might be
> > > different from what is specified in BASE_REPO_KEY, resulting
> > > in using a wrong key for signing.
> > >
> > > Derive and use the keyid from the keyfile supplied instead of
> > > a generic yes option.
> > >
> > > Suggested-by: Amy Fong <Amy_Fong@mentor.com>
> > > Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> > > ---
> > > meta/recipes-devtools/base-apt/base-apt.bb | 22
> +++++++++++++++++++---
> > > 1 file changed, 19 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/meta/recipes-devtools/base-apt/base-apt.bb
> b/meta/recipes-devtools/base-apt/base-apt.bb
> > > index 74189f1..c74be86 100644
> > > --- a/meta/recipes-devtools/base-apt/base-apt.bb
> > > +++ b/meta/recipes-devtools/base-apt/base-apt.bb
> > > @@ -4,6 +4,7 @@
> > > SRC_URI = "file://distributions.in"
> > > BASE_REPO_KEY ?= ""
> > > +KEYFILES ?= ""
> > > CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf"
> > > do_cache_config[dirs] = "${CACHE_CONF_DIR}"
> > > @@ -12,13 +13,18 @@ do_cache_config[lockfiles] =
> "${REPO_BASE_DIR}/isar.lock"
> > > # Generate reprepro config for current distro if it doesn't exist.
> Once it's
> > > # generated, this task should do nothing.
> > > -do_cache_config() {
> > > +repo_config() {
> > > if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
> > > sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
> > > ${WORKDIR}/distributions.in >
> ${CACHE_CONF_DIR}/distributions
> > > - if [ "${BASE_REPO_KEY}" ] ; then
> > > + if [ -n "${KEYFILES}" ]; then
> > > + option=""
> > > + for key in ${KEYFILES}; do
> > > + keyid=$(cat ${key} | gpg --keyid-format 0xlong
> --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}')
> >
> > I hope this parsing is stable...
>
> Having used it for quite sometime I dont see an issue. It would be better
> if we error out if the key is not present
> in the system. Will add it in v2.
>
On a second thought that condition check is unnecessary at this point. It
could just fail at signing when it is not able to find the key.
So no V2.
>
> >
> > > + option="${option}${keyid} "
> > > + done
> > > # To generate Release.gpg
> > > - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
> > > + echo "SignWith: ${option}" >>
> ${CACHE_CONF_DIR}/distributions
> > > fi
> > > fi
> > > @@ -35,4 +41,14 @@ do_cache_config() {
> > > fi
> > > }
> > > +python do_cache_config() {
> > > + for key in d.getVar('BASE_REPO_KEY').split():
> > > + d.appendVar("SRC_URI", " %s" % key)
> > > + fetcher = bb.fetch2.Fetch([key], d)
> >
> > I wonder if that magically addresses the case that changing key file
> content
> > should also trigger rebuilds. Similar to
> > https://github.com/ilbers/isar/issues/60.
>
> Not sure about that. May be some testing would reveal it.
>
> >
> > > + filename = fetcher.localpath(key)
> > > + d.appendVar("KEYFILES", " %s" % filename)
> > > +
> > > + bb.build.exec_func('repo_config', d)
> > > +}
> > > +
> > > addtask cache_config after do_build
> > >
> >
> > Looks good - if the keyid extraction if actually robust.
> >
>
> Thanks,
> Vijai Kumar K
>
> > Jan
> >
> > --
> > Siemens AG, Corporate Technology, CT RDA IOT SES-DE
> > Corporate Competence Center Embedded Linux
>
[-- Attachment #1.2: Type: text/html, Size: 9649 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] base-apt: Use gpg keyid instead of yes
2019-09-30 6:17 ` Jan Kiszka
2019-09-30 8:42 ` Vijai Kumar K
@ 2019-10-14 16:38 ` Henning Schild
2019-10-15 9:17 ` [PATCH v2] " vijaikumar.kanagarajan
1 sibling, 1 reply; 14+ messages in thread
From: Henning Schild @ 2019-10-14 16:38 UTC (permalink / raw)
To: Jan Kiszka
Cc: vijaikumar.kanagarajan, isar-users, claudius.heine.ext, Amy_Fong,
Vijai Kumar K
Am Mon, 30 Sep 2019 08:17:00 +0200
schrieb Jan Kiszka <jan.kiszka@siemens.com>:
> On 27.09.19 23:11, vijaikumar.kanagarajan@gmail.com wrote:
> > From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> >
> > When using "SignWith: yes", reprepro uses the default gpg key
> > of the system to sign the repo. The default gpg key might be
> > different from what is specified in BASE_REPO_KEY, resulting
> > in using a wrong key for signing.
> >
> > Derive and use the keyid from the keyfile supplied instead of
> > a generic yes option.
> >
> > Suggested-by: Amy Fong <Amy_Fong@mentor.com>
> > Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> > ---
> > meta/recipes-devtools/base-apt/base-apt.bb | 22
> > +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3
> > deletions(-)
> >
> > diff --git a/meta/recipes-devtools/base-apt/base-apt.bb
> > b/meta/recipes-devtools/base-apt/base-apt.bb index 74189f1..c74be86
> > 100644 --- a/meta/recipes-devtools/base-apt/base-apt.bb
> > +++ b/meta/recipes-devtools/base-apt/base-apt.bb
> > @@ -4,6 +4,7 @@
> > SRC_URI = "file://distributions.in"
> >
> > BASE_REPO_KEY ?= ""
> > +KEYFILES ?= ""
> >
> > CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf"
> > do_cache_config[dirs] = "${CACHE_CONF_DIR}"
> > @@ -12,13 +13,18 @@ do_cache_config[lockfiles] =
> > "${REPO_BASE_DIR}/isar.lock"
> > # Generate reprepro config for current distro if it doesn't
> > exist. Once it's # generated, this task should do nothing.
> > -do_cache_config() {
> > +repo_config() {
> > if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
> > sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
> > ${WORKDIR}/distributions.in >
> > ${CACHE_CONF_DIR}/distributions
> > - if [ "${BASE_REPO_KEY}" ] ; then
> > + if [ -n "${KEYFILES}" ]; then
> > + option=""
> > + for key in ${KEYFILES}; do
> > + keyid=$(cat ${key} | gpg --keyid-format 0xlong
> > --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print
> > $5;}')
>
> I hope this parsing is stable...
It looks ok, the format args used are meant for parsing.
But i would like to point out the useless use of cat.
Plus an inconsistent use of spaces around pipes.
Henning
>
> > + option="${option}${keyid} "
> > + done
> > # To generate Release.gpg
> > - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
> > + echo "SignWith: ${option}" >>
> > ${CACHE_CONF_DIR}/distributions fi
> > fi
> >
> > @@ -35,4 +41,14 @@ do_cache_config() {
> > fi
> > }
> >
> > +python do_cache_config() {
> > + for key in d.getVar('BASE_REPO_KEY').split():
> > + d.appendVar("SRC_URI", " %s" % key)
> > + fetcher = bb.fetch2.Fetch([key], d)
>
> I wonder if that magically addresses the case that changing key file
> content should also trigger rebuilds. Similar to
> https://github.com/ilbers/isar/issues/60.
>
> > + filename = fetcher.localpath(key)
> > + d.appendVar("KEYFILES", " %s" % filename)
> > +
> > + bb.build.exec_func('repo_config', d)
> > +}
> > +
> > addtask cache_config after do_build
> >
>
> Looks good - if the keyid extraction if actually robust.
>
> Jan
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH v2] base-apt: Use gpg keyid instead of yes
2019-10-14 16:38 ` Henning Schild
@ 2019-10-15 9:17 ` vijaikumar.kanagarajan
2019-10-15 9:19 ` vijai kumar
` (2 more replies)
0 siblings, 3 replies; 14+ messages in thread
From: vijaikumar.kanagarajan @ 2019-10-15 9:17 UTC (permalink / raw)
To: isar-users, henning.schild; +Cc: Vijai Kumar K
From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
When using "SignWith: yes", reprepro uses the default gpg key
of the system to sign the repo. The default gpg key might be
different from what is specified in BASE_REPO_KEY, resulting
in using a wrong key for signing.
Derive and use the keyid from the keyfile supplied instead of
a generic yes option.
Suggested-by: Amy Fong <Amy_Fong@mentor.com>
Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
---
Changes in v2:
- Address review comments from Henning.
meta/recipes-devtools/base-apt/base-apt.bb | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb
index 6acd6e7..42ff782 100644
--- a/meta/recipes-devtools/base-apt/base-apt.bb
+++ b/meta/recipes-devtools/base-apt/base-apt.bb
@@ -4,6 +4,7 @@
SRC_URI = "file://distributions.in"
BASE_REPO_KEY ?= ""
+KEYFILES ?= ""
CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf"
do_cache_config[dirs] = "${CACHE_CONF_DIR}"
@@ -12,13 +13,18 @@ do_cache_config[lockfiles] = "${REPO_BASE_DIR}/isar.lock"
# Generate reprepro config for current distro if it doesn't exist. Once it's
# generated, this task should do nothing.
-do_cache_config() {
+repo_config() {
if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions
- if [ "${BASE_REPO_KEY}" ] ; then
+ if [ -n "${KEYFILES}" ]; then
+ option=""
+ for key in ${KEYFILES}; do
+ keyid=$(gpg --keyid-format 0xlong --with-colons ${key} 2>/dev/null | grep "^pub:" | awk -F':' '{print $5;}')
+ option="${option}${keyid} "
+ done
# To generate Release.gpg
- echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
+ echo "SignWith: ${option}" >> ${CACHE_CONF_DIR}/distributions
fi
fi
@@ -35,4 +41,14 @@ do_cache_config() {
fi
}
+python do_cache_config() {
+ for key in d.getVar('BASE_REPO_KEY').split():
+ d.appendVar("SRC_URI", " %s" % key)
+ fetcher = bb.fetch2.Fetch([key], d)
+ filename = fetcher.localpath(key)
+ d.appendVar("KEYFILES", " %s" % filename)
+
+ bb.build.exec_func('repo_config', d)
+}
+
addtask cache_config after do_unpack before do_build
--
2.17.1
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] base-apt: Use gpg keyid instead of yes
2019-10-15 9:17 ` [PATCH v2] " vijaikumar.kanagarajan
@ 2019-10-15 9:19 ` vijai kumar
2019-10-23 7:24 ` Vijai Kumar K
2019-11-02 15:57 ` Baurzhan Ismagulov
2019-11-19 16:40 ` [PATCH v2] base-apt: Use gpg keyid instead of yes Baurzhan Ismagulov
2 siblings, 1 reply; 14+ messages in thread
From: vijai kumar @ 2019-10-15 9:19 UTC (permalink / raw)
To: isar-users
[-- Attachment #1.1: Type: text/plain, Size: 2865 bytes --]
This v2 is also rebased on top of current next. Forgot to mention that.
Thanks,
Vijai Kumar K
On Tuesday, October 15, 2019 at 2:47:55 PM UTC+5:30, vijai kumar wrote:
>
> From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
>
> When using "SignWith: yes", reprepro uses the default gpg key
> of the system to sign the repo. The default gpg key might be
> different from what is specified in BASE_REPO_KEY, resulting
> in using a wrong key for signing.
>
> Derive and use the keyid from the keyfile supplied instead of
> a generic yes option.
>
> Suggested-by: Amy Fong <Amy_Fong@mentor.com>
> Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> ---
> Changes in v2:
> - Address review comments from Henning.
>
> meta/recipes-devtools/base-apt/base-apt.bb | 22 +++++++++++++++++++---
> 1 file changed, 19 insertions(+), 3 deletions(-)
>
> diff --git a/meta/recipes-devtools/base-apt/base-apt.bb
> b/meta/recipes-devtools/base-apt/base-apt.bb
> index 6acd6e7..42ff782 100644
> --- a/meta/recipes-devtools/base-apt/base-apt.bb
> +++ b/meta/recipes-devtools/base-apt/base-apt.bb
> @@ -4,6 +4,7 @@
> SRC_URI = "file://distributions.in"
>
> BASE_REPO_KEY ?= ""
> +KEYFILES ?= ""
>
> CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf"
> do_cache_config[dirs] = "${CACHE_CONF_DIR}"
> @@ -12,13 +13,18 @@ do_cache_config[lockfiles] =
> "${REPO_BASE_DIR}/isar.lock"
>
> # Generate reprepro config for current distro if it doesn't exist. Once
> it's
> # generated, this task should do nothing.
> -do_cache_config() {
> +repo_config() {
> if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
> sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
> ${WORKDIR}/distributions.in >
> ${CACHE_CONF_DIR}/distributions
> - if [ "${BASE_REPO_KEY}" ] ; then
> + if [ -n "${KEYFILES}" ]; then
> + option=""
> + for key in ${KEYFILES}; do
> + keyid=$(gpg --keyid-format 0xlong --with-colons ${key}
> 2>/dev/null | grep "^pub:" | awk -F':' '{print $5;}')
> + option="${option}${keyid} "
> + done
> # To generate Release.gpg
> - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
> + echo "SignWith: ${option}" >> ${CACHE_CONF_DIR}/distributions
> fi
> fi
>
> @@ -35,4 +41,14 @@ do_cache_config() {
> fi
> }
>
> +python do_cache_config() {
> + for key in d.getVar('BASE_REPO_KEY').split():
> + d.appendVar("SRC_URI", " %s" % key)
> + fetcher = bb.fetch2.Fetch([key], d)
> + filename = fetcher.localpath(key)
> + d.appendVar("KEYFILES", " %s" % filename)
> +
> + bb.build.exec_func('repo_config', d)
> +}
> +
> addtask cache_config after do_unpack before do_build
> --
> 2.17.1
>
>
[-- Attachment #1.2: Type: text/html, Size: 7264 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] base-apt: Use gpg keyid instead of yes
2019-10-15 9:19 ` vijai kumar
@ 2019-10-23 7:24 ` Vijai Kumar K
0 siblings, 0 replies; 14+ messages in thread
From: Vijai Kumar K @ 2019-10-23 7:24 UTC (permalink / raw)
To: vijai kumar; +Cc: isar-users
On Tue, Oct 15, 2019 at 02:19:36AM -0700, vijai kumar wrote:
If there are no more review comments, can this be merged to next?
Thanks,
Vijai Kumar K
> This v2 is also rebased on top of current next. Forgot to mention that.
>
> Thanks,
> Vijai Kumar K
>
> On Tuesday, October 15, 2019 at 2:47:55 PM UTC+5:30, vijai kumar wrote:
> >
> > From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> >
> > When using "SignWith: yes", reprepro uses the default gpg key
> > of the system to sign the repo. The default gpg key might be
> > different from what is specified in BASE_REPO_KEY, resulting
> > in using a wrong key for signing.
> >
> > Derive and use the keyid from the keyfile supplied instead of
> > a generic yes option.
> >
> > Suggested-by: Amy Fong <Amy_Fong@mentor.com>
> > Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> > ---
> > Changes in v2:
> > - Address review comments from Henning.
> >
> > meta/recipes-devtools/base-apt/base-apt.bb | 22 +++++++++++++++++++---
> > 1 file changed, 19 insertions(+), 3 deletions(-)
> >
> > diff --git a/meta/recipes-devtools/base-apt/base-apt.bb
> > b/meta/recipes-devtools/base-apt/base-apt.bb
> > index 6acd6e7..42ff782 100644
> > --- a/meta/recipes-devtools/base-apt/base-apt.bb
> > +++ b/meta/recipes-devtools/base-apt/base-apt.bb
> > @@ -4,6 +4,7 @@
> > SRC_URI = "file://distributions.in"
> >
> > BASE_REPO_KEY ?= ""
> > +KEYFILES ?= ""
> >
> > CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf"
> > do_cache_config[dirs] = "${CACHE_CONF_DIR}"
> > @@ -12,13 +13,18 @@ do_cache_config[lockfiles] =
> > "${REPO_BASE_DIR}/isar.lock"
> >
> > # Generate reprepro config for current distro if it doesn't exist. Once
> > it's
> > # generated, this task should do nothing.
> > -do_cache_config() {
> > +repo_config() {
> > if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
> > sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
> > ${WORKDIR}/distributions.in >
> > ${CACHE_CONF_DIR}/distributions
> > - if [ "${BASE_REPO_KEY}" ] ; then
> > + if [ -n "${KEYFILES}" ]; then
> > + option=""
> > + for key in ${KEYFILES}; do
> > + keyid=$(gpg --keyid-format 0xlong --with-colons ${key}
> > 2>/dev/null | grep "^pub:" | awk -F':' '{print $5;}')
> > + option="${option}${keyid} "
> > + done
> > # To generate Release.gpg
> > - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
> > + echo "SignWith: ${option}" >> ${CACHE_CONF_DIR}/distributions
> > fi
> > fi
> >
> > @@ -35,4 +41,14 @@ do_cache_config() {
> > fi
> > }
> >
> > +python do_cache_config() {
> > + for key in d.getVar('BASE_REPO_KEY').split():
> > + d.appendVar("SRC_URI", " %s" % key)
> > + fetcher = bb.fetch2.Fetch([key], d)
> > + filename = fetcher.localpath(key)
> > + d.appendVar("KEYFILES", " %s" % filename)
> > +
> > + bb.build.exec_func('repo_config', d)
> > +}
> > +
> > addtask cache_config after do_unpack before do_build
> > --
> > 2.17.1
> >
> >
>
> --
> You received this message because you are subscribed to the Google Groups "isar-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/isar-users/c20121db-766f-49e2-b64b-d25761d4f1bb%40googlegroups.com.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] base-apt: Use gpg keyid instead of yes
2019-10-15 9:17 ` [PATCH v2] " vijaikumar.kanagarajan
2019-10-15 9:19 ` vijai kumar
@ 2019-11-02 15:57 ` Baurzhan Ismagulov
2019-11-02 16:37 ` vijai kumar
2019-11-19 16:40 ` [PATCH v2] base-apt: Use gpg keyid instead of yes Baurzhan Ismagulov
2 siblings, 1 reply; 14+ messages in thread
From: Baurzhan Ismagulov @ 2019-11-02 15:57 UTC (permalink / raw)
To: isar-users
Hello Vijai Kumar,
On Tue, Oct 15, 2019 at 02:47:23PM +0530, vijaikumar.kanagarajan@gmail.com wrote:
> When using "SignWith: yes", reprepro uses the default gpg key
> of the system to sign the repo. The default gpg key might be
> different from what is specified in BASE_REPO_KEY, resulting
> in using a wrong key for signing.
>
> Derive and use the keyid from the keyfile supplied instead of
> a generic yes option.
I'm experiencing the problems below, could you please have a look?
http://ci.isar-build.org:8080/job/isar_ibr_next/lastFailedBuild/consoleFull
bitbake -v -c cache_base_repo multiconfig:qemuarm-stretch:isar-image-base multiconfig:qemuarm64-stretch:isar-image-base multiconfig:qemuamd64-stretch:isar-image-base multiconfig:qemuarm-buster:isar-image-base
...
ERROR: mc:qemuarm-buster:base-apt-1.0-r0 do_cache_config: Function failed: repo_config (log file is located at /workspace/build/isar_ibr_next/12/build/tmp/work/debian-buster-armhf/base-apt/1.0-r0/temp/log.do_cache_config.16781)
...
| + export GNUPGHOME=/tmp/tmp.laEgOqLEko
| + reprepro -b /workspace/build/isar_ibr_next/12/build/downloads/base-apt/debian-buster/apt/debian --dbdir /workspace/build/isar_ibr_next/12/build/downloads/base-apt/debian-buster/db/debian export buster
| Error parsing /workspace/build/isar_ibr_next/12/build/downloads/base-apt/debian-buster/apt/debian/conf/distributions, line 4, column 12: Missing value for SignWith field.
With kind regards,
Baurzhan.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] base-apt: Use gpg keyid instead of yes
2019-11-02 15:57 ` Baurzhan Ismagulov
@ 2019-11-02 16:37 ` vijai kumar
2019-11-05 10:33 ` [PATCH] meta/base-apt: Fix build issue with CI vijaikumar.kanagarajan
0 siblings, 1 reply; 14+ messages in thread
From: vijai kumar @ 2019-11-02 16:37 UTC (permalink / raw)
To: isar-users
[-- Attachment #1: Type: text/plain, Size: 2082 bytes --]
Sure Baurzhan. I'm on travel. I'll look into it first thing Monday morning.
Thanks,
Vijai Kumar K
On Sat 2 Nov, 2019, 9:27 PM Baurzhan Ismagulov, <ibr@radix50.net> wrote:
> Hello Vijai Kumar,
>
> On Tue, Oct 15, 2019 at 02:47:23PM +0530, vijaikumar.kanagarajan@gmail.com
> wrote:
> > When using "SignWith: yes", reprepro uses the default gpg key
> > of the system to sign the repo. The default gpg key might be
> > different from what is specified in BASE_REPO_KEY, resulting
> > in using a wrong key for signing.
> >
> > Derive and use the keyid from the keyfile supplied instead of
> > a generic yes option.
>
> I'm experiencing the problems below, could you please have a look?
>
> http://ci.isar-build.org:8080/job/isar_ibr_next/lastFailedBuild/consoleFull
>
> bitbake -v -c cache_base_repo multiconfig:qemuarm-stretch:isar-image-base
> multiconfig:qemuarm64-stretch:isar-image-base
> multiconfig:qemuamd64-stretch:isar-image-base
> multiconfig:qemuarm-buster:isar-image-base
> ...
> ERROR: mc:qemuarm-buster:base-apt-1.0-r0 do_cache_config: Function failed:
> repo_config (log file is located at
> /workspace/build/isar_ibr_next/12/build/tmp/work/debian-buster-armhf/base-apt/1.0-r0/temp/log.do_cache_config.16781)
> ...
> | + export GNUPGHOME=/tmp/tmp.laEgOqLEko
> | + reprepro -b
> /workspace/build/isar_ibr_next/12/build/downloads/base-apt/debian-buster/apt/debian
> --dbdir
> /workspace/build/isar_ibr_next/12/build/downloads/base-apt/debian-buster/db/debian
> export buster
> | Error parsing
> /workspace/build/isar_ibr_next/12/build/downloads/base-apt/debian-buster/apt/debian/conf/distributions,
> line 4, column 12: Missing value for SignWith field.
>
> With kind regards,
> Baurzhan.
>
> --
> You received this message because you are subscribed to the Google Groups
> "isar-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to isar-users+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/isar-users/20191102155725.ecot7nhc4f3pqxck%40yssyq.m.ilbers.de
> .
>
[-- Attachment #2: Type: text/html, Size: 3076 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH] meta/base-apt: Fix build issue with CI
2019-11-02 16:37 ` vijai kumar
@ 2019-11-05 10:33 ` vijaikumar.kanagarajan
2019-11-05 18:10 ` vijai kumar
2019-11-19 16:41 ` Baurzhan Ismagulov
0 siblings, 2 replies; 14+ messages in thread
From: vijaikumar.kanagarajan @ 2019-11-05 10:33 UTC (permalink / raw)
To: isar-users, ibr; +Cc: Vijai Kumar K
From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
CI triggers the build in a chrooted environment with userspec
option set to host user. GPG commands would fail since we donot have
access to the $HOME folder in chroot.
Make GNUPGHOME available to avoid failures due to permission issues.
Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
---
Hi Baurzhan,
This patch should fix the issue we are facing in CI.
There is a job running successfully with this patchset at
http://ci.isar-build.org:8080/job/isar_vkk_devel/10/consoleFull
Thanks,
Vijai Kumar K
meta/recipes-devtools/base-apt/base-apt.bb | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb
index 42ff782..9a0f7c8 100644
--- a/meta/recipes-devtools/base-apt/base-apt.bb
+++ b/meta/recipes-devtools/base-apt/base-apt.bb
@@ -14,6 +14,10 @@ do_cache_config[lockfiles] = "${REPO_BASE_DIR}/isar.lock"
# Generate reprepro config for current distro if it doesn't exist. Once it's
# generated, this task should do nothing.
repo_config() {
+ if [ -n "${GNUPGHOME}" ]; then
+ export GNUPGHOME="${GNUPGHOME}"
+ fi
+
if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions
@@ -32,9 +36,6 @@ repo_config() {
path_databases="${REPO_BASE_DB_DIR}/${BASE_DISTRO}"
if [ ! -d "${path_databases}" ]; then
- if [ -n "${GNUPGHOME}" ]; then
- export GNUPGHOME="${GNUPGHOME}"
- fi
reprepro -b ${path_cache} \
--dbdir ${path_databases} \
export ${BASE_DISTRO_CODENAME}
--
2.17.1
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] meta/base-apt: Fix build issue with CI
2019-11-05 10:33 ` [PATCH] meta/base-apt: Fix build issue with CI vijaikumar.kanagarajan
@ 2019-11-05 18:10 ` vijai kumar
2019-11-19 16:41 ` Baurzhan Ismagulov
1 sibling, 0 replies; 14+ messages in thread
From: vijai kumar @ 2019-11-05 18:10 UTC (permalink / raw)
To: isar-users
[-- Attachment #1.1: Type: text/plain, Size: 2060 bytes --]
The build succeeded.
Thanks,
Vijai Kumar K
On Tuesday, November 5, 2019 at 4:03:27 PM UTC+5:30, vijai kumar wrote:
>
> From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
>
> CI triggers the build in a chrooted environment with userspec
> option set to host user. GPG commands would fail since we donot have
> access to the $HOME folder in chroot.
>
> Make GNUPGHOME available to avoid failures due to permission issues.
>
> Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> ---
>
> Hi Baurzhan,
>
> This patch should fix the issue we are facing in CI.
>
> There is a job running successfully with this patchset at
> http://ci.isar-build.org:8080/job/isar_vkk_devel/10/consoleFull
>
>
> Thanks,
> Vijai Kumar K
>
> meta/recipes-devtools/base-apt/base-apt.bb | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/meta/recipes-devtools/base-apt/base-apt.bb
> b/meta/recipes-devtools/base-apt/base-apt.bb
> index 42ff782..9a0f7c8 100644
> --- a/meta/recipes-devtools/base-apt/base-apt.bb
> +++ b/meta/recipes-devtools/base-apt/base-apt.bb
> @@ -14,6 +14,10 @@ do_cache_config[lockfiles] =
> "${REPO_BASE_DIR}/isar.lock"
> # Generate reprepro config for current distro if it doesn't exist. Once
> it's
> # generated, this task should do nothing.
> repo_config() {
> + if [ -n "${GNUPGHOME}" ]; then
> + export GNUPGHOME="${GNUPGHOME}"
> + fi
> +
> if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
> sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
> ${WORKDIR}/distributions.in >
> ${CACHE_CONF_DIR}/distributions
> @@ -32,9 +36,6 @@ repo_config() {
> path_databases="${REPO_BASE_DB_DIR}/${BASE_DISTRO}"
>
> if [ ! -d "${path_databases}" ]; then
> - if [ -n "${GNUPGHOME}" ]; then
> - export GNUPGHOME="${GNUPGHOME}"
> - fi
> reprepro -b ${path_cache} \
> --dbdir ${path_databases} \
> export ${BASE_DISTRO_CODENAME}
> --
> 2.17.1
>
>
[-- Attachment #1.2: Type: text/html, Size: 6152 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] base-apt: Use gpg keyid instead of yes
2019-10-15 9:17 ` [PATCH v2] " vijaikumar.kanagarajan
2019-10-15 9:19 ` vijai kumar
2019-11-02 15:57 ` Baurzhan Ismagulov
@ 2019-11-19 16:40 ` Baurzhan Ismagulov
2 siblings, 0 replies; 14+ messages in thread
From: Baurzhan Ismagulov @ 2019-11-19 16:40 UTC (permalink / raw)
To: isar-users
On Tue, Oct 15, 2019 at 02:47:23PM +0530, vijaikumar.kanagarajan@gmail.com wrote:
> When using "SignWith: yes", reprepro uses the default gpg key
> of the system to sign the repo. The default gpg key might be
> different from what is specified in BASE_REPO_KEY, resulting
> in using a wrong key for signing.
>
> Derive and use the keyid from the keyfile supplied instead of
> a generic yes option.
Applied to next, thanks.
With kind regards,
Baurzhan.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] meta/base-apt: Fix build issue with CI
2019-11-05 10:33 ` [PATCH] meta/base-apt: Fix build issue with CI vijaikumar.kanagarajan
2019-11-05 18:10 ` vijai kumar
@ 2019-11-19 16:41 ` Baurzhan Ismagulov
1 sibling, 0 replies; 14+ messages in thread
From: Baurzhan Ismagulov @ 2019-11-19 16:41 UTC (permalink / raw)
To: isar-users
On Tue, Nov 05, 2019 at 04:03:14PM +0530, vijaikumar.kanagarajan@gmail.com wrote:
> CI triggers the build in a chrooted environment with userspec
> option set to host user. GPG commands would fail since we donot have
> access to the $HOME folder in chroot.
>
> Make GNUPGHOME available to avoid failures due to permission issues.
Applied to next, thanks.
With kind regards,
Baurzhan.
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2019-11-19 16:41 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-27 21:11 [PATCH] base-apt: Use gpg keyid instead of yes vijaikumar.kanagarajan
2019-09-30 6:17 ` Jan Kiszka
2019-09-30 8:42 ` Vijai Kumar K
2019-09-30 8:51 ` vijai kumar
2019-10-14 16:38 ` Henning Schild
2019-10-15 9:17 ` [PATCH v2] " vijaikumar.kanagarajan
2019-10-15 9:19 ` vijai kumar
2019-10-23 7:24 ` Vijai Kumar K
2019-11-02 15:57 ` Baurzhan Ismagulov
2019-11-02 16:37 ` vijai kumar
2019-11-05 10:33 ` [PATCH] meta/base-apt: Fix build issue with CI vijaikumar.kanagarajan
2019-11-05 18:10 ` vijai kumar
2019-11-19 16:41 ` Baurzhan Ismagulov
2019-11-19 16:40 ` [PATCH v2] base-apt: Use gpg keyid instead of yes Baurzhan Ismagulov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox