public inbox for isar-users@googlegroups.com
* [PATCH v3 0/2] Fix gpg bootstrap when not signed
@ 2019-11-18 17:08 Baurzhan Ismagulov
  2019-11-18 17:08 ` [PATCH v3 1/2] ci: always test signed and unsigned repo builds Baurzhan Ismagulov
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Baurzhan Ismagulov @ 2019-11-18 17:08 UTC (permalink / raw)
  To: isar-users

Changes in v3:

- 0001:
  - Remove trailing white space.
  - Change tabs to spaces.
  - Added "signed" / "unsigned" to the comments, identical comments before
    different code is confusing.
- 0002:
  - Call test once.
  - Fix a typo in the commit message.



* [PATCH v3 1/2] ci: always test signed and unsigned repo builds
  2019-11-18 17:08 [PATCH v3 0/2] Fix gpg bootstrap when not signed Baurzhan Ismagulov
@ 2019-11-18 17:08 ` Baurzhan Ismagulov
  2019-11-18 17:08 ` [PATCH v3 2/2] bootstrap: really fix gpg bootstrap when not signed Baurzhan Ismagulov
  2019-11-18 17:55 ` [PATCH v3 0/2] Fix " Henning Schild
  2 siblings, 0 replies; 4+ messages in thread
From: Baurzhan Ismagulov @ 2019-11-18 17:08 UTC (permalink / raw)
  To: isar-users

From: Henning Schild <henning.schild@siemens.com>

Just split the target set we had into two. Test the first signed and the
other one unsigned.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 .gitlab-ci.yml      |  2 +-
 scripts/ci_build.sh | 43 ++++++++++++++++++++++++++++---------------
 2 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index dd6e12b..1437bd7 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -32,7 +32,7 @@ full-ci:
     - PREVIOUS_SHA="$(cat .CI_COMMIT_SHA || true)"
     - if [ "$CI_COMMIT_SHA" != "$PREVIOUS_SHA" ]; then
           echo "$CI_COMMIT_SHA" > .CI_COMMIT_SHA;
-          scripts/ci_build.sh -q -c -r -s;
+          scripts/ci_build.sh -q -c -r;
       fi
   cache:
     key: "$CI_COMMIT_REF_SLUG"
diff --git a/scripts/ci_build.sh b/scripts/ci_build.sh
index ecaa88a..7926221 100755
--- a/scripts/ci_build.sh
+++ b/scripts/ci_build.sh
@@ -50,13 +50,14 @@ CROSS_TARGETS_SET="\
                   mc:de0-nano-soc-stretch:isar-image-base \
                   mc:rpi-stretch:isar-image-base"
 
-REPRO_TARGETS_SET="\
+REPRO_TARGETS_SET_SIGNED="\
             mc:qemuarm-stretch:isar-image-base \
-            mc:qemuarm64-stretch:isar-image-base \
+            mc:qemuarm64-stretch:isar-image-base"
+
+REPRO_TARGETS_SET="\
             mc:qemuamd64-stretch:isar-image-base \
             mc:qemuarm-buster:isar-image-base"
 
-
 show_help() {
     echo "This script builds the default Isar images."
     echo
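Review bot: after the split at the top of this hunk, `REPRO_TARGETS_SET` holds only the targets that are built unsigned, but its name no longer says so next to `REPRO_TARGETS_SET_SIGNED`. Renaming it to `REPRO_TARGETS_SET_UNSIGNED` would make the pairing obvious where the two sets are used later in the script.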
@@ -70,7 +71,7 @@ show_help() {
     echo "    -d, --debug              enable debug bitbake output."
     echo "    -f, --fast               cross build reduced set of configurations."
     echo "    -q, --quiet              suppress verbose bitbake output."
-    echo "    -r, --repro [-s, --sign] enable use of cached base repository with optional signing."
+    echo "    -r, --repro              enable use of cached base repository."
     echo "    --help                   display this message and exit."
     echo
     echo "Exit status:"
@@ -109,8 +110,10 @@ do
         ;;
     -r|--repro)
         REPRO_BUILD="1"
+        # This switch is deprecated, just here to not cause failing CI on
+        # legacy configs
         case "$2" in
-        -s|--sign) SIGN_REPO='1'; shift ;;
+        -s|--sign) shift ;;
         esac
         ;;
     *)
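Review bot: the "This switch is deprecated" comment sits directly under `-r|--repro)` and `REPRO_BUILD="1"`, so it reads as if `-r` itself were deprecated; it belongs on the `-s|--sign) shift ;;` line. Since `-s` is now silently swallowed, printing a one-line deprecation warning to stderr in that branch would tell owners of legacy configs that the flag no longer selects anything.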
@@ -133,24 +136,34 @@ if [ -n "$CROSS_BUILD" ]; then
 fi
 
 if [ -n "$REPRO_BUILD" ]; then
-    if [ -n "$SIGN_REPO" ]; then
-        ISAR_TESTSUITE_GPG_PUB_KEY_FILE="$ISARROOT/testsuite/base-apt/test_pub.key"
-        ISAR_TESTSUITE_GPG_PRIV_KEY_FILE="$ISARROOT/testsuite/base-apt/test_priv.key"
-        export GNUPGHOME=$(mktemp -d)
-        gpg --import $ISAR_TESTSUITE_GPG_PUB_KEY_FILE $ISAR_TESTSUITE_GPG_PRIV_KEY_FILE
-        echo BASE_REPO_KEY=\"file://$ISAR_TESTSUITE_GPG_PUB_KEY_FILE\" >> conf/local.conf
-    fi
-    # Enable use of cached base repository
+    ISAR_TESTSUITE_GPG_PUB_KEY_FILE="$ISARROOT/testsuite/base-apt/test_pub.key"
+    ISAR_TESTSUITE_GPG_PRIV_KEY_FILE="$ISARROOT/testsuite/base-apt/test_priv.key"
+    export GNUPGHOME=$(mktemp -d)
+    gpg --import $ISAR_TESTSUITE_GPG_PUB_KEY_FILE $ISAR_TESTSUITE_GPG_PRIV_KEY_FILE
+
+    # Enable use of signed cached base repository
+    echo BASE_REPO_KEY=\"file://$ISAR_TESTSUITE_GPG_PUB_KEY_FILE\" >> conf/local.conf
+    bitbake $BB_ARGS -c cache_base_repo $REPRO_TARGETS_SET_SIGNED
+    while [ -e bitbake.sock ]; do sleep 1; done
+    sudo rm -rf tmp
+    sed -i -e 's/#ISAR_USE_CACHED_BASE_REPO ?= "1"/ISAR_USE_CACHED_BASE_REPO ?= "1"/g' conf/local.conf
+    bitbake $BB_ARGS $REPRO_TARGETS_SET_SIGNED
+    while [ -e bitbake.sock ]; do sleep 1; done
+    # Cleanup and disable use of signed cached base repository
+    sudo rm -rf tmp
+    sed -i -e 's/ISAR_USE_CACHED_BASE_REPO ?= "1"/#ISAR_USE_CACHED_BASE_REPO ?= "1"/g' conf/local.conf
+    sed -i -e 's/^BASE_REPO_KEY/#BASE_REPO_KEY/g' conf/local.conf
+
+    # Enable use of unsigned cached base repository
     bitbake $BB_ARGS -c cache_base_repo $REPRO_TARGETS_SET
     while [ -e bitbake.sock ]; do sleep 1; done
     sudo rm -rf tmp
     sed -i -e 's/#ISAR_USE_CACHED_BASE_REPO ?= "1"/ISAR_USE_CACHED_BASE_REPO ?= "1"/g' conf/local.conf
     bitbake $BB_ARGS $REPRO_TARGETS_SET
     while [ -e bitbake.sock ]; do sleep 1; done
-    # Cleanup and disable use of cached base repository
+    # Cleanup and disable use of unsigned cached base repository
     sudo rm -rf tmp
     sed -i -e 's/ISAR_USE_CACHED_BASE_REPO ?= "1"/#ISAR_USE_CACHED_BASE_REPO ?= "1"/g' conf/local.conf
-    sed -i -e 's/^BASE_REPO_KEY/#BASE_REPO_KEY/g' conf/local.conf
 fi
 
 sed -i -e 's/#IMAGE_INSTALL += "isar-disable-apt-cache"/IMAGE_INSTALL += "isar-disable-apt-cache"/g' conf/local.conf
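Review bot: in the `if [ -n "$REPRO_BUILD" ]` block, `export GNUPGHOME=$(mktemp -d)` stays exported through the unsigned pass and the directory is never removed, so the second build still runs with the test private key imported and the temporary keyring is left behind. Consider `unset GNUPGHOME` and removing the directory right after the signed cleanup, so the unsigned case is exercised with no key material present. The signed and unsigned passes are otherwise line-for-line duplicates apart from the target set, and a small helper taking the target set as its argument would keep them in sync. The unquoted `$ISAR_TESTSUITE_GPG_PUB_KEY_FILE` and `$ISAR_TESTSUITE_GPG_PRIV_KEY_FILE` arguments to `gpg --import` will also split if `$ISARROOT` contains spaces.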
-- 
2.20.1



* [PATCH v3 2/2] bootstrap: really fix gpg bootstrap when not signed
  2019-11-18 17:08 [PATCH v3 0/2] Fix gpg bootstrap when not signed Baurzhan Ismagulov
  2019-11-18 17:08 ` [PATCH v3 1/2] ci: always test signed and unsigned repo builds Baurzhan Ismagulov
@ 2019-11-18 17:08 ` Baurzhan Ismagulov
  2019-11-18 17:55 ` [PATCH v3 0/2] Fix " Henning Schild
  2 siblings, 0 replies; 4+ messages in thread
From: Baurzhan Ismagulov @ 2019-11-18 17:08 UTC (permalink / raw)
  To: isar-users

From: Henning Schild <henning.schild@siemens.com>

ef5255a8f8006e6f4 fixed one case but broke another. The existence of the
key file does not mean that it actually contains our bootstrap keys. It
contains keys from multiple sources.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index b506f30..d614d9a 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -233,7 +233,8 @@ isar_bootstrap() {
     debootstrap_args="--verbose --variant=minbase --include=${DISTRO_BOOTSTRAP_BASE_PACKAGES}"
     if [ -f "${DISTRO_BOOTSTRAP_KEYRING}" ]; then
         debootstrap_args="$debootstrap_args --keyring=${DISTRO_BOOTSTRAP_KEYRING}"
-    else
+    fi
+    if [ "${ISAR_USE_CACHED_BASE_REPO}" = "1" -a -z "${BASE_REPO_KEY}" ]; then
         debootstrap_args="$debootstrap_args --no-check-gpg"
     fi
     E="${@ isar_export_proxies(d)}"
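Review bot: the new `if [ "${ISAR_USE_CACHED_BASE_REPO}" = "1" -a -z "${BASE_REPO_KEY}" ]` line has no comment, and `--no-check-gpg` turns off signature verification for the bootstrap, so the reason it is restricted to a cached base repo without a key should be stated next to it. With the `else` gone, `--keyring` and `--no-check-gpg` can now both be appended when the keyring file exists; a short comment saying this is intended would help the next reader. `-a` inside `[ ]` is flagged by shellcheck, and `[ ... ] && [ ... ]` is the equivalent form.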
-- 
2.20.1



* Re: [PATCH v3 0/2] Fix gpg bootstrap when not signed
  2019-11-18 17:08 [PATCH v3 0/2] Fix gpg bootstrap when not signed Baurzhan Ismagulov
  2019-11-18 17:08 ` [PATCH v3 1/2] ci: always test signed and unsigned repo builds Baurzhan Ismagulov
  2019-11-18 17:08 ` [PATCH v3 2/2] bootstrap: really fix gpg bootstrap when not signed Baurzhan Ismagulov
@ 2019-11-18 17:55 ` Henning Schild
  2 siblings, 0 replies; 4+ messages in thread
From: Henning Schild @ 2019-11-18 17:55 UTC (permalink / raw)
  To: Baurzhan Ismagulov; +Cc: isar-users

Thanks for the fixes. Looks good to me.

On Mon, 18 Nov 2019 18:08:48 +0100,
Baurzhan Ismagulov <ibr@radix50.net> wrote:

> Changes in v3:
> 
> - 0001:
>   - Remove trailing white space.
>   - Change tabs to spaces.
>   - Added "signed" / "unsigned" to the comments, identical comments
>     before different code is confusing.
> - 0002:
>   - Call test once.

I recently started linting my shell code with shellcheck. It would not
like that, but it is fine with me.

Henning

>   - Fix a typo in the commit message.
> 

