On Monday, September 30, 2019 at 2:12:34 PM UTC+5:30, vijai kumar wrote: > > On Mon, Sep 30, 2019 at 08:17:00AM +0200, Jan Kiszka wrote: > > On 27.09.19 23:11, vijaikumar.kanagarajan@gmail.com wrote: > > > From: Vijai Kumar K > > > > > > When using "SignWith: yes", reprepro uses the default gpg key > > > of the system to sign the repo. The default gpg key might be > > > different from what is specified in BASE_REPO_KEY, resulting > > > in using a wrong key for signing. > > > > > > Derive and use the keyid from the keyfile supplied instead of > > > a generic yes option. > > > > > > Suggested-by: Amy Fong > > > Signed-off-by: Vijai Kumar K > > > --- > > > meta/recipes-devtools/base-apt/base-apt.bb | 22 > +++++++++++++++++++--- > > > 1 file changed, 19 insertions(+), 3 deletions(-) > > > > > > diff --git a/meta/recipes-devtools/base-apt/base-apt.bb > b/meta/recipes-devtools/base-apt/base-apt.bb > > > index 74189f1..c74be86 100644 > > > --- a/meta/recipes-devtools/base-apt/base-apt.bb > > > +++ b/meta/recipes-devtools/base-apt/base-apt.bb > > > @@ -4,6 +4,7 @@ > > > SRC_URI = "file://distributions.in" > > > BASE_REPO_KEY ?= "" > > > +KEYFILES ?= "" > > > CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf" > > > do_cache_config[dirs] = "${CACHE_CONF_DIR}" > > > @@ -12,13 +13,18 @@ do_cache_config[lockfiles] = > "${REPO_BASE_DIR}/isar.lock" > > > # Generate reprepro config for current distro if it doesn't exist. > Once it's > > > # generated, this task should do nothing. > > > -do_cache_config() { > > > +repo_config() { > > > if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then > > > sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ > > > ${WORKDIR}/distributions.in > > ${CACHE_CONF_DIR}/distributions > > > - if [ "${BASE_REPO_KEY}" ] ; then > > > + if [ -n "${KEYFILES}" ]; then > > > + option="" > > > + for key in ${KEYFILES}; do > > > + keyid=$(cat ${key} | gpg --keyid-format 0xlong > --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}') > > > > I hope this parsing is stable... > > Having used it for quite sometime I dont see an issue. It would be better > if we error out if the key is not present > in the system. Will add it in v2. > On a second thought that condition check is unnecessary at this point. It could just fail at signing when it is not able to find the key. So no V2. > > > > > > + option="${option}${keyid} " > > > + done > > > # To generate Release.gpg > > > - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions > > > + echo "SignWith: ${option}" >> > ${CACHE_CONF_DIR}/distributions > > > fi > > > fi > > > @@ -35,4 +41,14 @@ do_cache_config() { > > > fi > > > } > > > +python do_cache_config() { > > > + for key in d.getVar('BASE_REPO_KEY').split(): > > > + d.appendVar("SRC_URI", " %s" % key) > > > + fetcher = bb.fetch2.Fetch([key], d) > > > > I wonder if that magically addresses the case that changing key file > content > > should also trigger rebuilds. Similar to > > https://github.com/ilbers/isar/issues/60. > > Not sure about that. May be some testing would reveal it. > > > > > > + filename = fetcher.localpath(key) > > > + d.appendVar("KEYFILES", " %s" % filename) > > > + > > > + bb.build.exec_func('repo_config', d) > > > +} > > > + > > > addtask cache_config after do_build > > > > > > > Looks good - if the keyid extraction if actually robust. > > > > Thanks, > Vijai Kumar K > > > Jan > > > > -- > > Siemens AG, Corporate Technology, CT RDA IOT SES-DE > > Corporate Competence Center Embedded Linux >