Subject: Re: [PATCH] base-apt: Use gpg keyid instead of yes
From: Jan Kiszka
To: vijaikumar.kanagarajan@gmail.com, isar-users@googlegroups.com, henning.schild@siemens.com, claudius.heine.ext@siemens.com
Cc: Amy_Fong@mentor.com, Vijai Kumar K
Date: Mon, 30 Sep 2019 08:17:00 +0200
Message-ID: <49311e01-52f4-0ae8-ac95-a297e1343a20@siemens.com>
In-Reply-To: <20190927211112.29379-1-Vijaikumar_Kangarajan@mentor.com>

On 27.09.19 23:11, vijaikumar.kanagarajan@gmail.com wrote:
> From: Vijai Kumar K > > When using "SignWith: yes", reprepro uses the default gpg key > of the system to sign the repo. The default gpg key might be > different from what is specified in BASE_REPO_KEY, resulting > in using a wrong key for signing. > > Derive and use the keyid from the keyfile supplied instead of > a generic yes option. > > Suggested-by: Amy Fong > Signed-off-by: Vijai Kumar K > --- > meta/recipes-devtools/base-apt/base-apt.bb | 22 +++++++++++++++++++--- > 1 file changed, 19 insertions(+), 3 deletions(-) > > diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb > index 74189f1..c74be86 100644 > --- a/meta/recipes-devtools/base-apt/base-apt.bb > +++ b/meta/recipes-devtools/base-apt/base-apt.bb > @@ -4,6 +4,7 @@ > SRC_URI = "file://distributions.in" > > BASE_REPO_KEY ?= "" > +KEYFILES ?= "" > > CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf" > do_cache_config[dirs] = "${CACHE_CONF_DIR}" > @@ -12,13 +13,18 @@ do_cache_config[lockfiles] = "${REPO_BASE_DIR}/isar.lock" > > # Generate reprepro config for current distro if it doesn't exist. Once it's > # generated, this task should do nothing. > -do_cache_config() { > +repo_config() { > if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then > sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ > ${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions > - if [ "${BASE_REPO_KEY}" ] ; then > + if [ -n "${KEYFILES}" ]; then > + option="" > + for key in ${KEYFILES}; do > + keyid=$(cat ${key} | gpg --keyid-format 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}') I hope this parsing is stable... > + option="${option}${keyid} " > + done > # To generate Release.gpg > - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions > + echo "SignWith: ${option}" >> ${CACHE_CONF_DIR}/distributions > fi > fi 
> > @@ -35,4 +41,14 @@ do_cache_config() { > fi > } > > +python do_cache_config() { > + for key in d.getVar('BASE_REPO_KEY').split(): > + d.appendVar("SRC_URI", " %s" % key) > + fetcher = bb.fetch2.Fetch([key], d) I wonder if that magically addresses the case that changing key file content should also trigger rebuilds. Similar to https://github.com/ilbers/isar/issues/60. > + filename = fetcher.localpath(key) > + d.appendVar("KEYFILES", " %s" % filename) > + > + bb.build.exec_func('repo_config', d) > +} > + > addtask cache_config after do_build >

Looks good - if the keyid extraction is actually robust.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
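
Review bot: `KEYFILES ?= ""` in the first hunk gives a weak default to a variable that the new do_cache_config fills in itself from BASE_REPO_KEY. With `?=`, a value already set in configuration is kept, and its entries go through the `for key in ${KEYFILES}` loop next to the fetched ones, so they end up in SignWith without having been listed in BASE_REPO_KEY. If KEYFILES is internal state, a plain assignment and a less generic name would make that clear, with a comment saying BASE_REPO_KEY is the setting users are expected to touch.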
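
Review bot: The `keyid=$(cat ${key} | gpg ... 2>/dev/null | grep "^pub:" | awk ...)` line in the repo_config hunk never checks its result. If gpg cannot read the file or prints no `pub:` record, `keyid` is empty, the error text is discarded by `2>/dev/null`, and `echo "SignWith: ${option}"` still writes a line with an empty or partial key list, so the wrong-key problem the commit message describes turns into a silent no-key or missing-key one. A key file holding more than one `pub:` record is the other case: `keyid` then contains newlines, and the quoted echo writes them into the distributions file as extra lines. Suggest testing `[ -n "${keyid}" ]` inside the loop and failing the task with the key file name in the message, collapsing the ids onto one line before appending, and quoting `"${key}"`.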
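
Review bot: In the python do_cache_config hunk, `d.appendVar("SRC_URI", " %s" % key)` and `d.appendVar("KEYFILES", ...)` run inside the task body, so the key files are only added once the task is already executing. Nothing in the visible lines declares them as inputs beforehand, which is the rebuild question raised inline, and the unchanged `if [ ! -e "${CACHE_CONF_DIR}/distributions" ]` guard in repo_config means an existing distributions file keeps its old SignWith line even when the key changes. It would be worth stating in the commit message how a changed key is expected to propagate, or handling it explicitly. Separately, `fetcher.localpath(key)` is used without any check that the path exists; a mistyped BASE_REPO_KEY entry would only show up later as the silently failing `cat ${key}` in repo_config, so an existence check with a clear error here would help.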