Subject: Re: base-apt signing interface could be improved
To: "[ext] Henning Schild" , "Amy_Fong@mentor.com"
Cc: isar-users
From: Claudius Heine
Message-ID: <51ca3229-73cd-20d6-2c8d-722a4311d13e@siemens.com>
Date: Mon, 17 Jun 2019 13:36:27 +0200

Hi,

On 17/06/2019 13.19, [ext] Henning Schild wrote:
> On Fri, 14 Jun 2019 06:50:58 -0700, "Amy_Fong@mentor.com" wrote:
>
>> On Friday, 14 June 2019 04:23:00 UTC-4, Henning Schild wrote:
>>>
>>> On Thu, 13 Jun 2019 09:55:29 -0700, "Amy_...@mentor.com" wrote:
>>>
>>>> On Thursday, 6 June 2019 09:46:02 UTC-4, Henning Schild wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> i just had a quick look at the implementation of the base-apt
>>>>> signing for the first time. The interface is not ideal and has
>>>>> potential for the signing key and the checking key not actually
>>>>> belonging together.
>>>>>
>>>>> As far as i understand the code i read, Isar will start signing
>>>>> base-apt if BASE_REPO_KEY is set to anything. The private key
>>>>> it will use to sign the repo is not specified at all, it will
>>>>> be whatever gnupg defaults to, given its configuration.
>>>>>
>>>>> I would suggest to switch from "SignWith yes" to "SignWith ",
>>>>> and derive the id from BASE_REPO_KEY.
>>>>>
>>>>> Further improvements would be to actually configure gnupg
>>>>> inside Isar and not rely on an outside configuration. Relying
>>>>> on the outside config means that all (multi)configs will have
>>>>> to use the same keypair. So we would add
>>>>>
>>>>> BASE_REPO_KEY_PRIVATE and ..._PASSPHRASE
>>>>>
>>>>> Now we would create a new gpg homedir next to where we store
>>>>> base-apt. We would import that one key there and potentially
>>>>> unlock it with its passphrase. If we clean and rebuild we get a
>>>>> working gpghome for sure.
>>>>>
>>>>> Henning
>>>>>
>>>>
>>>> Hi,
>>>>
>>>> Perhaps something like the following ...
>>>>
>>>> Of course, since BASE_REPO_KEY permits specifying
>>>> multiple keys, this raises a question of which keyid?
>>>
>>> Oh that is a nice hidden feature, indeed one can specify multiple
>>> keys there. So that variable should be called BASE_REPO_KEYS
>>> instead.
>>>
>>> And yes reprepro also supports multiple values. So i guess your
>>> patch is correct and it would probably sign the repo with all the
>>> keys specified.
>>>
>>> Whether that is what we want is another question, and i am not sure
>>> whether "yes" will also use all keys or just the default one.
>>>
>>>> Amy
>>>>
>>>> From 5ceb4a2ef97bc7fa6c44cd9ce6f73f9a831773f3 Mon Sep 17 00:00:00 >>>> 2001 From: Amy Fong > >>>> Date: Thu, 13 Jun 2019 12:52:06 -0400 >>>> Subject: [PATCH] base-apt: Use BASE_REPO_KEY for signing >>>> >>>> Extract keyid from BASE_REPO_KEY for signing >>>> >>>> Signed-off-by: Amy Fong > >>>> --- >>>> meta/recipes-devtools/base-apt/base-apt.bb | 9 ++++++++- >>>> 1 file changed, 8 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/meta/recipes-devtools/base-apt/base-apt.bb >>>> b/meta/recipes-devtools/base-apt/base-apt.bb >>>> index 1c0b4c6..81245f7 100644 >>>> --- a/meta/recipes-devtools/base-apt/base-apt.bb >>>> +++ b/meta/recipes-devtools/base-apt/base-apt.bb 
>>>> @@ -19,8 +19,15 @@ do_cache_config() { >>>> sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ >>>> ${WORKDIR}/distributions.in > >>>> ${CACHE_CONF_DIR}/distributions if [ "${BASE_REPO_KEY}" ] ; then >>>> + option="yes" >>> >>> maybe there is a better name for the variable? >>> >>> Henning >>> >>>> + for key in ${BASE_REPO_KEY}; do >>>> + keyid=$(wget -qO - $key | gpg --keyid-format >>>> 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' >>>> '{print $5;}') >>>> + if [ -n "$keyid" ]; then >>>> + option="$keyid" >>>> + fi >>>> + done >>>> # To generate Release.gpg >>>> - echo "SignWith: yes" >> >>>> ${CACHE_CONF_DIR}/distributions >>>> + echo "SignWith: $option" >> >>>> ${CACHE_CONF_DIR}/distributions fi >>>> fi >>>> >>> >> >> How about BASE_REPO_SIGN_KEY? > > I do not understand what you are trying to solve with changing that > name and going back to one-key-only, after you have found that > BASE_REPO_KEY is indeed an array and reprepro also accepts an array. > > Now we need to know what "yes", compared to the array. > > And any tiny patch like this one, without a proper commit message and > description, is not going to lead anywhere good. > > You guys are doing the full story. kas, signed base-apt, multiple keys, > agent-forwarding ... > After you are done you should have a clear picture of what currently > does not work as expected, and how it can be fixes (your initial > implementation). > We can then discuss that implementation and incorporate a full patch > series including docs into kas and Isar. > >> commit 42ee1139e8383fc27e7d98be522cb4d306fd170c (HEAD -> apt_sign) >> Author: Amy Fong >> Date: Thu Jun 13 12:52:06 2019 -0400 >> >> base-apt: Use BASE_REPO_SIGN_KEY for signing >> >> Extract keyid from BASE_REPO_SIGN_KEY for signing >> >> Signed-off-by: Amy Fong >> >> diff --git a/meta/recipes-devtools/base-apt/base-apt.bb >> b/meta/recipes-devtools/base-apt/base-apt.bb >> index 1c0b4c6..c896add 100644 
>> --- a/meta/recipes-devtools/base-apt/base-apt.bb >> +++ b/meta/recipes-devtools/base-apt/base-apt.bb >> @@ -18,9 +18,14 @@ do_cache_config() { >> if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then >> sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ >> ${WORKDIR}/distributions.in > >> ${CACHE_CONF_DIR}/distributions >> - if [ "${BASE_REPO_KEY}" ] ; then >> + if [ "${BASE_REPO_SIGN_KEY}" ] ; then >> + option="yes" >> + keyid=$(wget -qO - "${BASE_REPO_SIGN_KEY}" | gpg > > Using wget, but that is most likely a "file:///" URI. And whenever you > do networking in a task, you need to take care of proxies. Fetching should not be done like this anyway. If something needs to be fetched then it should be part of the SRC_URI and be fetched by the do_fetch task. The reasons for this are offline reproducibility among others. regards, Claudius > > Henning > >> --keyid-format 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk >> -F':' '{print $5;}') >> + if [ -n "$keyid" ]; then >> + option="$keyid" >> + fi >> # To generate Release.gpg >> - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions >> + echo "SignWith: $option" >> >> ${CACHE_CONF_DIR}/distributions fi >> fi >> >> > -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de
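
Review bot: In the first patch's hunk (index 1c0b4c6..81245f7), `option="$keyid"` inside `for key in ${BASE_REPO_KEY}` is overwritten on every iteration, so when several keys are listed only the last key id that resolves reaches `SignWith:` and the signing key depends on list order. If the repo is meant to be signed with all listed keys, append each id to the value instead (the thread notes that reprepro accepts multiple values); if only one key should sign, reject a multi-entry list rather than picking the last one.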
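
Review bot: In the second patch's hunk (index 1c0b4c6..c896add), `option` stays at "yes" whenever the `wget | gpg | grep | awk` pipeline yields nothing, because stderr is discarded with `2>/dev/null` and no exit status is checked; a missing or unreadable key file therefore falls back silently to `SignWith: yes` and gnupg's default key, which is the signing/checking key mismatch this thread set out to remove. Fail the task when `keyid` is empty instead of defaulting. Two smaller points on the same lines: a key file holding more than one public key makes `grep "^pub:"` return several ids, which `echo "SignWith: $option"` then writes as a multi-line field, and field 5 of the `pub:` record is only the 64-bit key id, while the fingerprint in the `fpr:` record that follows identifies the key unambiguously.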
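
One way to derive the `SignWith:` value proposed at the start of this thread, as an added example that is not Isar code and not part of any message above. It goes slightly beyond the patches by emitting full fingerprints for every primary key and by failing instead of falling back to "yes"; the function names and the key listing are constructed, and the listing is assumed to come from a key file already fetched locally (for example via `gpg --show-keys --with-colons` on a recent GnuPG).

```shell
# Added example, not Isar code. Input on stdin: a `gpg --with-colons`
# listing of the public key file(s) named in BASE_REPO_KEY.

# signwith_line: print "SignWith: <fpr> [<fpr> ...]" and return 0,
# or print nothing and return 1 when the listing has no primary key.
signwith_line() {
    awk -F: '
        $1 == "pub" { want = 1; next }   # next fpr belongs to a primary key
        $1 == "sub" { want = 0; next }   # ignore subkey fingerprints
        $1 == "fpr" && want {
            # accept only a plain hex fingerprint, so nothing else can
            # end up in the distributions file
            if ($10 ~ /^[0-9A-Fa-f]+$/ && length($10) >= 40)
                fprs = fprs " " $10
            want = 0
        }
        END {
            if (fprs == "") exit 1
            print "SignWith:" fprs
        }
    '
}

# append_signwith FILE: append the line to FILE, or fail without writing.
append_signwith() {
    line=$(signwith_line) || {
        echo "no usable public key, refusing to fall back to 'SignWith: yes'" >&2
        return 1
    }
    printf '%s\n' "$line" >> "$1"
}

# Constructed listing: two public keys, the first one with a subkey.
SAMPLE_KEYS='pub:-:4096:1:1111111111111111:1560000000:::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:-::::1560000000::0000::Constructed Key One <one@example.invalid>::::::::::0:
sub:-:4096:1:2222222222222222:1560000000::::::e::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
pub:-:4096:1:3333333333333333:1560000000:::-:::scESC::::::23::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
uid:-::::1560000000::0000::Constructed Key Two <two@example.invalid>::::::::::0:'

printf '%s\n' "$SAMPLE_KEYS" | signwith_line
```

Because the function reads a listing from stdin, the task itself needs no network access, in line with fetching the key through SRC_URI.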