From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6699413522129879040 Date: Fri, 14 Jun 2019 06:50:58 -0700 (PDT) From: "Amy_Fong@mentor.com" To: isar-users Message-Id: In-Reply-To: <20190614102255.0c782b51@md1za8fc.ad001.siemens.net> References: <20190606154558.7eea07bd@md1za8fc.ad001.siemens.net> <20190614102255.0c782b51@md1za8fc.ad001.siemens.net> Subject: Re: base-apt signing interface could be improved MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_926_1701599054.1560520258605" X-Google-Token: EMLMjugFp3KL15q7mfU0 X-Google-IP: 192.94.38.34 X-TUID: 5Bpf6BHhDsGu ------=_Part_926_1701599054.1560520258605 Content-Type: multipart/alternative; boundary="----=_Part_927_880577435.1560520258606" ------=_Part_927_880577435.1560520258606 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On Friday, 14 June 2019 04:23:00 UTC-4, Henning Schild wrote: > > Am Thu, 13 Jun 2019 09:55:29 -0700 > schrieb "Amy_...@mentor.com " >: > > > On Thursday, 6 June 2019 09:46:02 UTC-4, Henning Schild wrote: > > > > > > Hi, > > > > > > i just had a quick look at the implementation of the base-apt > > > signing for the first time. The interface is not ideal and has > > > potential for the signing key and the checking key not actually > > > belonging together. > > > > > > As far as i understand the code i read, Isar will start signing > > > base-apt if BASE_REPO_KEY is set to anything. The private key it > > > will use to sign the repo is not specified at all, it will be > > > whatever gnupg defaults to, given its configuration. > > > > > > I would suggest to switch from "SignWith yes" to "SignWith > > > ", and derive the id from BASE_REPO_KEY. > > > > > > Further improvements would be to actually configure gnupg inside > > > Isar and not rely on an outside configuration. Relying on the > > > outside config means that all (multi)configs will have to use the > > > same keypair. So we would add > > > > > > BASE_REPO_KEY_PRIVATE and ..._PASSPHRASE > > > > > > Now we would create a new gpg homedir next to where we store > > > base-apt. We would import that one key there and potentially unlock > > > it with its passphrase. If we clean and rebuild we get a working > > > gpghome for sure. > > > > > > Henning > > > > > > > Hi, > > > > Perhaps something like the following ... > > > > Of course, since BASE_REPO_KEY permits specifying > > multiple keys, this raises a question of which keyid? > > Oh that is a nice hidden feature, indeed one can specify multiple keys > there. So that variable should be called BASE_REPO_KEYS instead. > > And yes reprepro also supports multiple values. So i guess your patch > is correct and it would probably sign the repo with all the keys > specified. > > Whether that is what we want is another question, and i am not sure > whether "yes" will also use all keys or just the default one. > > > Amy > > > > From 5ceb4a2ef97bc7fa6c44cd9ce6f73f9a831773f3 Mon Sep 17 00:00:00 2001 > > From: Amy Fong > > > Date: Thu, 13 Jun 2019 12:52:06 -0400 > > Subject: [PATCH] base-apt: Use BASE_REPO_KEY for signing > > > > Extract keyid from BASE_REPO_KEY for signing > > > > Signed-off-by: Amy Fong > > > --- > > meta/recipes-devtools/base-apt/base-apt.bb | 9 ++++++++- > > 1 file changed, 8 insertions(+), 1 deletion(-) > > > > diff --git a/meta/recipes-devtools/base-apt/base-apt.bb > > b/meta/recipes-devtools/base-apt/base-apt.bb > > index 1c0b4c6..81245f7 100644 > > --- a/meta/recipes-devtools/base-apt/base-apt.bb > > +++ b/meta/recipes-devtools/base-apt/base-apt.bb > > @@ -19,8 +19,15 @@ do_cache_config() { > > sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ > > ${WORKDIR}/distributions.in > > > ${CACHE_CONF_DIR}/distributions if [ "${BASE_REPO_KEY}" ] ; then > > + option="yes" > > maybe there is a better name for the variable? > > Henning > > > + for key in ${BASE_REPO_KEY}; do > > + keyid=$(wget -qO - $key | gpg --keyid-format 0xlong > > --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}') > > + if [ -n "$keyid" ]; then > > + option="$keyid" > > + fi > > + done > > # To generate Release.gpg > > - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions > > + echo "SignWith: $option" >> > > ${CACHE_CONF_DIR}/distributions fi > > fi > > > How about BASE_REPO_SIGN_KEY? commit 42ee1139e8383fc27e7d98be522cb4d306fd170c (HEAD -> apt_sign) Author: Amy Fong Date: Thu Jun 13 12:52:06 2019 -0400 base-apt: Use BASE_REPO_SIGN_KEY for signing Extract keyid from BASE_REPO_SIGN_KEY for signing Signed-off-by: Amy Fong diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb index 1c0b4c6..c896add 100644 --- a/meta/recipes-devtools/base-apt/base-apt.bb +++ b/meta/recipes-devtools/base-apt/base-apt.bb @@ -18,9 +18,14 @@ do_cache_config() { if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ ${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions - if [ "${BASE_REPO_KEY}" ] ; then + if [ "${BASE_REPO_SIGN_KEY}" ] ; then + option="yes" + keyid=$(wget -qO - "${BASE_REPO_SIGN_KEY}" | gpg --keyid-format 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}') + if [ -n "$keyid" ]; then + option="$keyid" + fi # To generate Release.gpg - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions + echo "SignWith: $option" >> ${CACHE_CONF_DIR}/distributions fi fi ------=_Part_927_880577435.1560520258606 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable


On Friday, 14 June 2019 04:23:00 UTC-4, Henning Sc= hild wrote:
Am Thu, 13 Jun 201= 9 09:55:29 -0700
schrieb "Amy_...@mentor.com" <amy.f...@gmail.com>:

> On Thursday, 6 June 2019 09:46:02 UTC-4, Henning Schild wrote:
> >
> > Hi,=20
> >
> > i just had a quick look at the implementation of the base-apt
> > signing for the first time. The interface is not ideal and ha= s
> > potential for the signing key and the checking key not actual= ly
> > belonging together.=20
> >
> > As far as i understand the code i read, Isar will start signi= ng=20
> > base-apt if BASE_REPO_KEY is set to anything. The private key= it
> > will use to sign the repo is not specified at all, it will be
> > whatever gnupg defaults to, given its configuration.=20
> >
> > I would suggest to switch from "SignWith yes" to &q= uot;SignWith
> > <keyid>", and derive the id from BASE_REPO_KEY.=20
> >
> > Further improvements would be to actually configure gnupg ins= ide
> > Isar and not rely on an outside configuration. Relying on the
> > outside config means that all (multi)configs will have to use= the
> > same keypair. So we would add=20
> >
> > BASE_REPO_KEY_PRIVATE and ..._PASSPHRASE=20
> >
> > Now we would create a new gpg homedir next to where we store
> > base-apt. We would import that one key there and potentially = unlock
> > it with its passphrase. If we clean and rebuild we get a work= ing
> > gpghome for sure.=20
> >
> > Henning=20
> > =C2=A0
>=20
> Hi,
>=20
> Perhaps something like the following ...=20
>=20
> Of course, since BASE_REPO_KEY permits specifying
> multiple keys, this raises a question of which keyid?

Oh that is a nice hidden feature, indeed one can specify multiple keys
there. So that variable should be called BASE_REPO_KEYS instead.

And yes reprepro also supports multiple values. So i guess your patch
is correct and it would probably sign the repo with all the keys
specified.

Whether that is what we want is another question, and i am not sure
whether "yes" will also use all keys or just the default one.

> Amy
>=20
> From 5ceb4a2ef97bc7fa6c44cd9ce6f73f9a831773f3 Mon Sep 17 00:0= 0:00 2001
> From: Amy Fong <Amy_...@mentor.com>
> Date: Thu, 13 Jun 2019 12:52:06 -0400
> Subject: [PATCH] base-apt: Use BASE_REPO_KEY for signing
>=20
> Extract keyid from BASE_REPO_KEY for signing
>=20
> Signed-off-by: Amy Fong <Amy_...@mentor.com>
> ---
> =C2=A0meta/recipes-devtools/base-apt/base-apt.bb | 9 ++++++++-
> =C2=A01 file changed, 8 insertions(+), 1 deletion(-)
>=20
> diff --git a/meta/recipes-devtools/base-apt/base-apt.bb=20
> b/meta/recipes-devtools/base-apt/base-apt.bb
> index 1c0b4c6..81245f7 100644
> --- a/meta/recipes-devtools/base-apt/base-apt.bb
> +++ b/meta/recipes-devtools/base-apt/base-apt.bb
> @@ -19,8 +19,15 @@ do_cache_config() {
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0sed -e "s#{CODENAME}#"= ${BASE_DISTRO_CODENAME}"#g" \
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0${WORKDIR}/distributions.in >
> ${CACHE_CONF_DIR}/distributions if [ "${BASE_REPO_KEY}&q= uot; ] ; then
> + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0option=3D"yes"= ;

maybe there is a better name for the variable?

Henning

> + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0for key in ${BASE_REPO_= KEY}; do
> + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0keyid=3D$= (wget -qO - $key | gpg --keyid-format 0xlong=20
> --with-colons - 2>/dev/null |grep "^pub:" |awk -F'= ;:' '{print $5;}')
> + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0if [ -n &= quot;$keyid" ]; then
> + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0option=3D"$keyid"
> + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0fi
> + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0done
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0# To generate Rele= ase.gpg
> - =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0echo "SignWith: ye= s" >> ${CACHE_CONF_DIR}/distributions
> + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0echo "SignWith: $o= ption" >>
> ${CACHE_CONF_DIR}/distributions fi
> =C2=A0 =C2=A0 =C2=A0fi
> =C2=A0

How about BASE_REPO_SIGN_KEY?

commit 42ee1139e8383fc27e7d98be522cb4d306fd170c (HEAD ->= ; apt_sign)
Author: Amy Fong <Amy_Fong@mentor.com>
Date:=C2=A0 =C2=A0Thu Jun 13 12:52:06 2019 -0400

=C2=A0 =C2=A0 base-apt: Use BASE_REPO_SIGN_KEY for signing
=C2= =A0 =C2=A0=C2=A0
=C2=A0 =C2=A0 Extract keyid from BASE_REPO_SIGN_= KEY for signing
=C2=A0 =C2=A0=C2=A0
=C2=A0 =C2=A0 Signe= d-off-by: Amy Fong <Amy_Fong@mentor.com>

dif= f --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtool= s/base-apt/base-apt.bb
index 1c0b4c6..c896add 100644
--= - a/meta/recipes-devtools/base-apt/base-apt.bb
+++ b/meta/recipes= -devtools/base-apt/base-apt.bb
@@ -18,9 +18,14 @@ do_cache_config= () {
=C2=A0 =C2=A0 =C2=A0if [ ! -e "${CACHE_CONF_DIR}/distri= butions" ]; then
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0sed -e &q= uot;s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
= =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0${WORKDIR}/distributions.in= > ${CACHE_CONF_DIR}/distributions
-=C2=A0 =C2=A0 =C2=A0 =C2= =A0 if [ "${BASE_REPO_KEY}" ] ; then
+=C2=A0 =C2=A0 =C2= =A0 =C2=A0 if [ "${BASE_REPO_SIGN_KEY}" ] ; then
+=C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 option=3D"yes"
+= =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 keyid=3D$(wget -qO - "${BASE= _REPO_SIGN_KEY}" | gpg --keyid-format 0xlong --with-colons - 2>/dev= /null |grep "^pub:" |awk -F':' '{print $5;}')
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 if [ -n "$keyid"= ; ]; then
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 option=3D"$keyid"
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 fi
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0# T= o generate Release.gpg
-=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 echo "SignWith: $op= tion" >> ${CACHE_CONF_DIR}/distributions
=C2=A0 =C2=A0= =C2=A0 =C2=A0 =C2=A0fi
=C2=A0 =C2=A0 =C2=A0fi
=C2=A0

------=_Part_927_880577435.1560520258606-- ------=_Part_926_1701599054.1560520258605--