Date: Thu, 13 Jun 2019 09:55:29 -0700 (PDT)
From: "Amy_Fong@mentor.com"
To: isar-users
Subject: Re: base-apt signing interface could be improved
In-Reply-To: <20190606154558.7eea07bd@md1za8fc.ad001.siemens.net>
References: <20190606154558.7eea07bd@md1za8fc.ad001.siemens.net>

On Thursday, 6 June 2019 09:46:02 UTC-4, Henning Schild wrote:
>
> Hi,
>
> I just had a quick look at the implementation of the base-apt signing
> for the first time. The interface is not ideal and has potential for
> the signing key and the checking key not actually belonging together.
>
> As far as I understand the code I read, Isar will start signing
> base-apt if BASE_REPO_KEY is set to anything. The private key it will
> use to sign the repo is not specified at all, it will be whatever gnupg
> defaults to, given its configuration.
>
> I would suggest to switch from "SignWith yes" to "SignWith <keyid>",
> and derive the id from BASE_REPO_KEY.
>
> Further improvements would be to actually configure gnupg inside Isar
> and not rely on an outside configuration. Relying on the outside config
> means that all (multi)configs will have to use the same keypair.
> So we would add
>
> BASE_REPO_KEY_PRIVATE and ..._PASSPHRASE
>
> Now we would create a new gpg homedir next to where we store base-apt.
> We would import that one key there and potentially unlock it with its
> passphrase. If we clean and rebuild we get a working gpghome for sure.
>
> Henning
>

Hi,

Perhaps something like the following ...

Of course, since BASE_REPO_KEY permits specifying
multiple keys, this raises a question of which keyid?

Amy

>>From 5ceb4a2ef97bc7fa6c44cd9ce6f73f9a831773f3 Mon Sep 17 00:00:00 2001 From: Amy Fong Date: Thu, 13 Jun 2019 12:52:06 -0400 Subject: [PATCH] base-apt: Use BASE_REPO_KEY for signing Extract keyid from BASE_REPO_KEY for signing Signed-off-by: Amy Fong --- meta/recipes-devtools/base-apt/base-apt.bb | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb index 1c0b4c6..81245f7 100644 --- a/meta/recipes-devtools/base-apt/base-apt.bb +++ b/meta/recipes-devtools/base-apt/base-apt.bb @@ -19,8 +19,15 @@ do_cache_config() { sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ ${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions if [ "${BASE_REPO_KEY}" ] ; then + option="yes" + for key in ${BASE_REPO_KEY}; do + keyid=$(wget -qO - $key | gpg --keyid-format 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}') + if [ -n "$keyid" ]; then + option="$keyid" + fi + done # To generate Release.gpg - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions + echo "SignWith: $option" >> ${CACHE_CONF_DIR}/distributions fi fi -- 2.20.1
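
Review bot: the default option="yes" at the top of the added block means that when keyid extraction fails for every entry of BASE_REPO_KEY (wget -q and 2>/dev/null hide the reason), the recipe still writes "SignWith: yes" and signs with whatever key gnupg defaults to, which is the signing/checking key mismatch the change is meant to close; failing the task when keyid is empty would make that visible. The for loop also overwrites option on every iteration, so with several keys in BASE_REPO_KEY the last one that parses is chosen silently; either reject more than one entry or make the selection explicit. Two smaller points on the keyid line: a key file with more than one "pub:" record would put several ids into keyid and therefore into the SignWith line, and $key should be quoted in the wget call.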

