[v4,2/2] oeqa/selftest/cases/signing.py: Re-enable self-test

Message ID 20250131064352.2613105-2-zboszor@gmail.com
State New
Series [v4,1/2] rpm-sequoia: New recipe for version 1.7.0

Commit Message

Zoltán Böszörményi Jan. 31, 2025, 6:43 a.m. UTC
Enable building rpm with rpm-sequoia for the test.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 meta/lib/oeqa/selftest/cases/signing.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Mathieu Dubois-Briand Feb. 1, 2025, 2:37 p.m. UTC | #1
On Fri Jan 31, 2025 at 7:43 AM CET, Zoltán Böszörményi wrote:
> Enable building rpm with rpm-sequoia for the test.
>
> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> ---

Sorry, I still get some errors while building:

2025-02-01 14:28:32,979 - oe-selftest - INFO - 9: 40/54 602/618 (56.20s) (0 failed) (signing.Signing.test_signing_packages)
2025-02-01 14:28:32,979 - oe-selftest - INFO - testtools.testresult.real._StringException: Traceback (most recent call last):
  File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/selftest/cases/signing.py", line 113, in test_signing_packages
    runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' %
  File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/utils/commands.py", line 214, in runCmd
    raise AssertionError("Command '%s' returned non-zero exit status %d:\n%s" % (command, result.status, exc_output))
AssertionError: Command '/srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/tmp/work/core2-64-poky-linux/ed/1.20.2/recipe-sysroot-native/usr/bin/rpmkeys --define "_dbpath /tmp/oeqa-rpmdbsj05eco3" --import /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub' returned non-zero exit status 1:
error: Certificate 7B31316B5D64AD52:
  Policy rejects 7B31316B5D64AD52: No binding signature at time 2025-02-01T14:28:26Z
error: /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub: key 1 import failed.

https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/893/steps/14/logs/stdio

Do you mind having a look at this ?

Zoltán Böszörményi Feb. 2, 2025, 8:44 a.m. UTC | #2
On 2025. 02. 01. 15:37, Mathieu Dubois-Briand wrote:
> On Fri Jan 31, 2025 at 7:43 AM CET, Zoltán Böszörményi wrote:
>> Enable building rpm with rpm-sequoia for the test.
>>
>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>> ---
> Sorry, I still get some errors while building:
>
> 2025-02-01 14:28:32,979 - oe-selftest - INFO - 9: 40/54 602/618 (56.20s) (0 failed) (signing.Signing.test_signing_packages)
> 2025-02-01 14:28:32,979 - oe-selftest - INFO - testtools.testresult.real._StringException: Traceback (most recent call last):
>    File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/selftest/cases/signing.py", line 113, in test_signing_packages
>      runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' %
>    File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/utils/commands.py", line 214, in runCmd
>      raise AssertionError("Command '%s' returned non-zero exit status %d:\n%s" % (command, result.status, exc_output))
> AssertionError: Command '/srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/tmp/work/core2-64-poky-linux/ed/1.20.2/recipe-sysroot-native/usr/bin/rpmkeys --define "_dbpath /tmp/oeqa-rpmdbsj05eco3" --import /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub' returned non-zero exit status 1:
> error: Certificate 7B31316B5D64AD52:
>    Policy rejects 7B31316B5D64AD52: No binding signature at time 2025-02-01T14:28:26Z
> error: /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub: key 1 import failed.
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/893/steps/14/logs/stdio
>
> Do you mind having a look at this ?

I have run the self test on a Fedora 41 host and it succeeded there.

Probably you need to fix the crypto policy to allow such a cert with a
"no binding signature" or replace the cert.

This github issue may have some useful pointers:
https://github.com/rpm-software-management/rpm-sequoia/issues/46

Zoltán Böszörményi Feb. 3, 2025, 10:11 a.m. UTC | #3
On 2025. 02. 02. 9:44, Zoltan Boszormenyi via lists.openembedded.org wrote:
> On 2025. 02. 01. 15:37, Mathieu Dubois-Briand wrote:
>> On Fri Jan 31, 2025 at 7:43 AM CET, Zoltán Böszörményi wrote:
>>> Enable building rpm with rpm-sequoia for the test.
>>>
>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>>> ---
>> Sorry, I still get some errors while building:
>>
>> 2025-02-01 14:28:32,979 - oe-selftest - INFO - 9: 40/54 602/618 (56.20s) (0 failed) 
>> (signing.Signing.test_signing_packages)
>> 2025-02-01 14:28:32,979 - oe-selftest - INFO - 
>> testtools.testresult.real._StringException: Traceback (most recent call last):
>>    File 
>> "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/selftest/cases/signing.py", 
>> line 113, in test_signing_packages
>>      runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' %
>>    File 
>> "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/utils/commands.py", 
>> line 214, in runCmd
>>      raise AssertionError("Command '%s' returned non-zero exit status %d:\n%s" % 
>> (command, result.status, exc_output))
>> AssertionError: Command 
>> '/srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/tmp/work/core2-64-poky-linux/ed/1.20.2/recipe-sysroot-native/usr/bin/rpmkeys 
>> --define "_dbpath /tmp/oeqa-rpmdbsj05eco3" --import 
>> /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub' 
>> returned non-zero exit status 1:
>> error: Certificate 7B31316B5D64AD52:
>>    Policy rejects 7B31316B5D64AD52: No binding signature at time 2025-02-01T14:28:26Z
>> error: 
>> /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub: 
>> key 1 import failed.
>>
>> https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/893/steps/14/logs/stdio
>>
>> Do you mind having a look at this ?
>
> I have run the self test on a Fedora 41 host and it succeeded there.
>
> Probably you need to fix the crypto policy to allow such a cert with a
> "no binding signature" or replace the cert.
>
> This github issue may have some useful pointers:
> https://github.com/rpm-software-management/rpm-sequoia/issues/46

Can you please try this below?

Setting the envvar SEQUOIA_CRYPTO_POLICY to an empty string
will use the built-in default policy. See
https://github.com/rpm-software-management/rpm-sequoia/blob/main/src/lib.rs#L54

===============================================
diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py
index 51d1c3fa64..9a820ebc72 100644
--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -71,7 +71,6 @@ class Signing(OESelftestTestCase):
          """
          import oe.packagedata

-        self.skipTest('This test requires rpm-sequoia support in rpm')
          self.setup_gpg()

          package_classes = get_bb_var('PACKAGE_CLASSES')
@@ -84,9 +83,14 @@ class Signing(OESelftestTestCase):
          feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
          feature += 'RPM_GPG_NAME = "testuser"\n'
          feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
+        feature += 'PACKAGECONFIG:append:pn-rpm-native = " sequoia"\n'
+        feature += 'PACKAGECONFIG:append:pn-rpm = " sequoia"\n'

          self.write_config(feature)

+        # Test rpm-sequoia's default built-in policy
+        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
+
          bitbake('-c clean %s' % test_recipe)
          bitbake('-f -c package_write_rpm %s' % test_recipe)

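Review bot: The os.environ['SEQUOIA_CRYPTO_POLICY'] = '' assignment placed before the bitbake(...) calls changes the test runner's own environment and is never undone, so every later test in the same process inherits it. The comment also does not say which command is expected to read the variable: the failure reported in this thread came from the rpmkeys --import call made through runCmd, not from a bitbake task. Set the variable only around the command that needs it and restore the previous value afterwards, for example with self.addCleanup(...).
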
@@ -152,6 +156,9 @@ class Signing(OESelftestTestCase):

          self.write_config(feature)

+        # Test rpm-sequoia's default built-in policy
+        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
+
          with self.create_new_builddir(os.environ['BUILDDIR'], builddir):

              os.environ["PATH"] = nsysroot + ":" + os.environ["PATH"]
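
Review bot: This repeats the two-line override from the previous hunk verbatim, and here it sits outside the with self.create_new_builddir(...) block, so it stays in effect after that block exits. Put the override in one helper or in the class setup so the reason and the cleanup are stated once.
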
@@ -198,6 +205,9 @@ class LockedSignatures(OESelftestTestCase):
          feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n'
          self.write_config(feature)

+        # Test rpm-sequoia's default built-in policy
+        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
+
          # Build a locked recipe
          bitbake(test_recipe)

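Review bot: LockedSignatures gets the same override, but the lines visible in this hunk only set SIGGEN_LOCKEDSIGS_TASKSIG_CHECK and build a recipe; nothing here imports a key or verifies an rpm signature. Drop the override from this class unless a failure in it can be shown, or say in the comment what needs it.
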
===============================================

It succeeded for me:

$ oe-selftest -r signing
...
2025-02-03 10:53:11,900 - oe-selftest - INFO - oe-selftest () - Ran 3 tests in 2801.617s
2025-02-03 10:53:11,900 - oe-selftest - INFO - oe-selftest - OK - All required tests passed (successes=3, skipped=0, failures=0, errors=0)

As for an actual crypto policy for rpm-sequoia, I am not sure
how appropriate it would be to create a recipe for Fedora's
crypto-policies package in Yocto.

Alexander Kanavin Feb. 3, 2025, 11:18 a.m. UTC | #4
I would recommend you send this change as a proper patch. You should
not be asking integrators to produce patches out of ad hoc mailing
list tweaks.

Alex


Zoltán Böszörményi Feb. 3, 2025, 11:24 a.m. UTC | #5
On 2025. 02. 03. 12:18, Alexander Kanavin wrote:
> I would recommend you send this change as a proper patch. You should
> not be asking integrators to produce patches out of ad hoc mailing
> list tweaks.

I implicitly asked to switch the host distro. :)

Seriously, I will send it as a proper patch soon.


Richard Purdie Feb. 3, 2025, 12:29 p.m. UTC | #6
On Mon, 2025-02-03 at 11:11 +0100, Zoltan Boszormenyi via lists.openembedded.org wrote:
> On 2025. 02. 02. 9:44, Zoltan Boszormenyi via lists.openembedded.org wrote:
> > On 2025. 02. 01. 15:37, Mathieu Dubois-Briand wrote:
> > > On Fri Jan 31, 2025 at 7:43 AM CET, Zoltán Böszörményi wrote:
> > > > Enable building rpm with rpm-sequoia for the test.
> > > > 
> > > > Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> > > > ---
> > > Sorry, I still get some errors while building:
> > > 
> > > 2025-02-01 14:28:32,979 - oe-selftest - INFO - 9: 40/54 602/618 (56.20s) (0 failed) 
> > > (signing.Signing.test_signing_packages)
> > > 2025-02-01 14:28:32,979 - oe-selftest - INFO - 
> > > testtools.testresult.real._StringException: Traceback (most recent call last):
> > >    File 
> > > "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/selftest/cases/signing.py", 
> > > line 113, in test_signing_packages
> > >      runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' %
> > >    File 
> > > "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/utils/commands.py", 
> > > line 214, in runCmd
> > >      raise AssertionError("Command '%s' returned non-zero exit status %d:\n%s" % 
> > > (command, result.status, exc_output))
> > > AssertionError: Command 
> > > '/srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/tmp/work/core2-64-poky-linux/ed/1.20.2/recipe-sysroot-native/usr/bin/rpmkeys 
> > > --define "_dbpath /tmp/oeqa-rpmdbsj05eco3" --import 
> > > /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub' 
> > > returned non-zero exit status 1:
> > > error: Certificate 7B31316B5D64AD52:
> > >    Policy rejects 7B31316B5D64AD52: No binding signature at time 2025-02-01T14:28:26Z
> > > error: 
> > > /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub: 
> > > key 1 import failed.
> > > 
> > > https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/893/steps/14/logs/stdio
> > > 
> > > Do you mind having a look at this ?
> > 
> > I have run the self test on a Fedora 41 host and it succeeded there.
> > 
> > Probably you need to fix the crypto policy to allow such a cert with a
> > "no binding signature" or replace the cert.
> > 
> > This github issue may have some useful pointers:
> > https://github.com/rpm-software-management/rpm-sequoia/issues/46
> 
> Can you please try this below?
> 
> Setting the envvar SEQUOIA_CRYPTO_POLICY to an empty string
> will use the built-in default policy. See
> https://github.com/rpm-software-management/rpm-sequoia/blob/main/src/lib.rs#L54
> 
> ===============================================
> diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py
> index 51d1c3fa64..9a820ebc72 100644
> --- a/meta/lib/oeqa/selftest/cases/signing.py
> +++ b/meta/lib/oeqa/selftest/cases/signing.py
> @@ -71,7 +71,6 @@ class Signing(OESelftestTestCase):
>           """
>           import oe.packagedata
> 
> -        self.skipTest('This test requires rpm-sequoia support in rpm')
>           self.setup_gpg()
> 
>           package_classes = get_bb_var('PACKAGE_CLASSES')
> @@ -84,9 +83,14 @@ class Signing(OESelftestTestCase):
>           feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
>           feature += 'RPM_GPG_NAME = "testuser"\n'
>           feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
> +        feature += 'PACKAGECONFIG:append:pn-rpm-native = " sequoia"\n'
> +        feature += 'PACKAGECONFIG:append:pn-rpm = " sequoia"\n'
> 
>           self.write_config(feature)
> 
> +        # Test rpm-sequoia's default built-in policy
> +        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
> +
>           bitbake('-c clean %s' % test_recipe)
>           bitbake('-f -c package_write_rpm %s' % test_recipe)
> 
> @@ -152,6 +156,9 @@ class Signing(OESelftestTestCase):
> 
>           self.write_config(feature)
> 
> +        # Test rpm-sequoia's default built-in policy
> +        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
> +
>           with self.create_new_builddir(os.environ['BUILDDIR'], builddir):
> 
>               os.environ["PATH"] = nsysroot + ":" + os.environ["PATH"]
> @@ -198,6 +205,9 @@ class LockedSignatures(OESelftestTestCase):
>           feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n'
>           self.write_config(feature)
> 
> +        # Test rpm-sequoia's default built-in policy
> +        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
> +
>           # Build a locked recipe
>           bitbake(test_recipe)

Given the way bitbake clears the environment except for allowed
variables, will that setting make it to where it needs to?

I've not looked at the specific test so it is possible it can work but
it looks a bit unusual to me.

Cheers,

Richard
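
The question raised above, as an added sketch that is not part of the thread or of OE-Core: a variable set in os.environ reaches children that inherit the environment but not children started from an allowlisted environment, and a scoped override has to restore the previous state exactly, because unset and empty are different values for SEQUOIA_CRYPTO_POLICY. The names ALLOWED_VARS, scoped_env, filtered_env and child_sees and the policy path are constructed for illustration; the allowlist only stands in for bitbake's environment filtering.

```python
import json
import os
import subprocess
import sys
from contextlib import contextmanager

POLICY_VAR = "SEQUOIA_CRYPTO_POLICY"

# Constructed allowlist standing in for a launcher that scrubs its environment
# before starting tasks (an assumption, not bitbake's actual list).
ALLOWED_VARS = frozenset({"PATH", "HOME", "LANG"})

# Child program: report the variable as JSON so None (unset) and "" (empty)
# stay distinguishable on the way back.
_PROBE = "import json, os; print(json.dumps(os.environ.get(%r)))" % POLICY_VAR


@contextmanager
def scoped_env(name, value):
    """Set name=value inside the block, then restore the previous state.

    A sentinel records "was unset", so an unset variable is removed again
    instead of being left behind as an empty string.
    """
    missing = object()
    previous = os.environ.get(name, missing)
    os.environ[name] = value
    try:
        yield
    finally:
        if previous is missing:
            os.environ.pop(name, None)
        else:
            os.environ[name] = previous


def filtered_env(extra=()):
    """Environment a scrubbing launcher would hand to the processes it starts."""
    keep = set(ALLOWED_VARS) | set(extra)
    return {k: v for k, v in os.environ.items() if k in keep}


def child_sees(env=None):
    """Start a child Python and return its view of POLICY_VAR (None if unset)."""
    result = subprocess.run([sys.executable, "-c", _PROBE], env=env,
                            capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


def demo():
    # Pretend the host exports a policy file (constructed path).
    with scoped_env(POLICY_VAR, "/constructed/host-policy.toml"):
        before = os.environ[POLICY_VAR]
        with scoped_env(POLICY_VAR, ""):
            direct = child_sees()                      # inherits os.environ
            scrubbed = child_sees(filtered_env())      # allowlist drops it
            passed = child_sees(filtered_env(extra=[POLICY_VAR]))
        restored = os.environ[POLICY_VAR] == before
    return {"direct": direct, "scrubbed": scrubbed,
            "passed": passed, "restored": restored}


if __name__ == "__main__":
    print(demo())
```
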

Alexander Kanavin Feb. 3, 2025, 12:35 p.m. UTC | #7
Also we need to set it where the signing actually happens, not only in the
test.


Alex


Patch

diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py
index 51d1c3fa64..4df45ba032 100644
--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -71,7 +71,6 @@  class Signing(OESelftestTestCase):
         """
         import oe.packagedata
 
-        self.skipTest('This test requires rpm-sequoia support in rpm')
         self.setup_gpg()
 
         package_classes = get_bb_var('PACKAGE_CLASSES')
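
Review bot: Removing self.skipTest(...) makes this test run on every host, yet nothing in this version pins which Sequoia crypto policy applies when the test key is imported. The autobuilder log quoted in the thread shows the result: rpmkeys --import fails with "Policy rejects 7B31316B5D64AD52: No binding signature" on the oe-selftest-debian worker, while the author reports success on Fedora 41. Keep the skip until the test either sets the policy it expects or ships a key.pub that passes the default policy.
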
@@ -84,6 +83,8 @@  class Signing(OESelftestTestCase):
         feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
         feature += 'RPM_GPG_NAME = "testuser"\n'
         feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
+        feature += 'PACKAGECONFIG:append:pn-rpm-native = " sequoia"\n'
+        feature += 'PACKAGECONFIG:append:pn-rpm = " sequoia"\n'
 
         self.write_config(feature)
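
Review bot: The two PACKAGECONFIG:append lines have no comment explaining why the test needs sequoia in both rpm-native and rpm. Add one line above them stating the reason, and say in the commit message that this patch depends on the rpm-sequoia recipe from patch 1/2 of the series.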