| Message ID | 20250530090019.668412-1-marcin.bajer@salwatorska.pl |
|---|---|
| State | New |
| Series | [meta-oe] signing: export rule specific environment variables with Digicert infrastructure |
On 5/30/25 11:00, Marcin Bajer via lists.openembedded.org wrote: > Digicert cloud HSM requires more variables to be exported i.e. `SM_HOST`, `SM_API_KEY`, `SM_CLIENT_CERT_FILE`. The signing provides might inject needed configuration to `meta-signing.env.d` directory in form of *.env files. In exisiting code in `signing_prepare` call source all *.env files from `meta-signing.env.d` this allows to export only variables common for all signing rules. In case, unique settings per signing rule are needed those are overwritten (sourcing next file will overwrite previously defined variables). Proposed patch allows to export signing `rule` specific variables. For example to set SM_API_KEY for rauc rule it is needed to defined in env file as `export SIGNING_PKCS11_SM_API_KEY_rauc_=abcde` . Added logic remove prefix SIGNING_PKCS11_ and surfix _rauc_ end export the variable. 1. The Signed-off-by line is missing. Please make sure to use "git commit --signoff" when committing. 2. This should be sent to meta-oe mailing list, not to this one: openembedded-devel@lists.openembedded.org - could you please resend it there? 3. While at it, could you please also add some line-breaks in the commit message, and fix some typos? (end->and, surfix->suffix, to defined->to be defined...) > --- > meta-oe/classes/signing.bbclass | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass > index f52d861b76..cefd115355 100644 > --- a/meta-oe/classes/signing.bbclass > +++ b/meta-oe/classes/signing.bbclass 
> @@ -263,6 +263,12 @@ signing_prepare() { > signing_prepare[vardeps] += "signing_get_uri signing_get_module" > > signing_use_role() { > + > + #import all variables dedicated to this signing rule > + for env in $(ls "${STAGING_DIR_NATIVE}/var/lib/meta-signing.env.d"); do > + eval $(cat ${STAGING_DIR_NATIVE}/var/lib/meta-signing.env.d/$env | grep "^export SIGNING_PKCS11_.*_${1}_" | sed -e "s/SIGNING_PKCS11_//" -e "s/_${1}_//" ) > + done > + > local role="${1}" > > export PKCS11_MODULE_PATH="$(signing_get_module $role)"
diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index f52d861b76..cefd115355 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -263,6 +263,12 @@ signing_prepare() { signing_prepare[vardeps] += "signing_get_uri signing_get_module" signing_use_role() { + + #import all variables dedicated to this signing rule + for env in $(ls "${STAGING_DIR_NATIVE}/var/lib/meta-signing.env.d"); do + eval $(cat ${STAGING_DIR_NATIVE}/var/lib/meta-signing.env.d/$env | grep "^export SIGNING_PKCS11_.*_${1}_" | sed -e "s/SIGNING_PKCS11_//" -e "s/_${1}_//" ) + done + local role="${1}" export PKCS11_MODULE_PATH="$(signing_get_module $role)"
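Review bot: The `eval $(cat ... | grep ... | sed ...)` line added at the top of `signing_use_role()` evaluates file content unquoted and matches too loosely. The grep pattern `^export SIGNING_PKCS11_.*_${1}_` is not anchored to the `=`, so a line that carries `_<role>_` only in its value, or a name that merely contains it in the middle, is also selected, and `sed -e "s/_${1}_//"` then strips the first occurrence wherever it sits. Anchoring both expressions to `_${1}_=` would limit the match to the variable name suffix. Because the command substitution is unquoted, the shell word-splits and glob-expands the selected text before `eval` sees it, so a value containing spaces or `*` is altered or reinterpreted; `eval "$(...)"` avoids that. The loop `for env in $(ls ...)` breaks on file names with whitespace and reads every file in the directory, while the commit message speaks of *.env files, so a glob such as `for env in "${STAGING_DIR_NATIVE}"/var/lib/meta-signing.env.d/*.env` would be safer. The block also uses `${1}` before `local role="${1}"`; moving it below that line and using `$role` would read more clearly. Since the files can carry values like `SM_API_KEY`, a short comment documenting the expected `SIGNING_PKCS11_<NAME>_<role>_` format would help people writing these env files.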