| Message ID | 20250203122444.1513238-2-zboszor@gmail.com |
|---|---|
| State | New |
| Series | [v5,1/2] rpm-sequoia: New recipe for version 1.7.0 |
On Mon, 3 Feb 2025 at 13:24, Zoltán Böszörményi <zboszor@gmail.com> wrote:
> + # Test rpm-sequoia's default built-in policy
> + os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
> +
> + # Test rpm-sequoia's default built-in policy
> + os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
> +
> + # Test rpm-sequoia's default built-in policy
> + os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
> +

This should be set just before the signing actually happens, and not only in the test.

Alex
On 2025. 02. 03. 13:37, Alexander Kanavin wrote:
> On Mon, 3 Feb 2025 at 13:24, Zoltán Böszörményi <zboszor@gmail.com> wrote:
>> + # Test rpm-sequoia's default built-in policy
>> + os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
>> +
>> + # Test rpm-sequoia's default built-in policy
>> + os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
>> +
>> + # Test rpm-sequoia's default built-in policy
>> + os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
>> +
> This should be set just before the signing actually happens, and not
> only in the test.

I decided to actually ship a crypto policy file in the rpm-sequoia recipe, so dnf / rpm can use it on the target system. It is also used in sign_rpm.bbclass and in the test case.

I have already confirmed on my Fedora build host, that with no policy file present (either at the default path by renaming Fedora's own file in /etc to simulate a non-rpm based host or using a non-existing path in SEQUOIA_CRYPTO_POLICY) the signing test case fails.

I will send the new series once the test case succeeds with everything in place properly.
On 2025. 02. 04. 13:25, Zoltan Boszormenyi via lists.openembedded.org wrote:
> On 2025. 02. 03. 13:37, Alexander Kanavin wrote:
>> On Mon, 3 Feb 2025 at 13:24, Zoltán Böszörményi <zboszor@gmail.com> wrote:
>>> + # Test rpm-sequoia's default built-in policy
>>> + os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
>>> +
>>> + # Test rpm-sequoia's default built-in policy
>>> + os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
>>> +
>>> + # Test rpm-sequoia's default built-in policy
>>> + os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
>>> +
>> This should be set just before the signing actually happens, and not
>> only in the test.
>
> I decided to actually ship a crypto policy file in the rpm-sequoia
> recipe, so dnf / rpm can use it on the target system. It is also used
> in sign_rpm.bbclass and in the test case.
>
> I have already confirmed on my Fedora build host,
> that with no policy file present (either at the default path by
> renaming Fedora's own file in /etc to simulate a non-rpm based
> host or using a non-existing path in SEQUOIA_CRYPTO_POLICY) the signing test case fails.
> I will send the new series once the test case succeeds with
> everything in place properly.

I just sent the v6 series.
diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py index 51d1c3fa64..9a820ebc72 100644 --- a/meta/lib/oeqa/selftest/cases/signing.py +++ b/meta/lib/oeqa/selftest/cases/signing.py @@ -71,7 +71,6 @@ class Signing(OESelftestTestCase): """ import oe.packagedata - self.skipTest('This test requires rpm-sequoia support in rpm') self.setup_gpg() package_classes = get_bb_var('PACKAGE_CLASSES') @@ -84,9 +83,14 @@ class Signing(OESelftestTestCase): feature += 'RPM_GPG_PASSPHRASE = "test123"\n' feature += 'RPM_GPG_NAME = "testuser"\n' feature += 'GPG_PATH = "%s"\n' % self.gpg_dir + feature += 'PACKAGECONFIG:append:pn-rpm-native = " sequoia"\n' + feature += 'PACKAGECONFIG:append:pn-rpm = " sequoia"\n' self.write_config(feature) + # Test rpm-sequoia's default built-in policy + os.environ['SEQUOIA_CRYPTO_POLICY'] = '' + bitbake('-c clean %s' % test_recipe) bitbake('-f -c package_write_rpm %s' % test_recipe) @@ -152,6 +156,9 @@ class Signing(OESelftestTestCase): self.write_config(feature) + # Test rpm-sequoia's default built-in policy + os.environ['SEQUOIA_CRYPTO_POLICY'] = '' + with self.create_new_builddir(os.environ['BUILDDIR'], builddir): os.environ["PATH"] = nsysroot + ":" + os.environ["PATH"] @@ -198,6 +205,9 @@ class LockedSignatures(OESelftestTestCase): feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n' self.write_config(feature) + # Test rpm-sequoia's default built-in policy + os.environ['SEQUOIA_CRYPTO_POLICY'] = '' + # Build a locked recipe bitbake(test_recipe)
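Review bot: In the hunk at @@ -84,9 +83,14 @@, `os.environ['SEQUOIA_CRYPTO_POLICY'] = ''` changes the environment of the whole test process and is never undone, so any test case that runs later in the same process inherits the empty policy setting. Save the previous value and restore it with `self.addCleanup(...)` or in tearDown, and since the same two lines are repeated in the @@ -152,6 +156,9 @@ hunk, put the set-and-restore logic in one helper on the test class. The visible lines also set the variable only for the selftest itself; nothing here sets it for the signing step, which is the point raised in the review reply.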
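Review bot: In the LockedSignatures hunk at @@ -198,6 +205,9 @@, the comment "Test rpm-sequoia's default built-in policy" does not match what the surrounding lines do: the context sets `SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"` and builds a locked recipe, and unlike the @@ -84,9 +83,14 @@ hunk no `PACKAGECONFIG:append ... " sequoia"` line is added here. Either drop the assignment from this test or reword the comment to say why a locked-signature build needs the variable.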
Enable building rpm with rpm-sequoia for the test. Set SEQUOIA_CRYPTO_POLICY="" to use the default built-in crypto policy.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>

---

meta/lib/oeqa/selftest/cases/signing.py | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)