new file mode 100644
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "always"
+sha1.second_preimage_resistance = "always"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "always"
+sha224.second_preimage_resistance = "always"
+sha256.collision_resistance = "always"
+sha256.second_preimage_resistance = "always"
+sha384.collision_resistance = "always"
+sha384.second_preimage_resistance = "always"
+sha512.collision_resistance = "always"
+sha512.second_preimage_resistance = "always"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "always"
+aes192 = "never"
+aes256 = "always"
+twofish = "never"
+camellia128 = "always"
+camellia192 = "never"
+camellia256 = "always"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "always"
+rsa3072 = "always"
+rsa4096 = "always"
+dsa1024 = "always"
+dsa2048 = "always"
+dsa3072 = "always"
+dsa4096 = "always"
+nistp256 = "always"
+nistp384 = "always"
+nistp521 = "always"
+cv25519 = "always"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
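Review bot: `sha1.collision_resistance = "always"` and `dsa1024 = "always"` make this policy accept SHA-1-based signatures and 1024-bit DSA keys, even though `md5` and `rsa1024` are set to "never". With those settings the selftest's 'digests signatures OK' assertion would still pass if the signing setup regressed to those weaker primitives. If the test key under files/signing does not depend on them (not visible in this hunk), consider `sha1.collision_resistance = "never"` and `dsa1024 = "never"`, at the cost of diverging from the policy shipped by rpm-sequoia. A header comment such as `# Test-only Sequoia crypto policy for oe-selftest; not a recommended production policy` would also stop the file from being copied as a baseline.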
@@ -21,6 +21,7 @@ class Signing(OESelftestTestCase):
gpg_dir = ""
pub_key_path = ""
secret_key_path = ""
+ sequoia_config_path = ""
def setup_gpg(self):
bitbake('gnupg-native -c addto_recipe_sysroot')
@@ -30,6 +31,7 @@ class Signing(OESelftestTestCase):
self.pub_key_path = os.path.join(self.testlayer_path, 'files', 'signing', "key.pub")
self.secret_key_path = os.path.join(self.testlayer_path, 'files', 'signing', "key.secret")
+ self.sequoia_config_path = os.path.join(self.testlayer_path, 'files', 'signing', "rpm-sequoia.config")
nsysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native")
@@ -71,7 +73,6 @@ class Signing(OESelftestTestCase):
"""
import oe.packagedata
- self.skipTest('This test requires rpm-sequoia support in rpm')
self.setup_gpg()
package_classes = get_bb_var('PACKAGE_CLASSES')
@@ -84,6 +85,8 @@ class Signing(OESelftestTestCase):
feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
feature += 'RPM_GPG_NAME = "testuser"\n'
feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
+ feature += 'PACKAGECONFIG:append:pn-rpm-native = " sequoia"\n'
+ feature += 'PACKAGECONFIG:append:pn-rpm = " sequoia"\n'
self.write_config(feature)
@@ -106,6 +109,9 @@ class Signing(OESelftestTestCase):
pkg_deploy = os.path.join(deploy_dir_rpm, package_arch, '.'.join((pf, package_arch, 'rpm')))
+ # Use our crypto policy file for runCmd('rpmkeys')
+ os.environ['SEQUOIA_CRYPTO_POLICY'] = self.sequoia_config_path
+
# Use a temporary rpmdb
rpmdb = tempfile.mkdtemp(prefix='oeqa-rpmdb')
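Review bot: The `os.environ['SEQUOIA_CRYPTO_POLICY']` assignment here is only undone by the `del` in the later hunk (@@ -118,6 +124,9), so a failing `assertIn` or a raising `runCmd` in between leaves the override set for the rest of the selftest process. Later tests and commands would then verify signatures against this fixture policy instead of the default one. The unconditional `del` also discards any value the caller had exported rather than restoring it. Registering the cleanup right after the assignment would cover both paths, e.g. `self.addCleanup(os.environ.pop, 'SEQUOIA_CRYPTO_POLICY', None)`, assuming the test case class exposes unittest's `addCleanup`; a `try`/`finally` around the rpmkeys calls would work as well. The enclosing test method starts and ends outside these hunks.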
@@ -118,6 +124,9 @@ class Signing(OESelftestTestCase):
self.assertIn('digests signatures OK', ret.output, 'Package signed incorrectly.')
shutil.rmtree(rpmdb)
+ # Make sure SEQUOIA_CRYPTO_POLICY envvar is unset
+ del os.environ['SEQUOIA_CRYPTO_POLICY']
+
#Check that an image can be built from signed packages
self.add_command_to_tearDown('bitbake -c clean core-image-minimal')
bitbake('-c clean core-image-minimal')
Enable building rpm with rpm-sequoia for the test. sign_rpm.bbclass already takes care of signing rpm packages. Add a crypto policy file (identical to the one shipped by rpm-sequoia) and use its path in SEQUOIA_CRYPTO_POLICY envvar for runCmd('rpmkeys') commands. Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com> --- .../files/signing/rpm-sequoia.config | 51 +++++++++++++++++++ meta/lib/oeqa/selftest/cases/signing.py | 11 +++- 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 meta-selftest/files/signing/rpm-sequoia.config