
[v6,3/3] oeqa/selftest/cases/signing.py: Re-enable self-test

Message ID 20250205043637.2649428-3-zboszor@gmail.com
State New

Commit Message

Böszörményi Zoltán Feb. 5, 2025, 4:36 a.m. UTC
Enable building rpm with rpm-sequoia for the test.

sign_rpm.bbclass already takes care of signing rpm packages.

Add a crypto policy file (identical to the one shipped by
rpm-sequoia) and use its path in SEQUOIA_CRYPTO_POLICY envvar
for runCmd('rpmkeys') commands.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 .../files/signing/rpm-sequoia.config          | 51 +++++++++++++++++++
 meta/lib/oeqa/selftest/cases/signing.py       | 11 +++-
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 meta-selftest/files/signing/rpm-sequoia.config

Comments

Alexander Kanavin Feb. 5, 2025, 11:04 a.m. UTC | #1
On Wed, 5 Feb 2025 at 05:36, Zoltán Böszörményi <zboszor@gmail.com> wrote:
> Add a crypto policy file (identical to the one shipped by
> rpm-sequoia) and use its path in SEQUOIA_CRYPTO_POLICY envvar
> for runCmd('rpmkeys') commands.

This complicates maintaining the policy file even further. Rather, you
should set the location of the policy in the rpm recipe where the
wrappers are defined:

do_install:append:class-native() {
        for tool in ${WRAPPER_TOOLS}; do
                test -x ${D}$tool && create_wrapper ${D}$tool \
                        RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \
                        RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE} \

MAGIC=${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc \
                        RPM_NO_CHROOT_FOR_SCRIPTS=1
        done
}

This should allow dropping patch 2/3 (the tweak to sign_rpm class) as well.

Alex
Böszörményi Zoltán Feb. 5, 2025, 3:19 p.m. UTC | #2
2025. 02. 05. 12:04 keltezéssel, Alexander Kanavin írta:
> On Wed, 5 Feb 2025 at 05:36, Zoltán Böszörményi <zboszor@gmail.com> wrote:
>> Add a crypto policy file (identical to the one shipped by
>> rpm-sequoia) and use its path in SEQUOIA_CRYPTO_POLICY envvar
>> for runCmd('rpmkeys') commands.
> This complicated maintaining the policy file even further. Rather, you
> should set the location of the policy in the rpm recipe where the
> wrappers are defined:
>
> do_install:append:class-native() {
>          for tool in ${WRAPPER_TOOLS}; do
>                  test -x ${D}$tool && create_wrapper ${D}$tool \
>                          RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \
>                          RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE} \
>
> MAGIC=${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc \
>                          RPM_NO_CHROOT_FOR_SCRIPTS=1
>          done
> }
>
> This should allow dropping patch 2/3 (the tweak to sign_rpm class) as well.

Thanks for the pointers, I am running the self test with this.

Patch

diff --git a/meta-selftest/files/signing/rpm-sequoia.config b/meta-selftest/files/signing/rpm-sequoia.config
new file mode 100644
index 0000000000..cec1d1550b
--- /dev/null
+++ b/meta-selftest/files/signing/rpm-sequoia.config
@@ -0,0 +1,51 @@ 
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "always"
+sha1.second_preimage_resistance = "always"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "always"
+sha224.second_preimage_resistance = "always"
+sha256.collision_resistance = "always"
+sha256.second_preimage_resistance = "always"
+sha384.collision_resistance = "always"
+sha384.second_preimage_resistance = "always"
+sha512.collision_resistance = "always"
+sha512.second_preimage_resistance = "always"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "always"
+aes192 = "never"
+aes256 = "always"
+twofish = "never"
+camellia128 = "always"
+camellia192 = "never"
+camellia256 = "always"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "always"
+rsa3072 = "always"
+rsa4096 = "always"
+dsa1024 = "always"
+dsa2048 = "always"
+dsa3072 = "always"
+dsa4096 = "always"
+nistp256 = "always"
+nistp384 = "always"
+nistp521 = "always"
+cv25519 = "always"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
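Review bot: The policy accepts SHA-1 and 1024-bit DSA without restriction (`sha1.collision_resistance = "always"`, `dsa1024 = "always"`), so the `rpmkeys` checks in signing.py that run under this file will report signatures OK for packages signed with those algorithms; whether the test key under files/signing uses any of them is not visible here. The commit message says the file is identical to the one shipped by rpm-sequoia, but the file itself does not record that, so a later change on either side would go unnoticed. If the policy parser accepts `#` comments as TOML does, a header such as `# Verbatim copy of the crypto policy shipped by rpm-sequoia; keep in sync with the rpm-sequoia recipe version` would make the provenance and the deliberately permissive entries explicit to the next maintainer.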
diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py
index 51d1c3fa64..f01a464d1d 100644
--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -21,6 +21,7 @@  class Signing(OESelftestTestCase):
     gpg_dir = ""
     pub_key_path = ""
     secret_key_path = ""
+    sequoia_config_path = ""
 
     def setup_gpg(self):
         bitbake('gnupg-native -c addto_recipe_sysroot')
@@ -30,6 +31,7 @@  class Signing(OESelftestTestCase):
 
         self.pub_key_path = os.path.join(self.testlayer_path, 'files', 'signing', "key.pub")
         self.secret_key_path = os.path.join(self.testlayer_path, 'files', 'signing', "key.secret")
+        self.sequoia_config_path = os.path.join(self.testlayer_path, 'files', 'signing', "rpm-sequoia.config")
 
         nsysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native")
 
@@ -71,7 +73,6 @@  class Signing(OESelftestTestCase):
         """
         import oe.packagedata
 
-        self.skipTest('This test requires rpm-sequoia support in rpm')
         self.setup_gpg()
 
         package_classes = get_bb_var('PACKAGE_CLASSES')
@@ -84,6 +85,8 @@  class Signing(OESelftestTestCase):
         feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
         feature += 'RPM_GPG_NAME = "testuser"\n'
         feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
+        feature += 'PACKAGECONFIG:append:pn-rpm-native = " sequoia"\n'
+        feature += 'PACKAGECONFIG:append:pn-rpm = " sequoia"\n'
 
         self.write_config(feature)
 
@@ -106,6 +109,9 @@  class Signing(OESelftestTestCase):
 
         pkg_deploy = os.path.join(deploy_dir_rpm, package_arch, '.'.join((pf, package_arch, 'rpm')))
 
+        # Use our crypto policy file for runCmd('rpmkeys')
+        os.environ['SEQUOIA_CRYPTO_POLICY'] = self.sequoia_config_path
+
         # Use a temporary rpmdb
         rpmdb = tempfile.mkdtemp(prefix='oeqa-rpmdb')
 
@@ -118,6 +124,9 @@  class Signing(OESelftestTestCase):
         self.assertIn('digests signatures OK', ret.output, 'Package signed incorrectly.')
         shutil.rmtree(rpmdb)
 
+        # Make sure SEQUOIA_CRYPTO_POLICY envvar is unset
+        del os.environ['SEQUOIA_CRYPTO_POLICY']
+
         #Check that an image can be built from signed packages
         self.add_command_to_tearDown('bitbake -c clean core-image-minimal')
         bitbake('-c clean core-image-minimal')
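Review bot: `del os.environ['SEQUOIA_CRYPTO_POLICY']` only runs on the success path: if `runCmd('rpmkeys')` raises or the `assertIn` on the line above fails, the variable stays set for every later test in this process, and `del` itself raises `KeyError` if the variable was already removed. Register the cleanup where the variable is set in the earlier hunk (`os.environ['SEQUOIA_CRYPTO_POLICY'] = self.sequoia_config_path`), e.g. `self.addCleanup(os.environ.pop, 'SEQUOIA_CRYPTO_POLICY', None)`, and drop the `del` here; if a caller could have exported the variable beforehand, the cleanup should restore the previous value instead of popping it. The enclosing test method begins before this hunk.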