| Message ID | 20250627-signing-set-ca-v4-0-b8fe358664c6@leica-geosystems.com |
|---|---|
| Series | signing.bbclass: add certificate chain handling |

I have to use -p0 to apply the patches, default is -p1, it would be
good to adjust your patch generation to use -p1 in future.

On Fri, Jun 27, 2025 at 5:18 AM Johannes Schneider
<johannes.schneider@leica-geosystems.com> wrote:
>
> Adding support for handling a complex PKI setup to the signing.bbclass
>
> Since a (soft)HSM can only store a single certificate in one slot, the
> relation between a leaf certificate, and its signing intermediary (or
> root) certificate has to be stored outside of the HSM, in the form of
> some additional metadata. This additional data is stored in an
> environment variable, which is set up and manipulated by a set of
> helper functions: signing_{get,set,has}_ca.
>
> This patch-stack also does some cleanup of now superfluous code parts.
>
> ---
> V4:
> - rebase onto meta-openembedded/master
>
> v3: added use-case to commit message of "signing.bbclass: add signing_get_intermediate_certs"
>
> v3:
> - reword commit message and comments following review suggestions
> - foresee local.conf overrides for the CA
>
> ---
>
> To: jlu@pengutronix.de
> Cc: bsp-development.geo@leica-geosystems.com
> Cc: openembedded-devel@lists.openembedded.org
> Cc: raj.khem@gmail.com
>
> ---
> Johannes Schneider (6):
>       signing.bbclass: refactor signing_import_cert_from_*
>       signing.bbclass: add set|get|has_ca functions
>       signing.bbclass: add get_root_cert
>       signing.bbclass: add signing_get_intermediate_certs
>       signing.bbclass: add signing_extract_cert helpers
>       signing.bbclass: remove signing_import_cert_chain_from_pem
>
>  meta-oe/classes/signing.bbclass | 172 ++++++++++++++++++++++++++++++++--------
>  1 file changed, 137 insertions(+), 35 deletions(-)
> ---
> base-commit: 5b4e26adb80784be59e5b82c098ec050c93c1ca4
> change-id: 20250618-signing-set-ca-f398259222f5
>
> Best regards,
> --
> Johannes Schneider <johannes.schneider@leica-geosystems.com>
>

Hi

> I have to use -p0 to apply the patches, default is -p1, it would be
> good to adjust your patch generation to use -p1 in future.

sorry for the inconvenience!
Fixed it for the future -- via global .gitconfig:

[diff]
	## disable 'a/' and 'b/' to easily copy paths out
	noprefix = true
## but keep it in format-patch/send-mail for upstreaming
[format]
	prefix = true

Regards
Johannes

________________________________________
From: Khem Raj <raj.khem@gmail.com>
Sent: Saturday, June 28, 2025 20:07
To: SCHNEIDER Johannes
Cc: jlu@pengutronix.de; GEO-CHHER-bsp-development; openembedded-devel@lists.openembedded.org
Subject: Re: [PATCH meta-oe v4 0/6] signing.bbclass: add certificate chain handling

I have to use -p0 to apply the patches, default is -p1, it would be
good to adjust your patch generation to use -p1 in future.

Adding support for handling a complex PKI setup to the signing.bbclass

Since a (soft)HSM can only store a single certificate in one slot, the
relation between a leaf certificate, and its signing intermediary (or
root) certificate has to be stored outside of the HSM, in the form of
some additional metadata. This additional data is stored in an
environment variable, which is set up and manipulated by a set of
helper functions: signing_{get,set,has}_ca.

This patch-stack also does some cleanup of now superfluous code parts.

---
V4:
- rebase onto meta-openembedded/master

v3: added use-case to commit message of "signing.bbclass: add signing_get_intermediate_certs"

v3:
- reword commit message and comments following review suggestions
- foresee local.conf overrides for the CA

---

To: jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com
Cc: openembedded-devel@lists.openembedded.org
Cc: raj.khem@gmail.com

---
Johannes Schneider (6):
      signing.bbclass: refactor signing_import_cert_from_*
      signing.bbclass: add set|get|has_ca functions
      signing.bbclass: add get_root_cert
      signing.bbclass: add signing_get_intermediate_certs
      signing.bbclass: add signing_extract_cert helpers
      signing.bbclass: remove signing_import_cert_chain_from_pem

 meta-oe/classes/signing.bbclass | 172 ++++++++++++++++++++++++++++++++--------
 1 file changed, 137 insertions(+), 35 deletions(-)
---
base-commit: 5b4e26adb80784be59e5b82c098ec050c93c1ca4
change-id: 20250618-signing-set-ca-f398259222f5

Best regards,
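
The cover letter above describes keeping the leaf-to-issuer relation outside the HSM, in environment variables. The sketch below is an added example, not code from signing.bbclass or from this series: it shows one way such a mapping can be stored and walked up to the root. All `demo_*` function names, the `DEMO_CA_` variable prefix and the role names are hypothetical.

```sh
#!/bin/sh
# Added illustration only; names are hypothetical, not the signing.bbclass API.

# A role becomes part of a variable name, so allow only [A-Za-z0-9_]
# before it can reach eval.
_valid_role() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# Record that the certificate of role $1 was issued by the CA role $2.
demo_set_ca() {
    _valid_role "$1" && _valid_role "$2" || return 2
    eval "DEMO_CA_$1=\$2"
}

# Succeed if an issuer is recorded for role $1 (a root has none).
demo_has_ca() {
    _valid_role "$1" || return 2
    eval "[ -n \"\${DEMO_CA_$1:-}\" ]"
}

# Print the issuer role recorded for $1.
demo_get_ca() {
    demo_has_ca "$1" || return 1
    eval "printf '%s\n' \"\$DEMO_CA_$1\""
}

# Print the chain above $1, nearest issuer first and root last.
# Returns 3 on a loop in the metadata or a chain deeper than 8 links.
demo_chain() {
    role=$1 seen=" $1 " depth=0 out=""
    while demo_has_ca "$role"; do
        role=$(demo_get_ca "$role")
        case "$seen" in *" $role "*) return 3 ;; esac
        depth=$((depth + 1)); [ "$depth" -le 8 ] || return 3
        seen="$seen$role " out="${out:+$out }$role"
    done
    printf '%s\n' "$out"
}

# Print the root role for $1; a role without an issuer is its own root.
demo_root() {
    chain=$(demo_chain "$1") || return
    [ -n "$chain" ] || chain=$1
    printf '%s\n' "${chain##* }"
}

# Constructed sample PKI: fitimage_leaf <- project_ca <- root_ca
demo_set_ca fitimage_leaf project_ca
demo_set_ca project_ca root_ca
```

Because this metadata lives outside the HSM, nothing in it is authenticated: a signing step that relies on it should still verify the assembled chain cryptographically.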