Message ID | 20230920143340.135812-1-a.fatoum@pengutronix.de |
---|---|
State | New |
Headers | show |
Series | [meta-oe] signing.bbclass: don't export OPENSSL environment variables globally | expand |
On Wed, 2023-09-20 at 16:33 +0200, Ahmad Fatoum wrote: > OPENSSL_{MODULES,ENGINES,CONF} and SSL_CERT_{DIR,FILE} are currently > exported globally for any recipe that inherits signing. This not only > affects the tasks that use the signing infrastructure, but also unrelated > tasks like e.g. do_fetch. Avoid this by exporting the variables only > for these tasks that actually call signing_prepare. > > This resolves a breakage I observed on Ubuntu 18.04, where the host > tool wget is called with the environment variables set and then fails > with a SSL error (exit code 5). > > Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> Reviewed-by: Jan Lübbe <jlu@pengutronix.de> > --- > meta-oe/classes/signing.bbclass | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) > > diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass > index 5c74a319e4f9..79944e3fe91c 100644 > --- a/meta-oe/classes/signing.bbclass > +++ b/meta-oe/classes/signing.bbclass > @@ -224,6 +224,12 @@ signing_import_install() { > } > > signing_prepare() { > + export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" > + export OPENSSL_ENGINES="${STAGING_LIBDIR_NATIVE}/engines-3" > + export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/ssl-3/openssl.cnf" > + export SSL_CERT_DIR="${STAGING_LIBDIR_NATIVE}/ssl-3/certs" > + export SSL_CERT_FILE="${STAGING_LIBDIR_NATIVE}/ssl-3/cert.pem" > + > if [ -f ${OPENSSL_CONF} ]; then > echo "Using '${OPENSSL_CONF}' for OpenSSL configuration" > else > @@ -308,9 +314,3 @@ signing_get_module() { > python () { > signing_class_prepare(d) > } > - > -export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" > -export OPENSSL_ENGINES="${STAGING_LIBDIR_NATIVE}/engines-3" > -export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/ssl-3/openssl.cnf" > -export SSL_CERT_DIR="${STAGING_LIBDIR_NATIVE}/ssl-3/certs" > -export SSL_CERT_FILE="${STAGING_LIBDIR_NATIVE}/ssl-3/cert.pem"
diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index 5c74a319e4f9..79944e3fe91c 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -224,6 +224,12 @@ signing_import_install() { } signing_prepare() { + export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" + export OPENSSL_ENGINES="${STAGING_LIBDIR_NATIVE}/engines-3" + export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/ssl-3/openssl.cnf" + export SSL_CERT_DIR="${STAGING_LIBDIR_NATIVE}/ssl-3/certs" + export SSL_CERT_FILE="${STAGING_LIBDIR_NATIVE}/ssl-3/cert.pem" + if [ -f ${OPENSSL_CONF} ]; then echo "Using '${OPENSSL_CONF}' for OpenSSL configuration" else @@ -308,9 +314,3 @@ signing_get_module() { python () { signing_class_prepare(d) } - -export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" -export OPENSSL_ENGINES="${STAGING_LIBDIR_NATIVE}/engines-3" -export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/ssl-3/openssl.cnf" -export SSL_CERT_DIR="${STAGING_LIBDIR_NATIVE}/ssl-3/certs" -export SSL_CERT_FILE="${STAGING_LIBDIR_NATIVE}/ssl-3/cert.pem"
OPENSSL_{MODULES,ENGINES,CONF} and SSL_CERT_{DIR,FILE} are currently exported globally for any recipe that inherits signing. This not only affects the tasks that use the signing infrastructure, but also unrelated tasks like e.g. do_fetch. Avoid this by exporting the variables only for these tasks that actually call signing_prepare. This resolves a breakage I observed on Ubuntu 18.04, where the host tool wget is called with the environment variables set and then fails with a SSL error (exit code 5). Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> --- meta-oe/classes/signing.bbclass | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)