From patchwork Sun Apr 3 19:50:44 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ferry Toth X-Patchwork-Id: 6198 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C52F7C43219 for ; Mon, 4 Apr 2022 18:46:43 +0000 (UTC) Received: from mailfilter05-out31.webhostingserver.nl (mailfilter05-out31.webhostingserver.nl [141.138.168.205]) by mx.groups.io with SMTP id smtpd.web08.26720.1649015468667037948 for ; Sun, 03 Apr 2022 12:51:09 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=softfail (domain: gmail.com, ip: 141.138.168.205, mailfrom: fntoth@gmail.com) X-Halon-ID: 663bdfbb-b387-11ec-a6ae-001a4a4cb933 Received: from s198.webhostingserver.nl (s198.webhostingserver.nl [141.138.168.154]) by mailfilter05.webhostingserver.nl (Halon) with ESMTPSA id 663bdfbb-b387-11ec-a6ae-001a4a4cb933; Sun, 03 Apr 2022 21:51:05 +0200 (CEST) Received: from [2a02:a466:68ed:1:a97:eb0e:d916:69ac] (helo=delfion.fritz.box) by s198.webhostingserver.nl with esmtpa (Exim 4.94.2) (envelope-from ) id 1nb6Fd-009Srb-Ia; Sun, 03 Apr 2022 21:51:05 +0200 From: Ferry Toth To: openembedded-core@lists.openembedded.org Cc: Richard Purdie , Xavier Berger , Alexander Kanavin , Ferry Toth Subject: [PATCH v2 1/3] gpg-sign: Add parameters to gpg signature function Date: Sun, 3 Apr 2022 21:50:44 +0200 Message-Id: <20220403195046.7060-3-fntoth@gmail.com> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220403195046.7060-1-fntoth@gmail.com> References: <20220403195046.7060-1-fntoth@gmail.com> MIME-Version: 1.0 X-Antivirus-Scanner: Clean mail though you should still use an Antivirus List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 04 Apr 2022 18:46:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/163969 From: Xavier Berger output_suffix: If defined, add output_suffix as file name extension. use_sha256: If True, use sha256 for gpg as digest algorithm Signed-off-by: Xavier Berger Signed-off-by: Ferry Toth --- meta/lib/oe/gpg_sign.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py index 1bce6cb792..aa9bb49f2c 100644 --- a/meta/lib/oe/gpg_sign.py +++ b/meta/lib/oe/gpg_sign.py @@ -58,7 +58,7 @@ class LocalSigner(object): for i in range(0, len(files), sign_chunk): subprocess.check_output(shlex.split(cmd + ' '.join(files[i:i+sign_chunk])), stderr=subprocess.STDOUT) - def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True): + def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True, output_suffix=None, use_sha256=False): """Create a detached signature of a file""" if passphrase_file and passphrase: @@ -71,6 +71,10 @@ class LocalSigner(object): cmd += ['--homedir', self.gpg_path] if armor: cmd += ['--armor'] + if output_suffix: + cmd += ['-o', input_file + "." + output_suffix] + if use_sha256: + cmd += ['--digest-algo', "SHA256"] #gpg > 2.1 supports password pipes only through the loopback interface #gpg < 2.1 errors out if given unknown parameters From patchwork Sun Apr 3 19:50:45 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ferry Toth X-Patchwork-Id: 6197 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4EB84C48BE6 for ; Mon, 4 Apr 2022 18:46:43 +0000 (UTC) Received: from mailfilter02-out31.webhostingserver.nl (mailfilter02-out31.webhostingserver.nl [141.138.168.75]) by mx.groups.io with SMTP id smtpd.web09.26554.1649015472638609662 for ; Sun, 03 Apr 2022 12:51:13 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=softfail (domain: gmail.com, ip: 141.138.168.75, mailfrom: fntoth@gmail.com) X-Halon-ID: 68c03ff5-b387-11ec-8db1-001a4a4cb922 Received: from s198.webhostingserver.nl (s198.webhostingserver.nl [141.138.168.154]) by mailfilter02.webhostingserver.nl (Halon) with ESMTPSA id 68c03ff5-b387-11ec-8db1-001a4a4cb922; Sun, 03 Apr 2022 21:51:10 +0200 (CEST) Received: from [2a02:a466:68ed:1:a97:eb0e:d916:69ac] (helo=delfion.fritz.box) by s198.webhostingserver.nl with esmtpa (Exim 4.94.2) (envelope-from ) id 1nb6Fh-009Srb-OM; Sun, 03 Apr 2022 21:51:09 +0200 From: Ferry Toth To: openembedded-core@lists.openembedded.org Cc: Richard Purdie , Xavier Berger , Alexander Kanavin , Ferry Toth Subject: [PATCH v2 2/3] package_manager: sign DEB package feeds Date: Sun, 3 Apr 2022 21:50:45 +0200 Message-Id: <20220403195046.7060-4-fntoth@gmail.com> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220403195046.7060-1-fntoth@gmail.com> References: <20220403195046.7060-1-fntoth@gmail.com> MIME-Version: 1.0 X-Antivirus-Scanner: Clean mail though you should still use an Antivirus List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 04 Apr 2022 18:46:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/163970 From: Ferry Toth Implement debian package repository signature. For each Release file created in repository subdirectory, a signature Release.gpg is created. Signature is performed using gpg backend when the following variables are set in local.conf: PACKAGE_CLASSES += "sign_package_feed" PACKAGE_FEED_GPG_NAME = "" PACKAGE_FEED_GPG_PASSPHRASE_FILE="" Signed-off-by: Xavier Berger Signed-off-by: Ferry Toth --- meta/lib/oe/package_manager/deb/__init__.py | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/meta/lib/oe/package_manager/deb/__init__.py b/meta/lib/oe/package_manager/deb/__init__.py index 9f112ae25b..86ddb130ad 100644 --- a/meta/lib/oe/package_manager/deb/__init__.py +++ b/meta/lib/oe/package_manager/deb/__init__.py @@ -53,6 +53,7 @@ class DpkgIndexer(Indexer): index_cmds = [] deb_dirs_found = False + index_sign_files = set() for arch in arch_list: arch_dir = os.path.join(self.deploy_dir, arch) if not os.path.isdir(arch_dir): @@ -62,7 +63,10 @@ class DpkgIndexer(Indexer): cmd += "%s -fcn Packages > Packages.gz;" % gzip - with open(os.path.join(arch_dir, "Release"), "w+") as release: + release_file = os.path.join(arch_dir, "Release") + index_sign_files.add(release_file) + + with open(release_file, "w+") as release: release.write("Label: %s\n" % arch) cmd += "PSEUDO_UNLOAD=1 %s release . >> Release" % apt_ftparchive @@ -76,8 +80,17 @@ class DpkgIndexer(Indexer): return oe.utils.multiprocess_launch(create_index, index_cmds, self.d) - if self.d.getVar('PACKAGE_FEED_SIGN') == '1': - raise NotImplementedError('Package feed signing not implementd for dpkg') + if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1': + signer = get_signer(self.d, self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True)) + else: + signer = None + if signer: + for f in index_sign_files: + signer.detach_sign(f, + self.d.getVar('PACKAGE_FEED_GPG_NAME', True), + self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True), + output_suffix="gpg", + use_sha256=True) class PMPkgsList(PkgsList): From patchwork Sun Apr 3 19:50:46 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ferry Toth X-Patchwork-Id: 14202 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org From: "Ferry Toth" Subject: [PATCH v2 3/3] apt: add apt selftest to test signed package feeds Date: Sun, 3 Apr 2022 21:50:46 +0200 Message-Id: <20220403195046.7060-5-fntoth@gmail.com> In-Reply-To: <20220403195046.7060-1-fntoth@gmail.com> References: <20220403195046.7060-1-fntoth@gmail.com> MIME-Version: 1.0 List-id: To: openembedded-core@lists.openembedded.org Cc: Richard Purdie , Xavier Berger , Alexander Kanavin , Ferry Toth From: Ferry Toth Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default. Currently when building images this requirement is worked around by using [allow-insecure=yes] and equivalently when performing selftest. Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign DEB package feeds" enable signed DEB package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package management. To be able to install the key the gnupg package is added to the testimage. Signed-off-by: Ferry Toth --- meta/lib/oeqa/runtime/cases/apt.py | 16 ++++++--- meta/lib/oeqa/selftest/cases/runtime_test.py | 38 ++++++++++++++++++++ 2 files changed, 49 insertions(+), 5 deletions(-) diff --git a/meta/lib/oeqa/runtime/cases/apt.py b/meta/lib/oeqa/runtime/cases/apt.py index 53745df93f..49f8714730 100644 --- a/meta/lib/oeqa/runtime/cases/apt.py +++ b/meta/lib/oeqa/runtime/cases/apt.py @@ -21,7 +21,7 @@ class AptRepoTest(AptTest): @classmethod def setUpClass(cls): - service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], 'all') + service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], '') cls.repo_server = HTTPService(service_repo, '0.0.0.0', port=cls.tc.target.server_port, logger=cls.tc.logger) @@ -32,13 +32,18 @@ class AptRepoTest(AptTest): cls.repo_server.stop() def setup_source_config_for_package_install(self): - apt_get_source_server = 'http://%s:%s/' % (self.tc.target.server_ip, self.repo_server.port) + apt_get_source_server = 'http:\/\/%s:%s' % (self.tc.target.server_ip, self.repo_server.port) apt_get_sourceslist_dir = '/etc/apt/' - self.target.run('cd %s; echo deb [ allow-insecure=yes ] %s ./ > sources.list' % (apt_get_sourceslist_dir, apt_get_source_server)) + self.target.run("cd %s; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/%s/g' sources.list" % (apt_get_sourceslist_dir, apt_get_source_server)) def cleanup_source_config_for_package_install(self): apt_get_sourceslist_dir = '/etc/apt/' - self.target.run('cd %s; rm sources.list' % (apt_get_sourceslist_dir)) + self.target.run('cd %s; mv sources.list.bak sources.list' % (apt_get_sourceslist_dir)) + + def setup_key(self): + # the key is found on the target /etc/pki/packagefeed-gpg/ + # named PACKAGEFEED-GPG-KEY-poky-branch + self.target.run('cd %s; apt-key add P*' % ('/etc/pki/packagefeed-gpg')) @skipIfNotFeature('package-management', 'Test requires package-management to be in IMAGE_FEATURES') @@ -47,7 +52,8 @@ class AptRepoTest(AptTest): @OEHasPackage(['apt']) def test_apt_install_from_repo(self): self.setup_source_config_for_package_install() + self.setup_key() self.pkg('update') self.pkg('remove --yes run-postinsts-dev') - self.pkg('install --yes --allow-unauthenticated run-postinsts-dev') + self.pkg('install --yes run-postinsts-dev') self.cleanup_source_config_for_package_install() diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py index 642f0eb637..7a75b95a99 100644 --- a/meta/lib/oeqa/selftest/cases/runtime_test.py +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py @@ -162,6 +162,44 @@ class TestImage(OESelftestTestCase): bitbake('core-image-full-cmdline socat') bitbake('-c testimage core-image-full-cmdline') + def test_testimage_apt(self): + """ + Summary: Check package feeds functionality for apt + Expected: 1. Check that remote package feeds can be accessed + Product: oe-core + Author: Ferry Toth + """ + if get_bb_var('DISTRO') == 'poky-tiny': + self.skipTest('core-image-full-cmdline not buildable for poky-tiny') + + features = 'INHERIT += "testimage"\n' + features += 'TEST_SUITES = "ping ssh apt.AptRepoTest.test_apt_install_from_repo"\n' + # We don't yet know what the server ip and port will be - they will be patched + # in at the start of the on-image test + features += 'PACKAGE_FEED_URIS = "http://bogus_ip:bogus_port"\n' + features += 'EXTRA_IMAGE_FEATURES += "package-management"\n' + features += 'PACKAGE_CLASSES = "package_deb"\n' + # We need gnupg on the target to install keys + features += 'IMAGE_INSTALL:append:pn-core-image-full-cmdline = " gnupg"\n' + + bitbake('gnupg-native -c addto_recipe_sysroot') + + # Enable package feed signing + self.gpg_home = tempfile.mkdtemp(prefix="oeqa-feed-sign-") + self.track_for_cleanup(self.gpg_home) + signing_key_dir = os.path.join(self.testlayer_path, 'files', 'signing') + runCmd('gpgconf --list-dirs --homedir %s; gpg -v --batch --homedir %s --import %s' % (self.gpg_home, self.gpg_home, os.path.join(signing_key_dir, 'key.secret')), native_sysroot=get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native"), shell=True) + features += 'INHERIT += "sign_package_feed"\n' + features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n' + features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % os.path.join(signing_key_dir, 'key.passphrase') + features += 'GPG_PATH = "%s"\n' % self.gpg_home + features += 'PSEUDO_IGNORE_PATHS .= ",%s"\n' % self.gpg_home + self.write_config(features) + + # Build core-image-sato and testimage + bitbake('core-image-full-cmdline socat') + bitbake('-c testimage core-image-full-cmdline') + def test_testimage_virgl_gtk_sdl(self): """ Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk and SDL frontends