* [PATCH 1/2] lib/oe/package_manager.py (rpm): Signature check is enabled by default
From: Otavio Salvador @ 2017-09-30 18:06 UTC
  To: OpenEmbedded Core Mailing List; +Cc: Otavio Salvador

dnf has GPG signature check enabled by default. It has been confirmed using:

,----
| root@qemux86-64:~# grep gpgcheck /etc/dnf/dnf.conf
| gpgcheck=1
`----

Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
---

 meta/lib/oe/package_manager.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index 658c964277..1501291657 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -549,7 +549,6 @@ class RpmPM(PackageManager):
             return
 
         if self.d.getVar('PACKAGE_FEED_SIGN') == '1':
-            gpg_opts = 'repo_gpgcheck=1\n'
             gpg_opts += 'gpgkey=file://%s/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s-%s\n' % (self.d.getVar('sysconfdir'), self.d.getVar('DISTRO'), self.d.getVar('DISTRO_CODENAME'))
         else:
             gpg_opts = ''
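Review bot: with the `gpg_opts = 'repo_gpgcheck=1\n'` assignment removed, the next line in this branch is `gpg_opts += 'gpgkey=...'`, which has no prior binding of `gpg_opts` (the only remaining assignment is in the `else` branch), so the PACKAGE_FEED_SIGN = '1' path raises UnboundLocalError unless `gpg_opts` is initialised above the shown context. Separately, dropping `repo_gpgcheck=1` leaves dnf at its default of not verifying repository metadata, so the key written by the `gpgkey=` line is never consulted; the `gpgcheck=1` quoted from dnf.conf in the commit message governs per-package signatures, not repodata. Keep the `repo_gpgcheck=1` line; if the goal is to tolerate unsigned feeds, that belongs in the `else` branch.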
-- 
2.14.2




* [PATCH 2/2] lib/oe/package_manager.py (rpm): Allow use of non-signed feeds
From: Otavio Salvador @ 2017-09-30 18:06 UTC
  To: OpenEmbedded Core Mailing List; +Cc: Otavio Salvador

When we wish to use the package feed for local development, it does
not use GPG-signed feeds by default, but dnf does. We need to
configure the GPG signature check out so it works out of the box.

Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
---

 meta/lib/oe/package_manager.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index 1501291657..51870c0609 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -551,7 +551,7 @@ class RpmPM(PackageManager):
         if self.d.getVar('PACKAGE_FEED_SIGN') == '1':
             gpg_opts += 'gpgkey=file://%s/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s-%s\n' % (self.d.getVar('sysconfdir'), self.d.getVar('DISTRO'), self.d.getVar('DISTRO_CODENAME'))
         else:
-            gpg_opts = ''
+            gpg_opts = 'gpgcheck=0\n'
 
         bb.utils.mkdirhier(oe.path.join(self.target_rootfs, "etc", "yum.repos.d"))
         remote_uris = self.construct_uris(feed_uris.split(), feed_base_paths.split())
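Review bot: the new `gpg_opts = 'gpgcheck=0\n'` in the `else` branch keys per-package signature verification off PACKAGE_FEED_SIGN, a setting that concerns repository metadata signing, so a build with package signing enabled (RPM_SIGN_PACKAGES, per the discussion) but feed signing disabled gets package verification switched off in the generated repo file. Drive `gpgcheck=0` from the package-signing variable instead, outside the PACKAGE_FEED_SIGN branch, e.g. `if self.d.getVar('RPM_SIGN_PACKAGES') != '1': gpg_opts += 'gpgcheck=0\n'`, and leave the `else` branch at `gpg_opts = ''`. Note also that this hunk sits on top of 1/2, so the `gpg_opts +=` on the first line of the `if` branch still has no initial assignment.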
-- 
2.14.2




* Re: [PATCH 1/2] lib/oe/package_manager.py (rpm): Signature check is enabled by default
From: Alexander Kanavin @ 2017-10-01  7:36 UTC
  To: Otavio Salvador, OpenEmbedded Core Mailing List

On 09/30/2017 09:06 PM, Otavio Salvador wrote:
> dnf has GPG signature check enabled by default. It has been confirmed using:
> 
> ,----
> | root@qemux86-64:~# grep gpgcheck /etc/dnf/dnf.conf
> | gpgcheck=1
...
>           if self.d.getVar('PACKAGE_FEED_SIGN') == '1':
> -            gpg_opts = 'repo_gpgcheck=1\n'
>               gpg_opts += 'gpgkey=file://%s/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s-%s\n' % (self.d.getVar('sysconfdir'), self.d.getVar('DISTRO'), self.d.getVar('DISTRO_CODENAME'))


NAK both patches, I'm afraid. gpgcheck and repo_gpgcheck are two 
different options, which control different things, and you thoroughly 
confused them here.

Alex



* Re: [PATCH 2/2] lib/oe/package_manager.py (rpm): Allow use of non-signed feeds
From: Alexander Kanavin @ 2017-10-01  7:39 UTC
  To: Otavio Salvador, OpenEmbedded Core Mailing List

On 09/30/2017 09:06 PM, Otavio Salvador wrote:
> When we wish to use the package feed for local development, it does
> not use GPG-signed feeds by default, but dnf does. We need to
> configure the GPG signature check out so it works out of the box.
>> @@ -551,7 +551,7 @@ class RpmPM(PackageManager):
>           if self.d.getVar('PACKAGE_FEED_SIGN') == '1':
>               gpg_opts += 'gpgkey=file://%s/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s-%s\n' % (self.d.getVar('sysconfdir'), self.d.getVar('DISTRO'), self.d.getVar('DISTRO_CODENAME'))
>           else:
> -            gpg_opts = ''
> +            gpg_opts = 'gpgcheck=0\n'
>   

Again, the 'gpgcheck' option has nothing to do with verifying signed package 
feeds. NAK.


Alex



* Re: [PATCH 1/2] lib/oe/package_manager.py (rpm): Signature check is enabled by default
From: Otavio Salvador @ 2017-10-01 22:00 UTC
  To: Alexander Kanavin; +Cc: Otavio Salvador, OpenEmbedded Core Mailing List

On Sun, Oct 1, 2017 at 4:36 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> On 09/30/2017 09:06 PM, Otavio Salvador wrote:
>>
>> dnf has GPG signature check enabled by default. It has been confirmed
>> using:
>>
>> ,----
>> | root@qemux86-64:~# grep gpgcheck /etc/dnf/dnf.conf
>> | gpgcheck=1
>
> ...
>>
>>           if self.d.getVar('PACKAGE_FEED_SIGN') == '1':
>> -            gpg_opts = 'repo_gpgcheck=1\n'
>>               gpg_opts +=
>> 'gpgkey=file://%s/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s-%s\n' %
>> (self.d.getVar('sysconfdir'), self.d.getVar('DISTRO'),
>> self.d.getVar('DISTRO_CODENAME'))
>
>
>
> NAK both patches, I'm afraid. gpgcheck and repo_gpgcheck are two different
> options, which control different things, and you thoroughly confused them
> here.

I did test both patches and this is not what I figured. Did you test it?


-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750



* Re: [PATCH 2/2] lib/oe/package_manager.py (rpm): Allow use of non-signed feeds
From: Otavio Salvador @ 2017-10-01 22:01 UTC
  To: Alexander Kanavin; +Cc: Otavio Salvador, OpenEmbedded Core Mailing List

On Sun, Oct 1, 2017 at 4:39 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> On 09/30/2017 09:06 PM, Otavio Salvador wrote:
>>
>> When we wish to use the package feed for local development, it does
>> not use GPG-signed feeds by default, but dnf does. We need to
>> configure the GPG signature check out so it works out of the box.
>>>
>>> @@ -551,7 +551,7 @@ class RpmPM(PackageManager):
>>
>>           if self.d.getVar('PACKAGE_FEED_SIGN') == '1':
>>               gpg_opts +=
>> 'gpgkey=file://%s/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s-%s\n' %
>> (self.d.getVar('sysconfdir'), self.d.getVar('DISTRO'),
>> self.d.getVar('DISTRO_CODENAME'))
>>           else:
>> -            gpg_opts = ''
>> +            gpg_opts = 'gpgcheck=0\n'
>>
>
>
> Again, the 'gpgcheck' option has nothing to do with verifying signed package
> feeds. NAK.

Oh really? So tell me why it fixed my error?

Without this patch I need to use:

dnf install --nogpgcheck <pkg>

and it is sub-optimal as I did not enable signed support.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750



* Re: [PATCH 1/2] lib/oe/package_manager.py (rpm): Signature check is enabled by default
From: Alexander Kanavin @ 2017-10-02 11:01 UTC
  To: Otavio Salvador; +Cc: Otavio Salvador, OpenEmbedded Core Mailing List

On 10/02/2017 01:00 AM, Otavio Salvador wrote:

>> NAK both patches, I'm afraid. gpgcheck and repo_gpgcheck are two different
>> options, which control different things, and you thoroughly confused them
>> here.
> 
> I did test both patches and this is not what I figured. Did you test it?

>> Again, the 'gpgcheck' option has nothing to do with verifying signed package
>> feeds. NAK.
> 
> Oh really? So tell me why it fixed my error?
> 
> Without this patch I need to use:
> 
> dnf install --nogpgcheck <pkg>
> 
> and it is sub-optimal as I did not enable signed support.


Oe-core has support for two different things:

1. Signing and verifying individual package files. This feature is 
controlled by RPM_SIGN_PACKAGES option in build configuration and dnf's 
gpgcheck config file option at runtime.

2. Signing and verifying repository metadata. This feature is controlled 
by PACKAGE_FEED_SIGN option and repo_gpgcheck config file option 
respectively.

The above two things are completely orthogonal, and can be enabled and 
disabled independently of each other. Now please look at your patches 
keeping this in mind.

I assure you, both of the patches are incorrect. Exactly why is left as 
an exercise for the reader.

Alex



* Re: [PATCH 1/2] lib/oe/package_manager.py (rpm): Signature check is enabled by default
From: Otavio Salvador @ 2017-10-02 13:09 UTC
  To: Alexander Kanavin, Burton, Ross, Richard Purdie
  Cc: Otavio Salvador, OpenEmbedded Core Mailing List

Alexander,

On Mon, Oct 2, 2017 at 8:01 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> On 10/02/2017 01:00 AM, Otavio Salvador wrote:
>
>>> NAK both patches, I'm afraid. gpgcheck and repo_gpgcheck are two
>>> different
>>> options, which control different things, and you thoroughly confused them
>>> here.
>>
>>
>> I did test both patches and this is not what I figured. Did you test it?
>
>
>>> Again, the 'gpgcheck' option has nothing to do with verifying signed package
>>> feeds. NAK.
>>
>>
>> Oh really? So tell me why it fixed my error?
>>
>> Without this patch I need to use:
>>
>> dnf install --nogpgcheck <pkg>
>>
>> and it is sub-optimal as I did not enable signed support.
>
> Oe-core has support for two different things:
>
> 1. Signing and verifying individual package files. This feature is
> controlled by RPM_SIGN_PACKAGES option in build configuration and dnf's
> gpgcheck config file option at runtime.
>
> 2. Signing and verifying repository metadata. This feature is controlled by
> PACKAGE_FEED_SIGN option and repo_gpgcheck config file option respectively.
>
> The above two things are completely orthogonal, and can be enabled and
> disabled independently of each other. Now please look at your patches
> keeping this in mind.
>
> I assure you, both of the patches are incorrect. Exactly why is left as an
> exercise for the reader.

I assure you I did test both patches. I leave it as an exercise for you
to show me what it breaks.

Also, keeping "exercises" for contributors is not something which
helps to gather more contributions. It solved the dnf install
requirement for my test and seems to be the right thing to do. I may
be missing something, but please point it out or give me a test case.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750



* Re: [PATCH 1/2] lib/oe/package_manager.py (rpm): Signature check is enabled by default
From: Alexander Kanavin @ 2017-10-02 13:56 UTC
  To: Otavio Salvador, Burton, Ross, Richard Purdie
  Cc: Otavio Salvador, OpenEmbedded Core Mailing List

On 10/02/2017 04:09 PM, Otavio Salvador wrote:

> I assure you I did test both patches. I leave it as an exercise for you
> to show me what it breaks.
> 
> Also, keeping "exercises" for contributors is not something which
> helps to gather more contributions. It solved the dnf install
> requirement for my test and seems to be the right thing to do. I may
> be missing something, but please point it out or give me a test case.

The first patch is removing the addition of 'repo_gpgcheck=1' option to 
dnf config file when repo feed signing/verification is enabled. Dnf does 
not enable that feature by default, and so the option must be present in 
dnf config file when repo feed signature verification is in use.

The second patch adds 'gpgcheck=0' when repo feed signing is disabled, 
which will also disable package verification at runtime, ignoring the 
altogether different build setting controlling that. As I've already 
explained to you, package signing and feed signing are two different 
things, with their own sets of options.

Test case 1:

- enable feed signing, check that resulting dnf.conf file has feed 
verification (repo_gpgcheck option) enabled

Test case 2:

- enable package signing, disable package feed signing, check that the 
resulting dnf.conf file has package verification enabled.

Both test cases will fail with your patches.

Alex
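The two orthogonal knobs described above, and the two test cases, modelled in code. This is an added example and not OE-core's package_manager.py: the generator functions, the plain dict standing in for the bitbake datastore, the constructed DISTRO/DISTRO_CODENAME values, and the assumption that a repo-section option overrides the [main] value in dnf.conf are all assumptions made here; the image's dnf.conf carrying gpgcheck=1 and repo_gpgcheck defaulting to 0 are taken from the thread.

```python
"""Model of how OE-core's two signing knobs should map onto dnf repo
options, and of what dnf then enforces.  Added example; not OE-core code.
Assumptions: a plain dict in place of the bitbake datastore, hypothetical
function names, constructed DISTRO values, and repo-section options
overriding dnf.conf [main] values."""

import configparser

# From the thread: the image's dnf.conf carries gpgcheck=1, and dnf does not
# verify repository metadata unless repo_gpgcheck=1 is written (default 0).
DNF_MAIN_CONF = {"gpgcheck": "1", "repo_gpgcheck": "0"}

# Constructed stand-ins for the build variables the real code reads via getVar.
BASE_VARS = {"sysconfdir": "/etc", "DISTRO": "poky", "DISTRO_CODENAME": "rocko"}


def _gpgkey_line(d):
    return ("gpgkey=file://%s/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s-%s\n"
            % (d["sysconfdir"], d["DISTRO"], d["DISTRO_CODENAME"]))


def feed_gpg_opts_correct(d):
    """Each build setting drives only its own dnf option (hypothetical helper).

    PACKAGE_FEED_SIGN -> repo_gpgcheck (+ gpgkey): repository metadata.
    RPM_SIGN_PACKAGES -> gpgcheck: individual .rpm signatures.
    """
    opts = ""
    if d.get("PACKAGE_FEED_SIGN") == "1":
        # dnf leaves repo_gpgcheck off by default, so it must be written.
        opts += "repo_gpgcheck=1\n" + _gpgkey_line(d)
    if d.get("RPM_SIGN_PACKAGES") != "1":
        # Unsigned packages: relax per-package verification, and only that.
        opts += "gpgcheck=0\n"
    return opts


def feed_gpg_opts_patch2(d):
    """The else-branch behaviour of the rejected [PATCH 2/2], with the
    repo_gpgcheck=1 line still present: gpgcheck=0 is keyed off the feed
    knob, so package verification disappears whenever the feed is unsigned,
    regardless of RPM_SIGN_PACKAGES."""
    if d.get("PACKAGE_FEED_SIGN") == "1":
        return "repo_gpgcheck=1\n" + _gpgkey_line(d)
    return "gpgcheck=0\n"


def effective_verification(repo_opts, main_conf=DNF_MAIN_CONF):
    """Return (package_check, repo_metadata_check) as dnf would enforce them:
    a repo-section value wins, otherwise the [main] value applies."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[feed]\n" + repo_opts)
    sec = cp["feed"]
    pkg_check = sec.get("gpgcheck", main_conf["gpgcheck"]) == "1"
    repo_check = sec.get("repo_gpgcheck", main_conf["repo_gpgcheck"]) == "1"
    return pkg_check, repo_check


def run_alex_test_cases(generator):
    """The two test cases from the thread, as {name: passed}."""
    results = {}
    # Test case 1: feed signing enabled -> repodata verification enabled.
    d1 = dict(BASE_VARS, PACKAGE_FEED_SIGN="1", RPM_SIGN_PACKAGES="1")
    _, repo_on = effective_verification(generator(d1))
    results["feed_signed_is_verified"] = repo_on
    # Test case 2: package signing on, feed signing off -> package
    # verification must survive.
    d2 = dict(BASE_VARS, PACKAGE_FEED_SIGN="0", RPM_SIGN_PACKAGES="1")
    pkg_on, _ = effective_verification(generator(d2))
    results["pkg_check_survives_unsigned_feed"] = pkg_on
    return results


if __name__ == "__main__":
    for name, gen in (("correct", feed_gpg_opts_correct),
                      ("patch 2/2", feed_gpg_opts_patch2)):
        print(name, run_alex_test_cases(gen))
```

Run against `feed_gpg_opts_correct` both cases pass; against `feed_gpg_opts_patch2` the second case fails, which is the regression named in the message above: per-package verification disabled by a setting that only concerns the feed.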



* Re: [PATCH 1/2] lib/oe/package_manager.py (rpm): Signature check is enabled by default
From: Otavio Salvador @ 2017-10-02 14:19 UTC
  To: Alexander Kanavin; +Cc: Otavio Salvador, OpenEmbedded Core Mailing List

On Mon, Oct 2, 2017 at 10:56 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> On 10/02/2017 04:09 PM, Otavio Salvador wrote:
>
>> I assure you I did test both patches. I leave it as an exercise for you
>> to show me what it breaks.
>>
>> Also, keeping "exercises" for contributors is not something which
>> helps to gather more contributions. It solved the dnf install
>> requirement for my test and seems to be the right thing to do. I may
>> be missing something, but please point it out or give me a test case.
>
>
> The first patch is removing the addition of 'repo_gpgcheck=1' option to dnf
> config file when repo feed signing/verification is enabled. Dnf does not
> enable that feature by default, and so the option must be present in dnf
> config file when repo feed signature verification is in use.
>
> The second patch adds 'gpgcheck=0' when repo feed signing is disabled, which
> will also disable package verification at runtime, ignoring the altogether
> different build setting controlling that. As I've already explained to you,
> package signing and feed signing are two different things, with their own
> sets of options.
>
> Test case 1:
>
> - enable feed signing, check that resulting dnf.conf file has feed
> verification (repo_gpgcheck option) enabled
>
> Test case 2:
>
> - enable package signing, disable package feed signing, check that the
> resulting dnf.conf file has package verification enabled.
>
> Both test cases will fail with your patches.

I sent a v2 making it clear it disabled package signature check. It
works for my test case. I dropped the repo_gpgcheck removal patch.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750



* Re: [PATCH 2/2] lib/oe/package_manager.py (rpm): Allow use of non-signed feeds
From: Neal Gompa @ 2017-11-06  5:04 UTC
  To: Otavio Salvador; +Cc: Otavio Salvador, OpenEmbedded Core Mailing List

On Sun, Oct 1, 2017 at 6:01 PM, Otavio Salvador
<otavio.salvador@ossystems.com.br> wrote:
> On Sun, Oct 1, 2017 at 4:39 AM, Alexander Kanavin
> <alexander.kanavin@linux.intel.com> wrote:
>> On 09/30/2017 09:06 PM, Otavio Salvador wrote:
>>>
>>> When we wish to use the package feed for local development, it does
>>> not use GPG-signed feeds by default, but dnf does. We need to
>>> configure the GPG signature check out so it works out of the box.
>>>>
>>>> @@ -551,7 +551,7 @@ class RpmPM(PackageManager):
>>>
>>>           if self.d.getVar('PACKAGE_FEED_SIGN') == '1':
>>>               gpg_opts +=
>>> 'gpgkey=file://%s/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s-%s\n' %
>>> (self.d.getVar('sysconfdir'), self.d.getVar('DISTRO'),
>>> self.d.getVar('DISTRO_CODENAME'))
>>>           else:
>>> -            gpg_opts = ''
>>> +            gpg_opts = 'gpgcheck=0\n'
>>>
>>
>>
>> Again, the 'gpgcheck' option has nothing to do with verifying signed package
>> feeds. NAK.
>
> Oh really? So tell me why it fixed my error?
>
> Without this patch I need to use:
>
> dnf install --nogpgcheck <pkg>
>
> and it is sub-optimal as I did not enable signed support.
>

This logic is kind of dumb, but basically, this is how this works:

gpgcheck - controls pkg_gpgcheck and repo_gpgcheck. With gpgcheck=1,
DNF defaults to pkg_gpgcheck=1 and repo_gpgcheck=0, but if gpgcheck=0,
repo_gpgcheck is forced off.
pkg_gpgcheck (not currently working)
repo_gpgcheck - enable repo_gpgcheck, this defaults to 0 (thus, disabled)

At some point, this needs to be fixed in libdnf and dnf so that the
options are saner...



-- 
真実はいつも一つ!/ Always, there's only one truth!



* Re: [PATCH 2/2] lib/oe/package_manager.py (rpm): Allow use of non-signed feeds
From: Alexander Kanavin @ 2017-11-06 11:24 UTC
  To: Neal Gompa
  Cc: Otavio Salvador, Otavio Salvador, OpenEmbedded Core Mailing List

On 11/06/2017 07:04 AM, Neal Gompa wrote:

> This logic is kind of dumb, but basically, this is how this works:
> 
> gpgcheck - controls pkg_gpgcheck and repo_gpgcheck. With gpgcheck=1,
> DNF defaults to pkg_gpgcheck=1 and repo_gpgcheck=0, but if gpgcheck=0,
> repo_gpgcheck is forced off.
> pkg_gpgcheck (not currently working)
> repo_gpgcheck - enable repo_gpgcheck, this defaults to 0 (thus, disabled)
> 
> At some point, this needs to be fixed in libdnf and dnf so that the
> options are saner...

Dnf documentation claims otherwise: gpgcheck is for package signing and 
repo_gpgcheck is for feed signing, one is not dependent on the other.

I looked at the code, and couldn't find any spot where one overrides or 
controls the other. Can you point it out please? Until then, I think the 
current code is correct.

Alex


