* Signed RPMs
@ 2016-02-04 21:57 Chris Trobridge
2016-02-05 8:00 ` Markus Lehtonen
0 siblings, 1 reply; 4+ messages in thread
From: Chris Trobridge @ 2016-02-04 21:57 UTC (permalink / raw)
To: yocto
[-- Attachment #1: Type: text/plain, Size: 3872 bytes --]
Hi,
I have been testing out the facility for generating signed RPMs.
It's currently failing to find 'build/tmp/sysroots/x86_64-linux/etc/RPM-GPG-PUBKEY', log listed at end.
I couldn't find a lot of documentation but from what I could find, I added the following to local.conf:
INHERIT += " sign_rpm"RPM_GPG_NAME = "chris"RPM_GPG_PUBKEY = "/home/chris/mykey.pub"RPM_GPG_PASSPHRASE_FILE = "/home/chris/mypassphrase"
It needed 'python-pexpect' installing (fedora 22) to run at all but after that it worked to an extent as I had to correct the stored passphrase to correct other errors.
At this stage of the build there is very little in 'build/tmp/sysroots/x86_64-linux/etc/' (just quilt related) but I also find it curious that it is looking for the variable name rather than it value.
Now I was following the the Aug patch notes "'RPM_GPG_PUBKEY = "<path_to_pubkey>" in bitbake config pointing to the public key (in "armor" format).".
Since then there was a patch "Automatically export public keys used for package(feed) signing" that obsoletes RPM_GPG_PUBKEY (and overwrites it) but I'm still not clear how/where to put the public key so it will end up in the staging directory. Also, 'package_manager.py' copies the file named by RPM_GPG_PUBKEY to the location os.path.join(self.deploy_dir, 'RPM-GPG-KEY-%s' % distro_version). I presume this copies from the staging directory to the deployment directory.
So what I would like to know is where to put the RPM GPG public key so that it gets copied to the staging directory?
For the time being, I have copied it in by hand.
Thanks,Chris
Summary: 1 task failed:poky/meta/recipes-core/os-release/os-release.bb, do_compile
DEBUG: Executing python function do_compileERROR: Error executing a python function in /home/chris/yocto/poky/meta/recipes-core/os-release/os-release.bb:
The stack trace of python calls that resulted in this exception/failure was:File: '/home/chris/yocto/poky/meta/recipes-core/os-release/os-release.bb', lineno: 16, function: <module> 0012: distro_version = d.getVar('DISTRO_VERSION', True) or "oe.0" 0013: shutil.copy2(rpm_gpg_pubkey, d.expand('/home/chris/yocto/build/tmp/work/all-poky-linux/os-release/1.0-r0/os-release-1.0/rpm-gpg/RPM-GPG-KEY-%s' % distro_version)) 0014: 0015: *** 0016:do_compile(d) 0017:File: '/home/chris/yocto/poky/meta/recipes-core/os-release/os-release.bb', lineno: 13, function: do_compile 0009:do_fetch[noexec] = "1" 0010:do_unpack[noexec] = "1" 0011:do_patch[noexec] = "1" 0012:do_configure[noexec] = "1" *** 0013: 0014:# Other valid fields: BUILD_ID ID_LIKE ANSI_COLOR CPE_NAME 0015:# HOME_URL SUPPORT_URL BUG_REPORT_URL 0016:OS_RELEASE_FIELDS = "ID ID_LIKE NAME VERSION VERSION_ID PRETTY_NAME" 0017:File: '/usr/lib64/python2.7/shutil.py', lineno: 130, function: copy2 0126: 0127: """ 0128: if os.path.isdir(dst): 0129: dst = os.path.join(dst, os.path.basename(src)) *** 0130: copyfile(src, dst) 0131: copystat(src, dst) 0132: 0133:def ignore_patterns(*patterns): 0134: """Function that can be used as copytree() ignore parameter.File: '/usr/lib64/python2.7/shutil.py', lineno: 82, function: copyfile 0078: # XXX What about other special files? (sockets, devices...) 0079: if stat.S_ISFIFO(st.st_mode): 0080: raise SpecialFileError("`%s` is a named pipe" % fn) 0081: *** 0082: with open(src, 'rb') as fsrc: 0083: with open(dst, 'wb') as fdst: 0084: copyfileobj(fsrc, fdst) 0085: 0086:def copymode(src, dst):Exception: IOError: [Errno 2] No such file or directory: '/home/chris/yocto/build/tmp/sysroots/x86_64-linux/etc/RPM-GPG-PUBKEY'
DEBUG: Python function do_compile finishedERROR: Function failed: do_compile
[-- Attachment #2: Type: text/html, Size: 6360 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Signed RPMs
2016-02-04 21:57 Signed RPMs Chris Trobridge
@ 2016-02-05 8:00 ` Markus Lehtonen
2016-02-05 9:15 ` Chris Trobridge
0 siblings, 1 reply; 4+ messages in thread
From: Markus Lehtonen @ 2016-02-05 8:00 UTC (permalink / raw)
To: Chris Trobridge, yocto
Hi Chris,
On 04/02/16 23:57, "Chris Trobridge" <yocto-bounces@yoctoproject.org on behalf of christrobridge@hotmail.com> wrote:
>Hi,
>I have been testing out the facility for generating signed RPMs.
>
>It's currently failing to find 'build/tmp/sysroots/x86_64-linux/etc/RPM-GPG-PUBKEY', log listed at end.
>
>I couldn't find a lot of documentation but from what I could find, I added the following to local.conf:
Unfortunately the documentation is rather scarce. The header of 'meta/classes/sign_rpm.bbclass' lists everything needed.
>INHERIT += " sign_rpm"
>RPM_GPG_NAME = "chris"
>RPM_GPG_PUBKEY = "/home/chris/mykey.pub"
>RPM_GPG_PASSPHRASE_FILE = "/home/chris/mypassphrase"
The "RPM_GPG_PUBKEY" setting is not used anymore as automatic exporting of the public key was enabled a while ago.
>It needed 'python-pexpect' installing (fedora 22) to run at all but after that it worked to an extent as I had to correct the stored passphrase to correct other errors.
Thanks for pointing that out. That should be added as a sanity check.
>At this stage of the build there is very little in 'build/tmp/sysroots/x86_64-linux/etc/' (just quilt related) but I also find it curious that it is looking for the variable name rather than it value.
>
>Now I was following the the Aug patch notes "'RPM_GPG_PUBKEY = "<path_to_pubkey>" in bitbake config pointing to the public key (in "armor" format).".
>
>Since then there was a patch "Automatically export public keys used for package(feed) signing" that obsoletes RPM_GPG_PUBKEY (and overwrites it) but I'm still not clear how/where to put the public key so it will end up in the staging directory. Also, 'package_manager.py' copies the file named by RPM_GPG_PUBKEY to the location os.path.join(self.deploy_dir, 'RPM-GPG-KEY-%s' % distro_version). I presume this copies from the staging directory to the deployment directory.
As said above, the "RPM_GPG_PUBKEY" setting in local.conf is obsolete (instead, it is set behind the scenes by sign_rpm.bbclass). You do not need to have the public key available in a file anywhere. It is exported (from gpg) to the sysroot by meta/recipes-core/meta/signing-keys.bb recipe. All recipes/tasks utilizing the pubkey(s) should depend on signing-keys.bb.
>So what I would like to know is where to put the RPM GPG public key so that it gets copied to the staging directory?
You do not need to put it anywhere.
>For the time being, I have copied it in by hand.
That really should not be needed. What version of poky are you using? I was not able to reproduce your problem. Try building signing-keys, does it copy the pubkey to the correct place?
Cheers,
Markus
>Thanks,
>
>Chris
>
>Summary: 1 task failed:
>poky/meta/recipes-core/os-release/os-release.bb, do_compile
>
>
>DEBUG: Executing python function do_compile
>ERROR: Error executing a python function in /home/chris/yocto/poky/meta/recipes-core/os-release/os-release.bb:
>
>The stack trace of python calls that resulted in this exception/failure was:
>File: '/home/chris/yocto/poky/meta/recipes-core/os-release/os-release.bb', lineno: 16, function: <module>
> 0012: distro_version = d.getVar('DISTRO_VERSION', True) or "oe.0"
> 0013: shutil.copy2(rpm_gpg_pubkey, d.expand('/home/chris/yocto/build/tmp/work/all-poky-linux/os-release/1.0-r0/os-release-1.0/rpm-gpg/RPM-GPG-KEY-%s' % distro_version))
> 0014:
> 0015:
> *** 0016:do_compile(d)
> 0017:
>File: '/home/chris/yocto/poky/meta/recipes-core/os-release/os-release.bb', lineno: 13, function: do_compile
> 0009:do_fetch[noexec] = "1"
> 0010:do_unpack[noexec] = "1"
> 0011:do_patch[noexec] = "1"
> 0012:do_configure[noexec] = "1"
> *** 0013:
> 0014:# Other valid fields: BUILD_ID ID_LIKE ANSI_COLOR CPE_NAME
> 0015:# HOME_URL SUPPORT_URL BUG_REPORT_URL
> 0016:OS_RELEASE_FIELDS = "ID ID_LIKE NAME VERSION VERSION_ID PRETTY_NAME"
> 0017:
>File: '/usr/lib64/python2.7/shutil.py', lineno: 130, function: copy2
> 0126:
> 0127: """
> 0128: if os.path.isdir(dst):
> 0129: dst = os.path.join(dst, os.path.basename(src))
> *** 0130: copyfile(src, dst)
> 0131: copystat(src, dst)
> 0132:
> 0133:def ignore_patterns(*patterns):
> 0134: """Function that can be used as copytree() ignore parameter.
>File: '/usr/lib64/python2.7/shutil.py', lineno: 82, function: copyfile
> 0078: # XXX What about other special files? (sockets, devices...)
> 0079: if stat.S_ISFIFO(st.st_mode):
> 0080: raise SpecialFileError("`%s` is a named pipe" % fn)
> 0081:
> *** 0082: with open(src, 'rb') as fsrc:
> 0083: with open(dst, 'wb') as fdst:
> 0084: copyfileobj(fsrc, fdst)
> 0085:
> 0086:def copymode(src, dst):
>Exception: IOError: [Errno 2] No such file or directory: '/home/chris/yocto/build/tmp/sysroots/x86_64-linux/etc/RPM-GPG-PUBKEY'
>
>DEBUG: Python function do_compile finished
>ERROR: Function failed: do_compile
>
>
>
>--
>_______________________________________________
>yocto mailing list
>yocto@yoctoproject.org
>https://lists.yoctoproject.org/listinfo/yocto
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Signed RPMs
2016-02-05 8:00 ` Markus Lehtonen
@ 2016-02-05 9:15 ` Chris Trobridge
2016-02-05 10:53 ` Markus Lehtonen
0 siblings, 1 reply; 4+ messages in thread
From: Chris Trobridge @ 2016-02-05 9:15 UTC (permalink / raw)
To: Markus Lehtonen, yocto
[-- Attachment #1: Type: text/plain, Size: 1028 bytes --]
> Date: Fri, 5 Feb 2016 10:00:50 +0200
> Subject: Re: [yocto] Signed RPMs
> From: markus.lehtonen@linux.intel.com
> To: christrobridge@hotmail.com; yocto@yoctoproject.org
>
> Hi Chris,
>
> ...
>
> That really should not be needed. What version of poky are you using? I was not able to reproduce your problem. Try building signing-keys, does it copy the pubkey to the correct place?>
This could well be the issue - I need gobject introspection so I am using poky-contrib ("akanavin/gobject-introspection-experimental:7145f5b9dbd84a26fe4b5ee6ab9077b1ff1ee3a5").
I got another error later building the rootfs that mentioned not finding DSA. It may be related to not having a suitable poky, but also I am using an ECDSA key pair generated with gpg2.
I have cloned a fresh poky (main) instance, switched to a DSA signing key and built the signing-keys target from that fine, with the RPM-GPG-PUBKEY in sysroots. So I will bear this in mind in future.
> Cheers,
> Markus
>
Cheers,Chris
[-- Attachment #2: Type: text/html, Size: 1736 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Signed RPMs
2016-02-05 9:15 ` Chris Trobridge
@ 2016-02-05 10:53 ` Markus Lehtonen
0 siblings, 0 replies; 4+ messages in thread
From: Markus Lehtonen @ 2016-02-05 10:53 UTC (permalink / raw)
To: Chris Trobridge, yocto
On 05/02/16 11:15, "Chris Trobridge" <christrobridge@hotmail.com> wrote:
>> Date: Fri, 5 Feb 2016 10:00:50 +0200
>> Subject: Re: [yocto] Signed RPMs
>> From: markus.lehtonen@linux.intel.com
>> To: christrobridge@hotmail.com; yocto@yoctoproject.org
>>
>> Hi Chris,
>>
>> ...
>>
>> That really should not be needed. What version of poky are you using? I was not able to reproduce your problem. Try building signing-keys, does it copy the pubkey to the correct place?
>>
>
>
>This could well be the issue - I need gobject introspection so I am using poky-contrib ("akanavin/gobject-introspection-experimental:7145f5b9dbd84a26fe4b5ee6ab9077b1ff1ee3a5").
OK, that is probably the reason. There were at least some dependency problems in the signing feature which were fixed not that long ago.
>I got another error later building the rootfs that mentioned not finding DSA. It may be related to not having a suitable poky, but also I am using an ECDSA key pair generated with gpg2.
I haven't tried signing with ECDSA keys. I've been using too old gpg for that. I probably have to test this, too.
>I have cloned a fresh poky (main) instance, switched to a DSA signing key and built the signing-keys target from that fine, with the RPM-GPG-PUBKEY in sysroots. So I will bear this in mind in future.
Good. Let us know if you have some further issues.
Thanks,
Markus
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-02-05 10:53 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-02-04 21:57 Signed RPMs Chris Trobridge
2016-02-05 8:00 ` Markus Lehtonen
2016-02-05 9:15 ` Chris Trobridge
2016-02-05 10:53 ` Markus Lehtonen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.