From: "Alexandre Belloni" <alexandre.belloni@bootlin.com>
To: Ferry Toth <fntoth@gmail.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>,
	openembedded-core@lists.openembedded.org,
	Xavier Berger <xavier.berger@biologic.net>,
	Alexander Kanavin <alex@linutronix.de>
Subject: Re: [OE-core] [PATCH v3 1/1] apt: add apt selftest to test signed package feeds
Date: Wed, 13 Apr 2022 00:34:57 +0200
Message-ID: <YlX+kXROqKZgyaUI@mail.local>
In-Reply-To: <3993add1-31c5-0c2d-88ae-e4f11dfb3859@gmail.com>

On 13/04/2022 00:20:40+0200, Ferry Toth wrote:
> Hi,
> 
> On 12-04-2022 at 23:51, Richard Purdie wrote:
> > On Tue, 2022-04-12 at 23:48 +0200, Alexandre Belloni wrote:
> > > On 12/04/2022 23:32:49+0200, Ferry Toth wrote:
> > > > Hi
> > > > 
> > > > On 12-04-2022 at 16:16, Alexandre Belloni wrote:
> > > > > Hello,
> > > > > 
> > > > > On 11/04/2022 22:50:36+0200, Ferry Toth wrote:
> > > > > > From: Ferry Toth <ftoth@exalondelft.nl>
> > > > > > 
> > > > > > Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default.
> > > > > > Currently when building images this requirement is worked around by using [allow-insecure=yes] and
> > > > > > equivalently when performing selftest.
> > > > > > 
> > > > > > Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign DEB package feeds"
> > > > > > enable signed DEB package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf
> > > > > > test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package
> > > > > > management. To be able to install the key the gnupg package is added to the testimage.
> > > > > > 
> > > > > 
> > > > > This went through the autobuilders and it seems this still fails:
> > > > 
> > > > That is disappointing.
> > > > 
> > > > > https://autobuilder.yoctoproject.org/typhoon/#/builders/87/builds/3437/steps/15/logs/stdio
> > > > > 
> > > > > ERROR: package-index-1.0-r0 do_package_index: Could not get gpg version: Command '['/home/pokybuild/yocto-worker/oe-selftest-ubuntu/build/build-st-34525/tmp/hosttools/gpg', '--agent-program=/home/pokybuild/yocto-worker/oe-selftest-ubuntu/build/build-st-34525/tmp/hosttools/gpg-agent|--auto-expand-secmem', '--version', '--no-permission-warning']' returned non-zero exit status 2.
> > > > > ERROR: Logfile of failure stored in: /home/pokybuild/yocto-worker/oe-selftest-ubuntu/build/build-st-34525/tmp/work/core2-64-poky-linux/package-index/1.0-r0/temp/log.do_package_index.53841
> > > > > NOTE: recipe package-index-1.0-r0: task do_package_index: Failed
> > > > 
> > > > In fact package_index is failing, which is outside this patch code.
> > > > 
> > > > > ERROR: Task (/home/pokybuild/yocto-worker/oe-selftest-ubuntu/build/meta/recipes-core/meta/package-index.bb:do_package_index) failed with exit code '1'
> > > > > 
> > > > > This was ubuntu 16.04 so maybe gpg on the distro is too old (1.4.20) but
> > > > > I'm not sure as I think you are using gnupg-native.
> > > > 
> > > > I would have expected gnupg-native, but the log line above shows hosttools
> > > > is being used. But the same would happen for signed rpm and ipk feeds right?
> > > > 
> > > > Did we get the correct one tested? I see 55173d in next and then reverted by
> > > > Richard. But that was v2.
> > > > 
> > > 
> > > This was https://git.yoctoproject.org/poky-contrib/commit/?id=5abda438ce762fc7b8e065e3e9063820c758918e
> 
> This is the correct one.
> 
> > > Just to be sure, I've started on ubuntu1604 both master and this branch,
> > > we'll see if this reproduces.
> > 
> > Firstly, this is occurring in the newly added test so this is being triggered by
> > the new code. I suspect what is happening is that gnupg-native isn't being built
> > before the test and this means that it is falling back to the system gpg. The
> > system gpg is too old on that worker so it fails.
> 
> Certainly
> 
> > You can probably reproduce locally by not having a gpg on your build system
> > (move it out the way temporarily?).
> 
> Thanks for the tip. Not sure if I can remove the package, but IIUC it's the
> executable that needs to be present so I can just move it out of the way.
> 
> > If I'm right (and I'm just guessing), the fix is to add the missing dependency
> > to ensure gpg is one we've built.
> 
> I know how to add a dependency in a recipe, but where to add here?
> 
> I already have 'bitbake('gnupg-native -c addto_recipe_sysroot')'
> Should I run 'bitbake('gnupg-native')' before that?
> 
> I copied these lines from test_testimage_dnf, shouldn't that have similar
> problems?
> 

sign_rpm.bbclass has PACKAGE_WRITE_DEPS += "gnupg-native", doesn't that
solve this issue?


-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
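
A small diagnostic for the failure discussed in this thread, added here as an illustration and not code from the patch or from OE-core: it parses the `do_package_index` error line and reports whether `gpg` and `gpg-agent` were resolved from `hosttools` (links to the build host's own binaries) or from a `recipe-sysroot-native` directory. The function names and the shortened `/build` path in the sample are assumptions.

```python
import ast
import re

# Constructed sample: the error quoted in the thread, with the autobuilder
# worker path shortened to /build for readability.
SAMPLE_LOG = (
    "ERROR: package-index-1.0-r0 do_package_index: Could not get gpg version: "
    "Command '['/build/tmp/hosttools/gpg', "
    "'--agent-program=/build/tmp/hosttools/gpg-agent|--auto-expand-secmem', "
    "'--version', '--no-permission-warning']' returned non-zero exit status 2."
)

# BitBake logs the failed command as a Python list literal inside quotes.
CMD_RE = re.compile(r"Command '(\[.*?\])' returned non-zero exit status (\d+)")


def classify_tool(path):
    """Say where a build tool was resolved from, judging by its path."""
    parts = path.split("/")
    if "hosttools" in parts:
        return "host"      # falls back to whatever the build machine ships
    if "recipe-sysroot-native" in parts:
        return "native"    # built by the -native recipe, version is controlled
    return "unknown"


def audit_gpg_failure(line):
    """Return exit status and tool origins for a failed gpg call, else None."""
    match = CMD_RE.search(line)
    if match is None:
        return None
    argv = ast.literal_eval(match.group(1))
    tools = {"gpg": argv[0]}
    for arg in argv[1:]:
        if arg.startswith("--agent-program="):
            # The logged value is "<path>|--auto-expand-secmem"; keep the path.
            tools["gpg-agent"] = arg.split("=", 1)[1].split("|", 1)[0]
    return {
        "exit_status": int(match.group(2)),
        "origin": {name: classify_tool(p) for name, p in tools.items()},
    }


if __name__ == "__main__":
    print(audit_gpg_failure(SAMPLE_LOG))
```

A result of `host` for `gpg` means the signing step depends on the distro's GnuPG version, which is the situation suspected on the ubuntu 16.04 worker.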
