* [PATCH 1/3] bison: prevent checking for textstyle.
From: Dan McGregor @ 2021-10-12 15:44 UTC
To: openembedded-core; +Cc: Daniel McGregor
From: Daniel McGregor <daniel.mcgregor@vecima.com>
Bison's autoconf is also very good at finding textstyle; force it
to not find it unless it's explicitly enabled.
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
---
meta/recipes-devtools/bison/bison_3.7.6.bb | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/bison/bison_3.7.6.bb b/meta/recipes-devtools/bison/bison_3.7.6.bb
index c85ae049766..b09ed81d291 100644
--- a/meta/recipes-devtools/bison/bison_3.7.6.bb
+++ b/meta/recipes-devtools/bison/bison_3.7.6.bb
@@ -33,7 +33,9 @@ PACKAGECONFIG[textstyle] = "--with-libtextstyle-prefix,--without-libtextstyle-pr
CACHED_CONFIGUREVARS += "${@bb.utils.contains('PACKAGECONFIG', 'readline', '', ' \
ac_cv_header_readline_history_h=no \
ac_cv_header_readline_readline_h=no \
- gl_cv_lib_readline=no', d)}"
+ gl_cv_lib_readline=no', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'textstyle', '', ' \
+ ac_cv_libtextstyle=no', d)}"
# The automatic m4 path detection gets confused, so force the right value
acpaths = "-I ./m4"
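Review bot: the new `ac_cv_libtextstyle=no` override in this hunk carries no comment, unlike the m4 path override two lines below; add a one-line comment saying that bison's configure probes the default library paths for libtextstyle even when `--without-libtextstyle-prefix` is passed, so the cache variable is pre-seeded whenever `textstyle` is absent from PACKAGECONFIG. It is also worth a quick check that `ac_cv_libtextstyle` is the exact cache variable name bison's configure reads: a misspelled cache variable is silently ignored and the detection would keep succeeding with no error.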
--
2.31.1
* [PATCH 2/3] Validate shared state against list of keys
From: Dan McGregor @ 2021-10-12 15:44 UTC
To: openembedded-core; +Cc: Daniel McGregor
From: Daniel McGregor <daniel.mcgregor@vecima.com>
Allow a user to validate sstate objects against a list of keys, instead
of just any known key in the user's keychain.
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
---
meta/classes/sstate.bbclass | 5 ++++-
meta/lib/oe/gpg_sign.py | 27 ++++++++++++++++++++++-----
2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index 701a19bc612..3bc92eda3dd 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -114,6 +114,9 @@ SSTATE_SIG_KEY ?= ""
SSTATE_SIG_PASSPHRASE ?= ""
# Whether to verify the GnUPG signatures when extracting sstate archives
SSTATE_VERIFY_SIG ?= "0"
+# List of signatures to consider valid.
+SSTATE_VALID_SIGS ??= ""
+SSTATE_VALID_SIGS[vardepvalue] = ""
SSTATE_HASHEQUIV_METHOD ?= "oe.sstatesig.OEOuthashBasic"
SSTATE_HASHEQUIV_METHOD[doc] = "The fully-qualified function used to calculate \
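Review bot: the comment `# List of signatures to consider valid.` on the new variable describes key identifiers, not signatures: the values are compared with the key ID that gpg reports on its `GOODSIG` status line, so say so and document the expected format (space-separated key IDs as gpg prints them) and that an empty value keeps the previous behaviour of accepting any key in the keyring. `SSTATE_VALID_SIGS[vardepvalue] = ""` is right, since the accepted-key list must not perturb task hashes, but that reasoning deserves a word in the comment too.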
@@ -370,7 +373,7 @@ def sstate_installpkg(ss, d):
bb.warn("No signature file for sstate package %s, skipping acceleration..." % sstatepkg)
return False
signer = get_signer(d, 'local')
- if not signer.verify(sstatepkg + '.sig'):
+ if not signer.verify(sstatepkg + '.sig', d.getVar("SSTATE_VALID_SIGS")):
bb.warn("Cannot verify signature on sstate package %s, skipping acceleration..." % sstatepkg)
return False
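Review bot: `verify()` is now called with a second argument here, so any other signer backend that `get_signer()` can return must grow the same `valid_sigs` parameter or this call raises TypeError for it; if LocalSigner is the only backend, a sentence in the commit message saying so would save the reviewer that check.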
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 492f096eaa7..5b3776165cf 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -109,16 +109,33 @@ class LocalSigner(object):
bb.fatal("Could not get gpg version: %s" % e)
- def verify(self, sig_file):
+ def verify(self, sig_file, valid_sigs = ''):
"""Verify signature"""
- cmd = self.gpg_cmd + ["--verify", "--no-permission-warning"]
+ cmd = self.gpg_cmd + ["--verify", "--no-permission-warning", "--status-fd", "1"]
if self.gpg_path:
cmd += ["--homedir", self.gpg_path]
cmd += [sig_file]
- status = subprocess.call(cmd)
- ret = False if status else True
- return ret
+ status = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ # Valid if any key matches if unspecified
+ if not valid_sigs:
+ ret = False if status.returncode else True
+ return ret
+
+ import re
+ goodsigs = []
+ sigre = re.compile('^\[GNUPG:\] GOODSIG (\S+)\s(.*)$')
+ for l in status.stdout.decode("utf-8").splitlines():
+ s = sigre.match(l)
+ if s:
+ goodsigs += [s.group(1)]
+
+ for sig in valid_sigs.split():
+ if sig in goodsigs:
+ return True
+ if len(goodsigs):
+ bb.warn('No accepted signatures found. Good signatures found: %s.' % ' '.join(goodsigs))
+ return False
def get_signer(d, backend):
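Review bot: the pattern on the `sigre = re.compile(...)` line is a plain string literal, so `\[`, `\S` and `\s` are invalid escape sequences and Python emits a DeprecationWarning; make it a raw string. Two behavioural points in the same hunk: `GOODSIG`'s first field is the 64-bit long key ID, so a user who lists 40-hex-digit fingerprints in SSTATE_VALID_SIGS never matches anything; either document that only long key IDs are accepted or parse the `VALIDSIG` line (which carries the full fingerprint) and compare after upper-casing both sides. And when `valid_sigs` is set, `status.returncode` is never consulted, so add `if status.returncode: return False` before parsing to keep the allow-list path no more permissive than the default path. Minor: `import re` belongs at module top, and `ret = False if status.returncode else True` reads simpler as `return status.returncode == 0`.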
--
2.31.1
* [PATCH 3/3] bitbake.conf: Add gpg-agent as a host tool
From: Dan McGregor @ 2021-10-12 15:44 UTC
To: openembedded-core; +Cc: Daniel McGregor
From: Daniel McGregor <daniel.mcgregor@vecima.com>
If gpg is used, it will find the first gpg agent in the path; this
may lead to issues where gpg comes from the host, and the agent
comes from a gnupg-native due to package signing. The versions
being out of sync causes gpg to fail.
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
---
meta/conf/bitbake.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index f3ff5b776b2..e9ea3f2c9c6 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -498,7 +498,7 @@ HOSTTOOLS += " \
HOSTTOOLS += "${@'ip ping ps scp ssh stty' if (bb.utils.contains_any('IMAGE_CLASSES', 'testimage testsdk', True, False, d) or any(x in (d.getVar("BBINCLUDED") or "") for x in ["testimage.bbclass", "testsdk.bbclass"])) else ''}"
# Link to these if present
-HOSTTOOLS_NONFATAL += "aws gcc-ar gpg ld.bfd ld.gold nc pigz sftp socat ssh sudo"
+HOSTTOOLS_NONFATAL += "aws gcc-ar gpg gpg-agent ld.bfd ld.gold nc pigz sftp socat ssh sudo"
# Temporary add few more detected in bitbake world
HOSTTOOLS_NONFATAL += "join nl size yes zcat"
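Review bot: the rationale in the commit message (host gpg picking up a gnupg-native gpg-agent of a different version) does not survive into bitbake.conf, where the entry is just one more name in an alphabetical list; add a short comment for it, e.g. `# gpg-agent must come from the same gnupg as gpg, so link both or neither`, so the next person pruning the list keeps them paired. Note also that, being in the "Link to these if present" NONFATAL list, the fix is best-effort: a host with gpg but no gpg-agent installed (they are often separate packages) still hits the mismatch the commit describes.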
--
2.31.1
* Re: [OE-core] [PATCH 2/3] Validate shared state against list of keys
From: Dan McGregor @ 2021-10-13 19:40 UTC
To: Daniel McGregor; +Cc: Patches and discussions about the oe-core layer
On Tue, 12 Oct 2021 at 09:45, Dan McGregor via lists.openembedded.org
<danismostlikely=gmail.com@lists.openembedded.org> wrote:
>
> From: Daniel McGregor <daniel.mcgregor@vecima.com>
>
> Allow a user to validate sstate objects against a list of keys, instead
> of just any known key in the user's keychain.
>
> Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
> ---
> meta/classes/sstate.bbclass | 5 ++++-
> meta/lib/oe/gpg_sign.py | 27 ++++++++++++++++++++++-----
> 2 files changed, 26 insertions(+), 6 deletions(-)
>
> diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
> index 701a19bc612..3bc92eda3dd 100644
> --- a/meta/classes/sstate.bbclass
> +++ b/meta/classes/sstate.bbclass
> @@ -114,6 +114,9 @@ SSTATE_SIG_KEY ?= ""
> SSTATE_SIG_PASSPHRASE ?= ""
> # Whether to verify the GnUPG signatures when extracting sstate archives
> SSTATE_VERIFY_SIG ?= "0"
> +# List of signatures to consider valid.
> +SSTATE_VALID_SIGS ??= ""
> +SSTATE_VALID_SIGS[vardepvalue] = ""
>
> SSTATE_HASHEQUIV_METHOD ?= "oe.sstatesig.OEOuthashBasic"
> SSTATE_HASHEQUIV_METHOD[doc] = "The fully-qualified function used to calculate \
> @@ -370,7 +373,7 @@ def sstate_installpkg(ss, d):
> bb.warn("No signature file for sstate package %s, skipping acceleration..." % sstatepkg)
> return False
> signer = get_signer(d, 'local')
> - if not signer.verify(sstatepkg + '.sig'):
> + if not signer.verify(sstatepkg + '.sig', d.getVar("SSTATE_VALID_SIGS")):
> bb.warn("Cannot verify signature on sstate package %s, skipping acceleration..." % sstatepkg)
> return False
>
> diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
> index 492f096eaa7..5b3776165cf 100644
> --- a/meta/lib/oe/gpg_sign.py
> +++ b/meta/lib/oe/gpg_sign.py
> @@ -109,16 +109,33 @@ class LocalSigner(object):
> bb.fatal("Could not get gpg version: %s" % e)
>
>
> - def verify(self, sig_file):
> + def verify(self, sig_file, valid_sigs = ''):
> """Verify signature"""
> - cmd = self.gpg_cmd + ["--verify", "--no-permission-warning"]
> + cmd = self.gpg_cmd + ["--verify", "--no-permission-warning", "--status-fd", "1"]
> if self.gpg_path:
> cmd += ["--homedir", self.gpg_path]
>
> cmd += [sig_file]
> - status = subprocess.call(cmd)
> - ret = False if status else True
> - return ret
> + status = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> + # Valid if any key matches if unspecified
> + if not valid_sigs:
> + ret = False if status.returncode else True
> + return ret
> +
> + import re
> + goodsigs = []
> + sigre = re.compile('^\[GNUPG:\] GOODSIG (\S+)\s(.*)$')
Missed the deprecation warning here; don't want to introduce new
issues. Hence v2 for just this patch.
> + for l in status.stdout.decode("utf-8").splitlines():
> + s = sigre.match(l)
> + if s:
> + goodsigs += [s.group(1)]
> +
> + for sig in valid_sigs.split():
> + if sig in goodsigs:
> + return True
> + if len(goodsigs):
> + bb.warn('No accepted signatures found. Good signatures found: %s.' % ' '.join(goodsigs))
> + return False
>
>
> def get_signer(d, backend):
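Review bot: the warning comes from `\[`, `\S` and `\s` inside a plain string literal on the `sigre = re.compile(...)` line above; the v2 fix is a raw string, `r'^\[GNUPG:\] GOODSIG (\S+)\s(.*)$'`, with no change to the pattern itself.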
> --
> 2.31.1