* [PATCH 1/3] bison: prevent checking for textstyle.
@ 2021-10-12 15:44 Dan McGregor
From: Dan McGregor @ 2021-10-12 15:44 UTC (permalink / raw)
  To: openembedded-core; +Cc: Daniel McGregor

From: Daniel McGregor <daniel.mcgregor@vecima.com>

Bison's autoconf is also very good at finding textstyle; force it
to not find it unless it's explicitly enabled.

Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
---
 meta/recipes-devtools/bison/bison_3.7.6.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/bison/bison_3.7.6.bb b/meta/recipes-devtools/bison/bison_3.7.6.bb
index c85ae049766..b09ed81d291 100644
--- a/meta/recipes-devtools/bison/bison_3.7.6.bb
+++ b/meta/recipes-devtools/bison/bison_3.7.6.bb
@@ -33,7 +33,9 @@ PACKAGECONFIG[textstyle] = "--with-libtextstyle-prefix,--without-libtextstyle-pr
 CACHED_CONFIGUREVARS += "${@bb.utils.contains('PACKAGECONFIG', 'readline', '', ' \
                            ac_cv_header_readline_history_h=no \
                            ac_cv_header_readline_readline_h=no \
-                           gl_cv_lib_readline=no', d)}"
+                           gl_cv_lib_readline=no', d)} \
+                         ${@bb.utils.contains('PACKAGECONFIG', 'textstyle', '', ' \
+                           ac_cv_libtextstyle=no', d)}"
 
 # The automatic m4 path detection gets confused, so force the right value
 acpaths = "-I ./m4"
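Review bot: the two added lines seed ac_cv_libtextstyle=no without any comment explaining why, while the m4 override directly below ("# The automatic m4 path detection gets confused, so force the right value") does; add one line saying that --without-libtextstyle-prefix on its own still lets configure pick up a libtextstyle from the host's default search path, which is what the cache seed prevents. The commit message should also name the configure macro whose cache variable this is, so that the next bison upgrade can check the name is still right: a stale cache variable name would silently re-enable the host dependency rather than fail the build.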
-- 
2.31.1




* [PATCH 2/3] Validate shared state against list of keys
From: Dan McGregor @ 2021-10-12 15:44 UTC (permalink / raw)
  To: openembedded-core; +Cc: Daniel McGregor

From: Daniel McGregor <daniel.mcgregor@vecima.com>

Allow a user to validate sstate objects against a list of keys, instead
of just any known key in the user's keychain.

Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
---
 meta/classes/sstate.bbclass |  5 ++++-
 meta/lib/oe/gpg_sign.py     | 27 ++++++++++++++++++++++-----
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index 701a19bc612..3bc92eda3dd 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -114,6 +114,9 @@ SSTATE_SIG_KEY ?= ""
 SSTATE_SIG_PASSPHRASE ?= ""
 # Whether to verify the GnUPG signatures when extracting sstate archives
 SSTATE_VERIFY_SIG ?= "0"
+# List of signatures to consider valid.
+SSTATE_VALID_SIGS ??= ""
+SSTATE_VALID_SIGS[vardepvalue] = ""
 
 SSTATE_HASHEQUIV_METHOD ?= "oe.sstatesig.OEOuthashBasic"
 SSTATE_HASHEQUIV_METHOD[doc] = "The fully-qualified function used to calculate \
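Review bot: the comment on the first added line says "List of signatures to consider valid", but what the verify path compares against is key identifiers reported by gpg, so name it that way, e.g. "# Space-separated list of signing key IDs accepted for sstate packages; empty accepts any key in the keyring", and consider an SSTATE_VALID_SIGS[doc] entry in the style of the SSTATE_HASHEQUIV_METHOD[doc] line below. The `??=` also differs from the `?=` used for SSTATE_SIG_KEY and SSTATE_VERIFY_SIG just above; unless the weak default is deliberate, use `?=` for consistency. Excluding the variable from task hashes with `[vardepvalue] = ""` is right: the accept-list is a local trust policy and must not alter the sstate checksums it is used to validate.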
@@ -370,7 +373,7 @@ def sstate_installpkg(ss, d):
             bb.warn("No signature file for sstate package %s, skipping acceleration..." % sstatepkg)
             return False
         signer = get_signer(d, 'local')
-        if not signer.verify(sstatepkg + '.sig'):
+        if not signer.verify(sstatepkg + '.sig', d.getVar("SSTATE_VALID_SIGS")):
             bb.warn("Cannot verify signature on sstate package %s, skipping acceleration..." % sstatepkg)
             return False
 
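Review bot: with the default SSTATE_VALID_SIGS of "" the call on the changed line keeps the old behaviour, so the new restriction is opt-in; the commit message should say so explicitly. The warning on the following line ("Cannot verify signature on sstate package ...") now also fires when the signature is good but was made by a key outside the list, a case in which verify() has already warned, so the log shows two warnings for one event. Either skip the second warning for that case or make it name the refused key so that a bad signature and a good-but-unlisted key can be told apart.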
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 492f096eaa7..5b3776165cf 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -109,16 +109,33 @@ class LocalSigner(object):
             bb.fatal("Could not get gpg version: %s" % e)
 
 
-    def verify(self, sig_file):
+    def verify(self, sig_file, valid_sigs = ''):
         """Verify signature"""
-        cmd = self.gpg_cmd + ["--verify", "--no-permission-warning"]
+        cmd = self.gpg_cmd + ["--verify", "--no-permission-warning", "--status-fd", "1"]
         if self.gpg_path:
             cmd += ["--homedir", self.gpg_path]
 
         cmd += [sig_file]
-        status = subprocess.call(cmd)
-        ret = False if status else True
-        return ret
+        status = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+        # Valid if any key matches if unspecified
+        if not valid_sigs:
+            ret = False if status.returncode else True
+            return ret
+
+        import re
+        goodsigs = []
+        sigre = re.compile('^\[GNUPG:\] GOODSIG (\S+)\s(.*)$')
+        for l in status.stdout.decode("utf-8").splitlines():
+            s = sigre.match(l)
+            if s:
+                goodsigs += [s.group(1)]
+
+        for sig in valid_sigs.split():
+            if sig in goodsigs:
+                return True
+        if len(goodsigs):
+            bb.warn('No accepted signatures found. Good signatures found: %s.' % ' '.join(goodsigs))
+        return False
 
 
 def get_signer(d, backend):
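Review bot: when valid_sigs is given, status.returncode is never consulted: the function returns True as soon as any GOODSIG line names a listed key, so a run in which gpg exited non-zero (for example a second, bad signature on the same file) is still accepted. Keep a `if status.returncode: return False` in front of the parsing for both paths. The pattern on the sigre line is a non-raw string containing `\[` and `\S`, which triggers the invalid-escape DeprecationWarning; write it as r'^\[GNUPG:\] GOODSIG (\S+)\s(.*)$'. The GOODSIG field is the long key ID as gpg prints it (see doc/DETAILS in GnuPG), so SSTATE_VALID_SIGS entries have to be in that form; if full fingerprints should be accepted too, parse VALIDSIG as well, which carries the fingerprint. Finally, stderr is captured and then discarded; include it in the bb.warn on the failure path, since the caller only sees the generic "Cannot verify signature" message.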
-- 
2.31.1



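The patch above restricts a good gpg signature to an accept-list of keys by parsing gpg's --status-fd output. As an added example, not code from the patch or from oe-core, the following Python module shows one way to do that check completely: it requires gpg to exit 0, rejects the run if any BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line appears, and matches the accept-list against both the long key ID from GOODSIG and the fingerprints from VALIDSIG (signing key and primary key), so that a user may list either form. The function names, the verify_with_allowlist() wrapper and the sample status lines are the example's own assumptions; the sample is constructed, not captured from a real gpg run.

```python
"""Restrict a detached-signature check to an accept-list of signing keys.

Added example (not oe-core code): parse the machine-readable status lines
gpg prints with --status-fd and accept a signature only when it was made by
a key on the accept-list. Function names, the sample status output and the
verify_with_allowlist() wrapper are assumptions made for this example.
"""
import re
import subprocess

# Status lines look like "[GNUPG:] KEYWORD args..." (GnuPG doc/DETAILS).
# GOODSIG carries the long key ID; VALIDSIG carries the signing key's full
# fingerprint and, as its tenth argument, the primary key's fingerprint.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?:\s+(.*))?$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Any of these means gpg could not establish a good signature; one of them
# rejects the whole run even if another signature on the same file is good.
REJECTING = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def _normalise(ident):
    """Upper-case hex without spaces or a leading 0x, so '0xdead...' or a
    fingerprint typed with spaces compares equal to gpg's form."""
    ident = ident.replace(" ", "")
    if ident[:2].lower() == "0x":
        ident = ident[2:]
    return ident.upper()


def _matches(allowed, candidate):
    """True when the allowed identifier equals the candidate or is a suffix
    of it: a 16-hex long key ID is the tail of the 40-hex v4 fingerprint."""
    return candidate == allowed or (len(allowed) >= 16 and candidate.endswith(allowed))


def signers_from_status(status_output):
    """Return (good, rejected): good is the set of identifiers (long key IDs
    and fingerprints) of keys behind GOODSIG/VALIDSIG lines, rejected the set
    of status keywords that invalidate the result."""
    good, rejected = set(), set()
    for line in status_output.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue  # non-status output interleaved on the same fd
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword in REJECTING:
            rejected.add(keyword)
        elif keyword == "GOODSIG" and args:
            good.add(_normalise(args[0]))
        elif keyword == "VALIDSIG" and args:
            good.add(_normalise(args[0]))
            if len(args) >= 10 and HEX_RE.match(args[9]):
                good.add(_normalise(args[9]))  # primary key of a signing subkey
    return good, rejected


def accepted(returncode, status_output, allowed_keys):
    """Policy decision: gpg must exit 0, no rejecting status may appear, and
    at least one good signer must be on the accept-list. An empty list
    accepts nothing, unlike the 'any key in the keyring' default."""
    if returncode != 0:
        return False
    good, rejected = signers_from_status(status_output)
    if rejected or not good:
        return False
    wanted = [_normalise(k) for k in allowed_keys.split()]
    return any(_matches(a, g) for a in wanted for g in good)


def verify_with_allowlist(sig_file, allowed_keys, gpg_cmd=("gpg",), homedir=None):
    """Run gpg --verify with status on stdout and apply accepted(). Stderr is
    returned so the caller can log it when verification fails."""
    cmd = list(gpg_cmd) + ["--verify", "--no-permission-warning", "--status-fd", "1"]
    if homedir:
        cmd += ["--homedir", homedir]
    cmd.append(sig_file)
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    ok = accepted(proc.returncode, proc.stdout.decode("utf-8", "replace"), allowed_keys)
    return ok, proc.stderr.decode("utf-8", "replace")


# Constructed sample of a good signature made by a signing subkey (key IDs
# and fingerprints are made up for the example, not from a real key).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz0 2021-10-12 1634052240
[GNUPG:] GOODSIG FEDCBA9876543210 Build Signer <build@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEFFEDCBA9876543210 2021-10-12 1634052240 0 4 0 22 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
```

Listing the primary key's fingerprint is the more robust choice for an accept-list: signing subkeys can be rotated under the same primary key without the list having to change, while a bare long key ID only identifies whichever key made the signature.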

* [PATCH 3/3] bitbake.conf: Add gpg-agent as a host tool
From: Dan McGregor @ 2021-10-12 15:44 UTC (permalink / raw)
  To: openembedded-core; +Cc: Daniel McGregor

From: Daniel McGregor <daniel.mcgregor@vecima.com>

If gpg is used, it will find the first gpg agent in the path; this
may lead to issues where gpg comes from the host and the agent
comes from a gnupg-native due to package signing. The versions
being out of sync causes gpg to fail.

Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
---
 meta/conf/bitbake.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index f3ff5b776b2..e9ea3f2c9c6 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -498,7 +498,7 @@ HOSTTOOLS += " \
 HOSTTOOLS += "${@'ip ping ps scp ssh stty' if (bb.utils.contains_any('IMAGE_CLASSES', 'testimage testsdk', True, False, d) or any(x in (d.getVar("BBINCLUDED") or "") for x in ["testimage.bbclass", "testsdk.bbclass"])) else ''}"
 
 # Link to these if present
-HOSTTOOLS_NONFATAL += "aws gcc-ar gpg ld.bfd ld.gold nc pigz sftp socat ssh sudo"
+HOSTTOOLS_NONFATAL += "aws gcc-ar gpg gpg-agent ld.bfd ld.gold nc pigz sftp socat ssh sudo"
 
 # Temporary add few more detected in bitbake world
 HOSTTOOLS_NONFATAL += "join nl size yes zcat"
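Review bot: the entry is added to HOSTTOOLS_NONFATAL, so on a host without gpg-agent no link is made and nothing warns, which leaves that host in the same situation as before the patch; the commit message should say so, and it should also state why linking the agent cures the mismatch it describes (the host gpg now finds the host agent first), since the hunk itself only adds a name to a list. Keeping gpg and gpg-agent adjacent in the list is good; a short comment that the two must be taken from the same installation would stop a later edit from removing one without the other.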
-- 
2.31.1




* Re: [OE-core] [PATCH 2/3] Validate shared state against list of keys
From: Dan McGregor @ 2021-10-13 19:40 UTC (permalink / raw)
  To: Daniel McGregor; +Cc: Patches and discussions about the oe-core layer

On Tue, 12 Oct 2021 at 09:45, Dan McGregor via lists.openembedded.org
<danismostlikely=gmail.com@lists.openembedded.org> wrote:
>
> From: Daniel McGregor <daniel.mcgregor@vecima.com>
>
> Allow a user to validate sstate objects against a list of keys, instead
> of just any known key in the user's keychain.
>
> Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
> ---
>  meta/classes/sstate.bbclass |  5 ++++-
>  meta/lib/oe/gpg_sign.py     | 27 ++++++++++++++++++++++-----
>  2 files changed, 26 insertions(+), 6 deletions(-)
>
> diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
> index 701a19bc612..3bc92eda3dd 100644
> --- a/meta/classes/sstate.bbclass
> +++ b/meta/classes/sstate.bbclass
> @@ -114,6 +114,9 @@ SSTATE_SIG_KEY ?= ""
>  SSTATE_SIG_PASSPHRASE ?= ""
>  # Whether to verify the GnUPG signatures when extracting sstate archives
>  SSTATE_VERIFY_SIG ?= "0"
> +# List of signatures to consider valid.
> +SSTATE_VALID_SIGS ??= ""
> +SSTATE_VALID_SIGS[vardepvalue] = ""
>
>  SSTATE_HASHEQUIV_METHOD ?= "oe.sstatesig.OEOuthashBasic"
>  SSTATE_HASHEQUIV_METHOD[doc] = "The fully-qualified function used to calculate \
> @@ -370,7 +373,7 @@ def sstate_installpkg(ss, d):
>              bb.warn("No signature file for sstate package %s, skipping acceleration..." % sstatepkg)
>              return False
>          signer = get_signer(d, 'local')
> -        if not signer.verify(sstatepkg + '.sig'):
> +        if not signer.verify(sstatepkg + '.sig', d.getVar("SSTATE_VALID_SIGS")):
>              bb.warn("Cannot verify signature on sstate package %s, skipping acceleration..." % sstatepkg)
>              return False
>
> diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
> index 492f096eaa7..5b3776165cf 100644
> --- a/meta/lib/oe/gpg_sign.py
> +++ b/meta/lib/oe/gpg_sign.py
> @@ -109,16 +109,33 @@ class LocalSigner(object):
>              bb.fatal("Could not get gpg version: %s" % e)
>
>
> -    def verify(self, sig_file):
> +    def verify(self, sig_file, valid_sigs = ''):
>          """Verify signature"""
> -        cmd = self.gpg_cmd + ["--verify", "--no-permission-warning"]
> +        cmd = self.gpg_cmd + ["--verify", "--no-permission-warning", "--status-fd", "1"]
>          if self.gpg_path:
>              cmd += ["--homedir", self.gpg_path]
>
>          cmd += [sig_file]
> -        status = subprocess.call(cmd)
> -        ret = False if status else True
> -        return ret
> +        status = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
> +        # Valid if any key matches if unspecified
> +        if not valid_sigs:
> +            ret = False if status.returncode else True
> +            return ret
> +
> +        import re
> +        goodsigs = []
> +        sigre = re.compile('^\[GNUPG:\] GOODSIG (\S+)\s(.*)$')

Missed the deprecation warning here; don't want to introduce new
issues. Hence v2 for just this patch.

> +        for l in status.stdout.decode("utf-8").splitlines():
> +            s = sigre.match(l)
> +            if s:
> +                goodsigs += [s.group(1)]
> +
> +        for sig in valid_sigs.split():
> +            if sig in goodsigs:
> +                return True
> +        if len(goodsigs):
> +            bb.warn('No accepted signatures found. Good signatures found: %s.' % ' '.join(goodsigs))
> +        return False
>
>
>  def get_signer(d, backend):
> --
> 2.31.1
>
>


