On Wed, 2022-04-13 at 15:43 +0200, Ferry Toth wrote:
> Hi,
>
> On 13-04-2022 at 09:00, Richard Purdie wrote:
> > On Wed, 2022-04-13 at 00:34 +0200, Alexandre Belloni wrote:
> > > On 13/04/2022 00:20:40+0200, Ferry Toth wrote:
> > > > Hi,
> > > >
> > > > On 12-04-2022 at 23:51, Richard Purdie wrote:
> > > > > On Tue, 2022-04-12 at 23:48 +0200, Alexandre Belloni wrote:
> > > > > > On 12/04/2022 23:32:49+0200, Ferry Toth wrote:
> > > > > > > Hi
> > > > > > >
> > > > > > > On 12-04-2022 at 16:16, Alexandre Belloni wrote:
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > On 11/04/2022 22:50:36+0200, Ferry Toth wrote:
> > > > > > > > > From: Ferry Toth <[email protected]>
> > > > > > > > >
> > > > > > > > > Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default.
> > > > > > > > > Currently when building images this requirement is worked around by using [allow-insecure=yes] and
> > > > > > > > > equivalently when performing selftest.
> > > > > > > > >
> > > > > > > > > Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign DEB package feeds"
> > > > > > > > > enable signed DEB package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf
> > > > > > > > > test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package
> > > > > > > > > management. To be able to install the key the gnupg package is added to the testimage.
> > > > > > > > >
> > > > > > > > This went through the autobuilders and it seems this still fails:
> > > > > > > That is disappointing.
> > > > > > >
> > > > > > > > https://autobuilder.yoctoproject.org/typhoon/#/builders/87/builds/3437/steps/15/logs/stdio
> > > > > > > >
> > > > > > > > ERROR: package-index-1.0-r0 do_package_index: Could not get gpg version: Command '['/home/pokybuild/yocto-worker/oe-selftest-ubuntu/build/build-st-34525/tmp/hosttools/gpg', '--agent-program=/home/pokybuild/yocto-worker/oe-selftest-ubuntu/build/build-st-34525/tmp/hosttools/gpg-agent|--auto-expand-secmem', '--version', '--no-permission-warning']' returned non-zero exit status 2.
> > > > > > > > ERROR: Logfile of failure stored in: /home/pokybuild/yocto-worker/oe-selftest-ubuntu/build/build-st-34525/tmp/work/core2-64-poky-linux/package-index/1.0-r0/temp/log.do_package_index.53841
> > > > > > > > NOTE: recipe package-index-1.0-r0: task do_package_index: Failed
> > > > > > > In fact package_index is failing, which is outside this patch code.
> > > > > > >
> > > > > > > > ERROR: Task (/home/pokybuild/yocto-worker/oe-selftest-ubuntu/build/meta/recipes-core/meta/package-index.bb:do_package_index) failed with exit code '1'
> > > > > > > >
> > > > > > > > This was ubuntu 16.04 so maybe gpg on the distro is too old (1.4.20) but
> > > > > > > > I'm not sure as I think you are using gnupg-native.
> > > > > > > I would have expected gnupg-native, but the log line above shows hosttools
> > > > > > > is being used. But the same would happen for signed rpm and ipk feeds right?
> > > > > > >
> > > > > > > Did we get the correct one tested? I see 55173d in next and then reverted by
> > > > > > > Richard. But that was v2.
> > > > > > >
> > > > > > This was
> > > > > > https://git.yoctoproject.org/poky-contrib/commit/?id=5abda438ce762fc7b8e065e3e9063820c758918e
> > > > This is the correct one.
> > > >
> > > > > > Just to be sure, I've started on ubuntu1604 both master and this branch,
> > > > > > we'll see if this reproduces.
> > > > > Firstly, this is occurring in the newly added test so this is being triggered by
> > > > > the new code. I suspect what is happening is that gnupg-native isn't being built
> > > > > before the test and this means that it is falling back to the system gpg. The
> > > > > system gpg is too old on that worker so it fails.
> > > > Certainly
> > > >
> > > > > You can probably reproduce locally by not having a gpg on your build system
> > > > > (move it out the way temporarily?).
> > > > Thanks for the tip. Not sure if I can remove the package, but IIUC it's the
> > > > executable that needs to be present so I can just move it out of the way.
> > > >
> > > > > If I'm right (and I'm just guessing), the fix is to add the missing dependency
> > > > > to ensure gpg is one we've built.
> You are right
> > > > I know how to add dependency in a recipe, but where to add here?
> > > >
> > > > I already have 'bitbake('gnupg-native -c addto_recipe_sysroot')'
> > > > Should I run 'bitbake('gnupg-native')' before that?
> > > >
> > > > I copied these lines from test_testimage_dnf, shouldn't that have similar
> > > > problems?
> > > >
> > > sign_rpm.bbclass has PACKAGE_WRITE_DEPS += "gnupg-native", doesn't that
> > > solve this issue?
> > Perhaps sign_package_feed.bbclass needs something like:
> >
> > PACKAGEINDEXDEPS += "gnupg-native:do_populate_sysroot"
>
> I added this to the end of 'meta/classes/package_deb.bbclass' and that
> works.
>
> Do you agree this is the right place?

No. That builds gpg pieces even when signing isn't enabled so I don't think that
is right.

> Should I squash with this patch or send in as a separate patch (fixes 0b4231b5
> <https://git.yoctoproject.org/poky/commit/?id=0b4231b597618e18668b8340f4209cd364b2b2d0>
> "package_manager: sign DEB package feeds")?

I think we can likely make this change a separate commit since it will have its
own explanation with it.

Cheers,

Richard
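
Added example, not part of the thread or of OpenEmbedded's code: a small log check for the failure mode discussed above, where a signing task runs the `hosttools` gpg instead of one built by gnupg-native. The first sample line is the autobuilder error quoted in the thread (abridged to drop the `--agent-program` argument); the second line and the `recipe-sysroot-native` path in it are constructed assumptions.

```python
import re

# Quoted absolute path whose last component is gpg or gpg2.
GPG_PATH = re.compile(r"'(/[^']*/gpg2?)'")

SAMPLE_LOG = [
    # From the thread, abridged.
    "ERROR: package-index-1.0-r0 do_package_index: Could not get gpg version: "
    "Command '['/home/pokybuild/yocto-worker/oe-selftest-ubuntu/build/"
    "build-st-34525/tmp/hosttools/gpg', '--version', "
    "'--no-permission-warning']' returned non-zero exit status 2.",
    # Constructed line: same command resolved from a native sysroot (assumed path).
    "DEBUG: Command '['/build/tmp/work/core2-64-poky-linux/package-index/1.0-r0/"
    "recipe-sysroot-native/usr/bin/gpg', '--version']' succeeded",
]


def classify_gpg(path):
    """Say where a gpg binary comes from, judging by its path components."""
    parts = path.split("/")
    if "hosttools" in parts:
        return "host"      # symlink to whatever gpg the build host ships
    if "recipe-sysroot-native" in parts:
        return "native"    # built from the gnupg-native recipe
    return "unknown"


def find_gpg_invocations(lines):
    """Return (line number, origin, failed) for each logged gpg command."""
    results = []
    for number, line in enumerate(lines, 1):
        match = GPG_PATH.search(line)
        if match:
            failed = "returned non-zero exit status" in line
            results.append((number, classify_gpg(match.group(1)), failed))
    return results


def host_gpg_failures(lines):
    """Line numbers where the host's gpg was used and the command failed."""
    return [n for n, origin, failed in find_gpg_invocations(lines)
            if origin == "host" and failed]


if __name__ == "__main__":
    for entry in find_gpg_invocations(SAMPLE_LOG):
        print(entry)
```

A non-empty result from `host_gpg_failures` points at a missing build dependency on gnupg-native rather than at the signing code itself.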
