Re: [OE-core] [PATCH] sstate.bbclass: Only sign packages at the time of their creation

[Tobias Hagelborn]

Validated by "compromising" a signed .zst sstate file and verifying
that it is not used but rather build from scratch, the old archive
persists until the modified .zst or corresponding .sig file is removed.
Prior to the change, the modified .zst archive was singed as is.

Cheers
Tobias

________________________________
From: openembedded-core@lists.openembedded.org 
<openembedded-core@lists.openembedded.org> on behalf of Tobias Hagelborn 
<tobias.hagelb...@axis.com>
Sent: Friday, December 22, 2023 7:09 AM
To: openembedded-core@lists.openembedded.org 
<openembedded-core@lists.openembedded.org>
Subject: [OE-core] [PATCH] sstate.bbclass: Only sign packages at the time of 
their creation

From: Tobias Hagelborn <tobia...@axis.com>

The purpose of the change is to never sign a package not created by
the build itself.

sstate_create_package is refactored into Python and re-designed
to handle signing inside the function. Thus, the signing should never
apply to existing sstate packages. The function is therefore renamed
into sstate_create_and_sign_package.
The creation of the archive remains in a separate shellscript function.

Co-authored-by: Peter Kjellerstedt <peter.kjellerst...@axis.com>
Signed-off-by: Tobias Hagelborn <tobias.hagelb...@axis.com>
---
 meta/classes-global/sstate.bbclass | 128 ++++++++++++++++++++---------
 1 file changed, 87 insertions(+), 41 deletions(-)

diff --git a/meta/classes-global/sstate.bbclass 
b/meta/classes-global/sstate.bbclass
index 9330433bb2..bc7bdbe7d5 100644
--- a/meta/classes-global/sstate.bbclass
+++ b/meta/classes-global/sstate.bbclass
@@ -703,9 +703,7 @@ def sstate_package(ss, d):
     if d.getVar('SSTATE_SKIP_CREATION') == '1':
         return

-    sstate_create_package = ['sstate_report_unihash', 'sstate_create_pkgdirs', 
'sstate_create_package']
-    if d.getVar('SSTATE_SIG_KEY'):
-        sstate_create_package.append('sstate_sign_package')
+    sstate_create_package = ['sstate_report_unihash', 'sstate_create_pkgdirs', 
'sstate_create_and_sign_package']

     for f in (d.getVar('SSTATECREATEFUNCS') or '').split() + \
              sstate_create_package + \
@@ -817,19 +815,91 @@ python sstate_create_pkgdirs () {
         bb.utils.mkdirhier(os.path.dirname(d.getVar('SSTATE_PKG')))
 }

-#
-# Shell function to generate a sstate package from a directory
-# set as SSTATE_BUILDDIR. Will be run from within SSTATE_BUILDDIR.
-#
-sstate_create_package () {
-       # Exit early if it already exists
-       if [ -e ${SSTATE_PKG} ]; then
-               touch ${SSTATE_PKG} 2>/dev/null || true
-               return
-       fi
+# Create sstate package
+# If enabled, sign the package.
+# Package and signature are created in a sub-directory
+# and renamed in place once created.
+python sstate_create_and_sign_package () {
+    from pathlib import Path
+
+    # Best effort touch
+    def touch(file):
+        try:
+            file.touch()
+        except:
+            pass
+
+    def update_file(src, dst, force=False):
+        if dst.is_symlink() and not dst.exists():
+            force=True
+        try:
+            # This relies on that src is a temporary file that can be renamed
+            # or left as is.
+            if force:
+                src.rename(dst)
+            else:
+                os.link(src, dst)
+            return True
+        except:
+            pass
+
+        if dst.exists():
+            touch(dst)
+
+        return False

-       TFILE=`mktemp ${SSTATE_PKG}.XXXXXXXX`
+    verify_sig = (
+        bb.utils.to_boolean(d.getVar("SSTATE_VERIFY_SIG")) and
+        bool(d.getVar("SSTATE_SIG_KEY"))
+    )

+    sstate_pkg = Path(d.getVar("SSTATE_PKG"))
+    sstate_pkg_sig = Path(str(sstate_pkg) + ".sig")
+    if verify_sig:
+        if sstate_pkg.exists() and sstate_pkg_sig.exists():
+            touch(sstate_pkg)
+            touch(sstate_pkg_sig)
+            return
+    else:
+        if sstate_pkg.exists():
+            touch(sstate_pkg)
+            return
+
+    from tempfile import TemporaryDirectory
+    if not sstate_pkg.parent.is_dir():
+        sstate_pkg.parent.mkdir(parents=True, exist_ok=True)
+
+    with TemporaryDirectory(dir=sstate_pkg.parent) as tmp_dir:
+        tmp_pkg = Path(tmp_dir) / sstate_pkg.name
+        localdata = d.createCopy()
+        localdata.setVar("SSTATE_PKG", str(tmp_pkg))
+        bb.build.exec_func('sstate_archive_package', localdata)
+
+        force = False
+        if verify_sig:
+            from oe.gpg_sign import get_signer
+            signer = get_signer(d, 'local')
+            signer.detach_sign(str(tmp_pkg), d.getVar('SSTATE_SIG_KEY'), None,
+                                d.getVar('SSTATE_SIG_PASSPHRASE'), armor=False)
+
+            tmp_pkg_sig = Path(tmp_dir) / sstate_pkg_sig.name
+            if not update_file(tmp_pkg_sig, sstate_pkg_sig):
+                # If the created signature file could not be copied into place,
+                # then we should not use the sstate package either.
+                return
+
+            # If the .sig file was updated, then the sstate package must also
+            # be updated.
+            force = True
+
+        update_file(tmp_pkg, sstate_pkg, force)
+}
+
+# Shell function to generate a sstate package from a directory
+# set as SSTATE_BUILDDIR. Will be run from within SSTATE_BUILDDIR.
+# The calling function handles moving the sstate package into the final
+# destination.
+sstate_archive_package () {
         OPT="-cS"
         ZSTD="zstd -${SSTATE_ZSTD_CLEVEL} -T${ZSTD_THREADS}"
         # Use pzstd if available
@@ -840,42 +910,18 @@ sstate_create_package () {
         # Need to handle empty directories
         if [ "$(ls -A)" ]; then
                 set +e
-               tar -I "$ZSTD" $OPT -f $TFILE *
+               tar -I "$ZSTD" $OPT -f ${SSTATE_PKG} *
                 ret=$?
                 if [ $ret -ne 0 ] && [ $ret -ne 1 ]; then
                         exit 1
                 fi
                 set -e
         else
-               tar -I "$ZSTD" $OPT --file=$TFILE --files-from=/dev/null
-       fi
-       chmod 0664 $TFILE
-       # Skip if it was already created by some other process
-       if [ -h ${SSTATE_PKG} ] && [ ! -e ${SSTATE_PKG} ]; then
-               # There is a symbolic link, but it links to nothing.
-               # Forcefully replace it with the new file.
-               ln -f $TFILE ${SSTATE_PKG} || true
-       elif [ ! -e ${SSTATE_PKG} ]; then
-               # Move into place using ln to attempt an atomic op.
-               # Abort if it already exists
-               ln $TFILE ${SSTATE_PKG} || true
-       else
-               touch ${SSTATE_PKG} 2>/dev/null || true
+               tar -I "$ZSTD" $OPT --file=${SSTATE_PKG} --files-from=/dev/null
         fi
-       rm $TFILE
+       chmod 0664 ${SSTATE_PKG}
 }

-python sstate_sign_package () {
-    from oe.gpg_sign import get_signer
-
-
-    signer = get_signer(d, 'local')
-    sstate_pkg = d.getVar('SSTATE_PKG')
-    if os.path.exists(sstate_pkg + '.sig'):
-        os.unlink(sstate_pkg + '.sig')
-    signer.detach_sign(sstate_pkg, d.getVar('SSTATE_SIG_KEY', False), None,
-                       d.getVar('SSTATE_SIG_PASSPHRASE'), armor=False)
-}

 python sstate_report_unihash() {
     report_unihash = getattr(bb.parse.siggen, 'report_unihash', None)
--
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#192861): 
https://lists.openembedded.org/g/openembedded-core/message/192861
Mute This Topic: https://lists.openembedded.org/mt/103314293/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-