Re: [OE-core] [PATCH 5/5] dnf: expand dnf selftest to test signed package feeds
On Fri, 2017-08-11 at 13:51 +0300, Markus Lehtonen wrote: > [YOCTO #12099] seems that the bugzilla ID does not exit. > > Signed-off-by: Markus Lehtonen> --- > meta-selftest/files/signing/key.passphrase | 1 + > meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py | 12 > meta/lib/oeqa/selftest/cases/runtime_test.py| 13 - > 3 files changed, 25 insertions(+), 1 deletion(-) > create mode 100644 meta-selftest/files/signing/key.passphrase > > diff --git a/meta-selftest/files/signing/key.passphrase > b/meta-selftest/files/signing/key.passphrase > new file mode 100644 > index 00..5271a52680 > --- /dev/null > +++ b/meta-selftest/files/signing/key.passphrase > @@ -0,0 +1 @@ > +test123 > diff --git a/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py > b/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py > index 68e56f2c5e..3a299c75f6 100644 > --- a/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py > +++ b/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py 
> @@ -31,12 +31,24 @@ class DnfSelftest(DnfTest): > temp_file = os.path.join(self.temp_dir.name, 'tmp.repo') > self.tc.target.copyFrom("/etc/yum.repos.d/oe-remote-repo.repo", > temp_file) > fixed_config = open(temp_file, "r").read().replace("bogus_ip", > self.tc.target.server_ip).replace("bogus_port", str(self.repo_server.port)) > +fixed_config += 'repo_gpgcheck=1\n' > with open(temp_file, "w") as f: > f.write(fixed_config) > self.tc.target.copyTo(temp_file, > "/etc/yum.repos.d/oe-remote-repo.repo") > > +# First try should fail as the gpg pubkey is not available for dnf > import re > output_makecache = self.dnf('makecache') > +self.assertTrue(re.match(r".*Failed to synchronize cache", > output_makecache, re.DOTALL) is not None, msg = "dnf makecache should have > failed: %s" %(output_makecache)) > + > +# Add public key to dnf config -> now we should succeed > +fixed_config += > 'gpgkey=file:///etc/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s\n' % > self.tc.td['DISTRO_VERSION'] > +with open(temp_file, "w") as f: > +f.write(fixed_config) > +self.tc.target.copyTo(temp_file, > "/etc/yum.repos.d/oe-remote-repo.repo") > + > +output_makecache = self.dnf('-y makecache') > +self.assertTrue(re.match(r".*Failed to synchronize cache", > output_makecache, re.DOTALL) is None, msg = "dnf makecache failed to > synchronize repo: %s" %(output_makecache)) > self.assertTrue(re.match(r".*Metadata cache created", > output_makecache, re.DOTALL) is not None, msg = "dnf makecache failed: %s" > %(output_makecache)) > > output_repoinfo = self.dnf('repoinfo') > diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py > b/meta/lib/oeqa/selftest/cases/runtime_test.py > index 07d05b5972..e603c71f90 100644 > --- a/meta/lib/oeqa/selftest/cases/runtime_test.py > +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py 
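Review bot: The expected-failure call `output_makecache = self.dnf('makecache')` depends on how DnfTest.dnf (outside this hunk) treats a non-zero exit status: if the helper asserts on it by default, the run aborts before the `Failed to synchronize cache` assertion is reached, so the expected non-zero status should be passed explicitly for that step (the helper's `expected` argument, if it has one). The `re.match(r".*…", output_makecache, re.DOTALL) is not None` / `is None` checks would be clearer, with better failure output, as `self.assertIn("Failed to synchronize cache", output_makecache)` and `self.assertNotIn("Failed to synchronize cache", output_makecache)`. `repo_gpgcheck=1` makes dnf verify only the signature on the repository metadata, not on individual packages (that is `gpgcheck`), so the comment `# First try should fail as the gpg pubkey is not available for dnf` could state that scope, e.g. `# repo_gpgcheck verifies repodata signatures only; package signature checks (gpgcheck) are not exercised here`. The same hunk is quoted again in the later replies and in the original posting at the end of the page, and the enclosing test method starts before and continues after it.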
> @@ -3,6 +3,7 @@ from oeqa.utils.commands import runCmd, bitbake, get_bb_var, > get_bb_vars, runqem > from oeqa.core.decorator.oeid import OETestID > import os > import re > +import tempfile > > class TestExport(OESelftestTestCase): > > @@ -143,7 +144,17 @@ class TestImage(OESelftestTestCase): > # in at the start of the on-image test > features += 'PACKAGE_FEED_URIS = "http://bogus_ip:bogus_port"\n' > features += 'EXTRA_IMAGE_FEATURES += "package-management"\n' > -features += 'PACKAGE_CLASSES = "package_rpm"' > +features += 'PACKAGE_CLASSES = "package_rpm"\n' > + > +# Enable package feed signing > +self.gpg_home = tempfile.TemporaryDirectory(prefix="oeqa-feed-sign-") > +signing_key_dir = os.path.join(self.testlayer_path, 'files', > 'signing') > +runCmd('gpg --batch --homedir %s --import %s' % (self.gpg_home.name, > os.path.join(signing_key_dir, 'key.secret'))) > +features += 'INHERIT += "sign_package_feed"\n' > +features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n' > +features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % > os.path.join(signing_key_dir, 'key.passphrase') > +features += 'GPG_PATH = "%s"\n' % self.gpg_home.name > +features += 'IMAGE_INSTALL_append = "signing-keys-packagefeed"\n' > self.write_config(features) > > # Build core-image-sato and testimage > -- > 2.12.3 > -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
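Review bot: In the TestImage hunk, `features += 'IMAGE_INSTALL_append = "signing-keys-packagefeed"\n'` has no leading space inside the quotes as printed here; BitBake `_append` concatenates verbatim, so unless IMAGE_INSTALL already ends in whitespace the name is glued onto the previous package and the package that provides the /etc/pki/packagefeed-gpg/ key the dnf_runtime test relies on is never installed — it should read `features += 'IMAGE_INSTALL_append = " signing-keys-packagefeed"\n'`. `self.gpg_home = tempfile.TemporaryDirectory(prefix="oeqa-feed-sign-")` holds the imported secret key with no explicit teardown, so the directory is removed only when the object is finalized; adding `self.addCleanup(self.gpg_home.cleanup)` right after it ties the key material's lifetime to the test and wipes it on failure as well. The `gpg --batch --homedir %s --import %s` command interpolates two filesystem paths into a single command string; wrapping each with `shlex.quote` keeps the command correct if the temporary or layer path ever contains a space or shell-special character. The `import tempfile` hunk needs nothing; the same file section is quoted again in the original posting at the end of the page, and the enclosing test method continues outside the hunk.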
Re: [OE-core] [PATCH 5/5] dnf: expand dnf selftest to test signed package feeds
On 08/11/2017 03:54 PM, Markus Lehtonen wrote: Wait a moment. If feed signing is enabled, then dnf's "repo_gpgcheck", and "gpgkey" settings should be configured and working by default. You shouldn't fix them after the fact in the test. Please add the necessary code to insert_feeds_uris() in package_manager.py. Do you think it's a safe assumption that all repos configured via PACKAGE_FEED_URIS are signed and with the same key? We had a discussion on IRC; the problem here is that some of those repos may be from a 3rd party, or created earlier with different signing settings. We don't provide configuration support for such a mix of repositories; if PACKAGE_FEED_SIGN is enabled, then it is assumed that all of the configured repositories are signed with the provided key. If someone needs a more intricate configuration, they can have it via a custom repository indexer recipe, and image creation hooks that configure dnf to match that. The alternative (not configuring dnf to check the signatures) is worse: the repos are signed, but then dnf does not actually verify anything. So the signing is quietly subverted. This default case should simply work, and not fail quietly. Alex -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH 5/5] dnf: expand dnf selftest to test signed package feeds
On 08/11/2017 03:54 PM, Markus Lehtonen wrote: Wait a moment. If feed signing is enabled, then dnf's "repo_gpgcheck", and "gpgkey" settings should be configured and working by default. You shouldn't fix them after the fact in the test. Please add the necessary code to insert_feeds_uris() in package_manager.py. Do you think it's a safe assumption that all repos configured via PACKAGE_FEED_URIS are signed and with the same key? No; you should insert those lines only if PACKAGE_FEED_SIGN is set to "1". Do you mean something else? Alex -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH 5/5] dnf: expand dnf selftest to test signed package feeds
On 11/08/2017, 14.11, "Alexander Kanavin"wrote: On 08/11/2017 01:51 PM, Markus Lehtonen wrote: > --- a/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py > +++ b/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py 
> @@ -31,12 +31,24 @@ class DnfSelftest(DnfTest): > temp_file = os.path.join(self.temp_dir.name, 'tmp.repo') > self.tc.target.copyFrom("/etc/yum.repos.d/oe-remote-repo.repo", temp_file) > fixed_config = open(temp_file, "r").read().replace("bogus_ip", self.tc.target.server_ip).replace("bogus_port", str(self.repo_server.port)) > +fixed_config += 'repo_gpgcheck=1\n' > with open(temp_file, "w") as f: > f.write(fixed_config) > self.tc.target.copyTo(temp_file, "/etc/yum.repos.d/oe-remote-repo.repo") > > +# First try should fail as the gpg pubkey is not available for dnf > import re > output_makecache = self.dnf('makecache') > +self.assertTrue(re.match(r".*Failed to synchronize cache", output_makecache, re.DOTALL) is not None, msg = "dnf makecache should have failed: %s" %(output_makecache)) > + > +# Add public key to dnf config -> now we should succeed > +fixed_config += 'gpgkey=file:///etc/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s\n' % self.tc.td['DISTRO_VERSION'] > +with open(temp_file, "w") as f: > +f.write(fixed_config) > +self.tc.target.copyTo(temp_file, "/etc/yum.repos.d/oe-remote-repo.repo") > + > +output_makecache = self.dnf('-y makecache') > +self.assertTrue(re.match(r".*Failed to synchronize cache", output_makecache, re.DOTALL) is None, msg = "dnf makecache failed to synchronize repo: %s" %(output_makecache)) > self.assertTrue(re.match(r".*Metadata cache created", output_makecache, re.DOTALL) is not None, msg = "dnf makecache failed: %s" %(output_makecache)) > > output_repoinfo = self.dnf('repoinfo') Wait a moment. If feed signing is enabled, then dnf's "repo_gpgcheck", and "gpgkey" settings should be configured and working by default. You shouldn't fix them after the fact in the test. Please add the necessary code to insert_feeds_uris() in package_manager.py. Do you think it's a safe assumption that all repos configured via PACKAGE_FEED_URIS are signed and with the same key? 
Thanks, Markus -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH 5/5] dnf: expand dnf selftest to test signed package feeds
On 08/11/2017 01:51 PM, Markus Lehtonen wrote: --- a/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py +++ b/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py 
@@ -31,12 +31,24 @@ class DnfSelftest(DnfTest): temp_file = os.path.join(self.temp_dir.name, 'tmp.repo') self.tc.target.copyFrom("/etc/yum.repos.d/oe-remote-repo.repo", temp_file) fixed_config = open(temp_file, "r").read().replace("bogus_ip", self.tc.target.server_ip).replace("bogus_port", str(self.repo_server.port)) +fixed_config += 'repo_gpgcheck=1\n' with open(temp_file, "w") as f: f.write(fixed_config) self.tc.target.copyTo(temp_file, "/etc/yum.repos.d/oe-remote-repo.repo") +# First try should fail as the gpg pubkey is not available for dnf import re output_makecache = self.dnf('makecache') +self.assertTrue(re.match(r".*Failed to synchronize cache", output_makecache, re.DOTALL) is not None, msg = "dnf makecache should have failed: %s" %(output_makecache)) + +# Add public key to dnf config -> now we should succeed +fixed_config += 'gpgkey=file:///etc/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s\n' % self.tc.td['DISTRO_VERSION'] +with open(temp_file, "w") as f: +f.write(fixed_config) +self.tc.target.copyTo(temp_file, "/etc/yum.repos.d/oe-remote-repo.repo") + +output_makecache = self.dnf('-y makecache') +self.assertTrue(re.match(r".*Failed to synchronize cache", output_makecache, re.DOTALL) is None, msg = "dnf makecache failed to synchronize repo: %s" %(output_makecache)) self.assertTrue(re.match(r".*Metadata cache created", output_makecache, re.DOTALL) is not None, msg = "dnf makecache failed: %s" %(output_makecache)) output_repoinfo = self.dnf('repoinfo') Wait a moment. If feed signing is enabled, then dnf's "repo_gpgcheck", and "gpgkey" settings should be configured and working by default. You shouldn't fix them after the fact in the test. Please add the necessary code to insert_feeds_uris() in package_manager.py. Then you can simply test that: a) repository access ('dnf makecache' and 'dnf repoinfo') works without error. 
b) the signatures are indeed present in the feed configuration ('repoinfo' would probably print that) Alex -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 5/5] dnf: expand dnf selftest to test signed package feeds
[YOCTO #12099] Signed-off-by: Markus Lehtonen--- meta-selftest/files/signing/key.passphrase | 1 + meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py | 12 meta/lib/oeqa/selftest/cases/runtime_test.py| 13 - 3 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 meta-selftest/files/signing/key.passphrase diff --git a/meta-selftest/files/signing/key.passphrase b/meta-selftest/files/signing/key.passphrase new file mode 100644 index 00..5271a52680 --- /dev/null +++ b/meta-selftest/files/signing/key.passphrase @@ -0,0 +1 @@ +test123 diff --git a/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py b/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py index 68e56f2c5e..3a299c75f6 100644 --- a/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py +++ b/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py 
@@ -31,12 +31,24 @@ class DnfSelftest(DnfTest): temp_file = os.path.join(self.temp_dir.name, 'tmp.repo') self.tc.target.copyFrom("/etc/yum.repos.d/oe-remote-repo.repo", temp_file) fixed_config = open(temp_file, "r").read().replace("bogus_ip", self.tc.target.server_ip).replace("bogus_port", str(self.repo_server.port)) +fixed_config += 'repo_gpgcheck=1\n' with open(temp_file, "w") as f: f.write(fixed_config) self.tc.target.copyTo(temp_file, "/etc/yum.repos.d/oe-remote-repo.repo") +# First try should fail as the gpg pubkey is not available for dnf import re output_makecache = self.dnf('makecache') +self.assertTrue(re.match(r".*Failed to synchronize cache", output_makecache, re.DOTALL) is not None, msg = "dnf makecache should have failed: %s" %(output_makecache)) + +# Add public key to dnf config -> now we should succeed +fixed_config += 'gpgkey=file:///etc/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s\n' % self.tc.td['DISTRO_VERSION'] +with open(temp_file, "w") as f: +f.write(fixed_config) +self.tc.target.copyTo(temp_file, "/etc/yum.repos.d/oe-remote-repo.repo") + +output_makecache = self.dnf('-y makecache') +self.assertTrue(re.match(r".*Failed to synchronize cache", output_makecache, re.DOTALL) is None, msg = "dnf makecache failed to synchronize repo: %s" %(output_makecache)) self.assertTrue(re.match(r".*Metadata cache created", output_makecache, re.DOTALL) is not None, msg = "dnf makecache failed: %s" %(output_makecache)) output_repoinfo = self.dnf('repoinfo') diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py index 07d05b5972..e603c71f90 100644 --- a/meta/lib/oeqa/selftest/cases/runtime_test.py +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py @@ -3,6 +3,7 @@ from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars, runqem from oeqa.core.decorator.oeid import OETestID import os import re +import tempfile class TestExport(OESelftestTestCase): 
@@ -143,7 +144,17 @@ class TestImage(OESelftestTestCase): # in at the start of the on-image test features += 'PACKAGE_FEED_URIS = "http://bogus_ip:bogus_port"\n' features += 'EXTRA_IMAGE_FEATURES += "package-management"\n' -features += 'PACKAGE_CLASSES = "package_rpm"' +features += 'PACKAGE_CLASSES = "package_rpm"\n' + +# Enable package feed signing +self.gpg_home = tempfile.TemporaryDirectory(prefix="oeqa-feed-sign-") +signing_key_dir = os.path.join(self.testlayer_path, 'files', 'signing') +runCmd('gpg --batch --homedir %s --import %s' % (self.gpg_home.name, os.path.join(signing_key_dir, 'key.secret'))) +features += 'INHERIT += "sign_package_feed"\n' +features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n' +features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % os.path.join(signing_key_dir, 'key.passphrase') +features += 'GPG_PATH = "%s"\n' % self.gpg_home.name +features += 'IMAGE_INSTALL_append = "signing-keys-packagefeed"\n' self.write_config(features) # Build core-image-sato and testimage -- 2.12.3 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core