Re: [OE-core] [PATCH 5/5] dnf: expand dnf selftest to test signed package feeds

2017-08-11 Thread Leonardo Sandoval
On Fri, 2017-08-11 at 13:51 +0300, Markus Lehtonen wrote:
> [YOCTO #12099]

It seems that the Bugzilla ID does not exist.

> 
> Signed-off-by: Markus Lehtonen 
> ---
>  meta-selftest/files/signing/key.passphrase  |  1 +
>  meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py | 12 
>  meta/lib/oeqa/selftest/cases/runtime_test.py| 13 -
>  3 files changed, 25 insertions(+), 1 deletion(-)
>  create mode 100644 meta-selftest/files/signing/key.passphrase
> 
> diff --git a/meta-selftest/files/signing/key.passphrase 
> b/meta-selftest/files/signing/key.passphrase
> new file mode 100644
> index 00..5271a52680
> --- /dev/null
> +++ b/meta-selftest/files/signing/key.passphrase
> @@ -0,0 +1 @@
> +test123
> diff --git a/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py 
> b/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py
> index 68e56f2c5e..3a299c75f6 100644
> --- a/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py
> +++ b/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py
> @@ -31,12 +31,24 @@ class DnfSelftest(DnfTest):
>  temp_file = os.path.join(self.temp_dir.name, 'tmp.repo')
>  self.tc.target.copyFrom("/etc/yum.repos.d/oe-remote-repo.repo", 
> temp_file)
>  fixed_config = open(temp_file, "r").read().replace("bogus_ip", 
> self.tc.target.server_ip).replace("bogus_port", str(self.repo_server.port))
> +fixed_config += 'repo_gpgcheck=1\n'
>  with open(temp_file, "w") as f:
>  f.write(fixed_config)
>  self.tc.target.copyTo(temp_file, 
> "/etc/yum.repos.d/oe-remote-repo.repo")
>  
> +# First try should fail as the gpg pubkey is not available for dnf
>  import re
>  output_makecache = self.dnf('makecache')
> +self.assertTrue(re.match(r".*Failed to synchronize cache", 
> output_makecache, re.DOTALL) is not None, msg = "dnf makecache should have 
> failed: %s" %(output_makecache))
> +
> +# Add public key to dnf config -> now we should succeed
> +fixed_config += 
> 'gpgkey=file:///etc/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s\n' % 
> self.tc.td['DISTRO_VERSION']
> +with open(temp_file, "w") as f:
> +f.write(fixed_config)
> +self.tc.target.copyTo(temp_file, 
> "/etc/yum.repos.d/oe-remote-repo.repo")
> +
> +output_makecache = self.dnf('-y makecache')
> +self.assertTrue(re.match(r".*Failed to synchronize cache", 
> output_makecache, re.DOTALL) is None, msg = "dnf makecache failed to 
> synchronize repo: %s" %(output_makecache))
>  self.assertTrue(re.match(r".*Metadata cache created", 
> output_makecache, re.DOTALL) is not None, msg = "dnf makecache failed: %s" 
> %(output_makecache))
>  
>  output_repoinfo = self.dnf('repoinfo')
> diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py 
> b/meta/lib/oeqa/selftest/cases/runtime_test.py
> index 07d05b5972..e603c71f90 100644
> --- a/meta/lib/oeqa/selftest/cases/runtime_test.py
> +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
> @@ -3,6 +3,7 @@ from oeqa.utils.commands import runCmd, bitbake, get_bb_var, 
> get_bb_vars, runqem
>  from oeqa.core.decorator.oeid import OETestID
>  import os
>  import re
> +import tempfile
>  
>  class TestExport(OESelftestTestCase):
>  
> @@ -143,7 +144,17 @@ class TestImage(OESelftestTestCase):
>  # in at the start of the on-image test
>  features += 'PACKAGE_FEED_URIS = "http://bogus_ip:bogus_port"\n'
>  features += 'EXTRA_IMAGE_FEATURES += "package-management"\n'
> -features += 'PACKAGE_CLASSES = "package_rpm"'
> +features += 'PACKAGE_CLASSES = "package_rpm"\n'
> +
> +# Enable package feed signing
> +self.gpg_home = tempfile.TemporaryDirectory(prefix="oeqa-feed-sign-")
> +signing_key_dir = os.path.join(self.testlayer_path, 'files', 
> 'signing')
> +runCmd('gpg --batch --homedir %s --import %s' % (self.gpg_home.name, 
> os.path.join(signing_key_dir, 'key.secret')))
> +features += 'INHERIT += "sign_package_feed"\n'
> +features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n'
> +features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % 
> os.path.join(signing_key_dir, 'key.passphrase')
> +features += 'GPG_PATH = "%s"\n' % self.gpg_home.name
> +features += 'IMAGE_INSTALL_append  = "signing-keys-packagefeed"\n'
>  self.write_config(features)
>  
>  # Build core-image-sato and testimage
> -- 
> 2.12.3
> 




Re: [OE-core] [PATCH 5/5] dnf: expand dnf selftest to test signed package feeds

2017-08-11 Thread Alexander Kanavin

On 08/11/2017 03:54 PM, Markus Lehtonen wrote:


 Wait a moment. If feed signing is enabled, then dnf's "repo_gpgcheck",
 and "gpgkey" settings should be configured and working by default. You
 shouldn't fix them after the fact in the test. Please add the necessary
 code to insert_feeds_uris() in package_manager.py.
 
Do you think it's a safe assumption that all repos configured via PACKAGE_FEED_URIS are signed and with the same key?


We had a discussion on IRC; the problem here is that some of those repos 
may be from a 3rd party, or created earlier with different signing 
settings. We don't provide configuration support for such a mix of 
repositories; if PACKAGE_FEED_SIGN is enabled, then it is assumed that 
all of the configured repositories are signed with the provided key. If 
someone needs a more intricate configuration, they can have it via a 
custom repository indexer recipe, and image creation hooks that 
configure dnf to match that.


The alternative (not configuring dnf to check the signatures) is worse: 
the repos are signed, but then dnf does not actually verify anything, so 
the signing is quietly subverted. This default case should simply work, 
and must not fail quietly.


Alex


Re: [OE-core] [PATCH 5/5] dnf: expand dnf selftest to test signed package feeds

2017-08-11 Thread Alexander Kanavin

On 08/11/2017 03:54 PM, Markus Lehtonen wrote:


 Wait a moment. If feed signing is enabled, then dnf's "repo_gpgcheck",
 and "gpgkey" settings should be configured and working by default. You
 shouldn't fix them after the fact in the test. Please add the necessary
 code to insert_feeds_uris() in package_manager.py.
 
Do you think it's a safe assumption that all repos configured via PACKAGE_FEED_URIS are signed and with the same key?


No; you should insert those lines only if PACKAGE_FEED_SIGN is set to 
"1". Do you mean something else?


Alex


Re: [OE-core] [PATCH 5/5] dnf: expand dnf selftest to test signed package feeds

2017-08-11 Thread Markus Lehtonen
On 11/08/2017, 14.11, "Alexander Kanavin"  
wrote:

On 08/11/2017 01:51 PM, Markus Lehtonen wrote:
> --- a/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py
> +++ b/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py
> @@ -31,12 +31,24 @@ class DnfSelftest(DnfTest):
>   temp_file = os.path.join(self.temp_dir.name, 'tmp.repo')
>   self.tc.target.copyFrom("/etc/yum.repos.d/oe-remote-repo.repo", 
temp_file)
>   fixed_config = open(temp_file, "r").read().replace("bogus_ip", 
self.tc.target.server_ip).replace("bogus_port", str(self.repo_server.port))
> +fixed_config += 'repo_gpgcheck=1\n'
>   with open(temp_file, "w") as f:
>   f.write(fixed_config)
>   self.tc.target.copyTo(temp_file, 
"/etc/yum.repos.d/oe-remote-repo.repo")
>   
> +# First try should fail as the gpg pubkey is not available for 
dnf
>   import re
>   output_makecache = self.dnf('makecache')
> +self.assertTrue(re.match(r".*Failed to synchronize cache", 
output_makecache, re.DOTALL) is not None, msg = "dnf makecache should have 
failed: %s" %(output_makecache))
> +
> +# Add public key to dnf config -> now we should succeed
> +fixed_config += 
'gpgkey=file:///etc/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s\n' % 
self.tc.td['DISTRO_VERSION']
> +with open(temp_file, "w") as f:
> +f.write(fixed_config)
> +self.tc.target.copyTo(temp_file, 
"/etc/yum.repos.d/oe-remote-repo.repo")
> +
> +output_makecache = self.dnf('-y makecache')
> +self.assertTrue(re.match(r".*Failed to synchronize cache", 
output_makecache, re.DOTALL) is None, msg = "dnf makecache failed to 
synchronize repo: %s" %(output_makecache))
>   self.assertTrue(re.match(r".*Metadata cache created", 
output_makecache, re.DOTALL) is not None, msg = "dnf makecache failed: %s" 
%(output_makecache))
>   
>   output_repoinfo = self.dnf('repoinfo')

Wait a moment. If feed signing is enabled, then dnf's "repo_gpgcheck", 
and "gpgkey" settings should be configured and working by default. You 
shouldn't fix them after the fact in the test. Please add the necessary 
code to insert_feeds_uris() in package_manager.py.

Do you think it's a safe assumption that all repos configured via 
PACKAGE_FEED_URIS are signed and with the same key?

Thanks,
   Markus
 




Re: [OE-core] [PATCH 5/5] dnf: expand dnf selftest to test signed package feeds

2017-08-11 Thread Alexander Kanavin

On 08/11/2017 01:51 PM, Markus Lehtonen wrote:

--- a/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py
+++ b/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py
@@ -31,12 +31,24 @@ class DnfSelftest(DnfTest):
  temp_file = os.path.join(self.temp_dir.name, 'tmp.repo')
  self.tc.target.copyFrom("/etc/yum.repos.d/oe-remote-repo.repo", 
temp_file)
  fixed_config = open(temp_file, "r").read().replace("bogus_ip", 
self.tc.target.server_ip).replace("bogus_port", str(self.repo_server.port))
+fixed_config += 'repo_gpgcheck=1\n'
  with open(temp_file, "w") as f:
  f.write(fixed_config)
  self.tc.target.copyTo(temp_file, 
"/etc/yum.repos.d/oe-remote-repo.repo")
  
+# First try should fail as the gpg pubkey is not available for dnf

  import re
  output_makecache = self.dnf('makecache')
+self.assertTrue(re.match(r".*Failed to synchronize cache", output_makecache, 
re.DOTALL) is not None, msg = "dnf makecache should have failed: %s" %(output_makecache))
+
+# Add public key to dnf config -> now we should succeed
+fixed_config += 
'gpgkey=file:///etc/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s\n' % 
self.tc.td['DISTRO_VERSION']
+with open(temp_file, "w") as f:
+f.write(fixed_config)
+self.tc.target.copyTo(temp_file, 
"/etc/yum.repos.d/oe-remote-repo.repo")
+
+output_makecache = self.dnf('-y makecache')
+self.assertTrue(re.match(r".*Failed to synchronize cache", output_makecache, 
re.DOTALL) is None, msg = "dnf makecache failed to synchronize repo: %s" 
%(output_makecache))
  self.assertTrue(re.match(r".*Metadata cache created", output_makecache, 
re.DOTALL) is not None, msg = "dnf makecache failed: %s" %(output_makecache))
  
  output_repoinfo = self.dnf('repoinfo')


Wait a moment. If feed signing is enabled, then dnf's "repo_gpgcheck", 
and "gpgkey" settings should be configured and working by default. You 
shouldn't fix them after the fact in the test. Please add the necessary 
code to insert_feeds_uris() in package_manager.py.


Then you can simply test that:
a) repository access ('dnf makecache' and 'dnf repoinfo') works without 
error.
b) the signatures are indeed present in the feed configuration 
('repoinfo' would probably print that)


Alex


[OE-core] [PATCH 5/5] dnf: expand dnf selftest to test signed package feeds

2017-08-11 Thread Markus Lehtonen
[YOCTO #12099]

Signed-off-by: Markus Lehtonen 
---
 meta-selftest/files/signing/key.passphrase  |  1 +
 meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py | 12 
 meta/lib/oeqa/selftest/cases/runtime_test.py| 13 -
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 meta-selftest/files/signing/key.passphrase

diff --git a/meta-selftest/files/signing/key.passphrase 
b/meta-selftest/files/signing/key.passphrase
new file mode 100644
index 00..5271a52680
--- /dev/null
+++ b/meta-selftest/files/signing/key.passphrase
@@ -0,0 +1 @@
+test123
diff --git a/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py 
b/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py
index 68e56f2c5e..3a299c75f6 100644
--- a/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py
+++ b/meta-selftest/lib/oeqa/runtime/cases/dnf_runtime.py
@@ -31,12 +31,24 @@ class DnfSelftest(DnfTest):
 temp_file = os.path.join(self.temp_dir.name, 'tmp.repo')
 self.tc.target.copyFrom("/etc/yum.repos.d/oe-remote-repo.repo", 
temp_file)
 fixed_config = open(temp_file, "r").read().replace("bogus_ip", 
self.tc.target.server_ip).replace("bogus_port", str(self.repo_server.port))
+fixed_config += 'repo_gpgcheck=1\n'
 with open(temp_file, "w") as f:
 f.write(fixed_config)
 self.tc.target.copyTo(temp_file, 
"/etc/yum.repos.d/oe-remote-repo.repo")
 
+# First try should fail as the gpg pubkey is not available for dnf
 import re
 output_makecache = self.dnf('makecache')
+self.assertTrue(re.match(r".*Failed to synchronize cache", 
output_makecache, re.DOTALL) is not None, msg = "dnf makecache should have 
failed: %s" %(output_makecache))
+
+# Add public key to dnf config -> now we should succeed
+fixed_config += 
'gpgkey=file:///etc/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s\n' % 
self.tc.td['DISTRO_VERSION']
+with open(temp_file, "w") as f:
+f.write(fixed_config)
+self.tc.target.copyTo(temp_file, 
"/etc/yum.repos.d/oe-remote-repo.repo")
+
+output_makecache = self.dnf('-y makecache')
+self.assertTrue(re.match(r".*Failed to synchronize cache", 
output_makecache, re.DOTALL) is None, msg = "dnf makecache failed to 
synchronize repo: %s" %(output_makecache))
 self.assertTrue(re.match(r".*Metadata cache created", 
output_makecache, re.DOTALL) is not None, msg = "dnf makecache failed: %s" 
%(output_makecache))
 
 output_repoinfo = self.dnf('repoinfo')
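Review bot: The negative check after the first `makecache` only asserts the generic `Failed to synchronize cache` text, so an unreachable repo (for instance if the `bogus_ip`/`bogus_port` substitution did not take effect) satisfies the assertion without signature verification ever being exercised. Tighten it so the failure has to be attributed to the missing key, in the file's existing style: `self.assertTrue(re.search(r"(?i)gpg|key", output_makecache) is not None, msg="dnf did not fail on the signature check: %s" % output_makecache)`; the exact wording dnf prints depends on its version, so take the substring from an observed run. `fixed_config += 'repo_gpgcheck=1\n'` is appended without checking that the copied repo file ends in a newline; guard with `if not fixed_config.endswith('\n'): fixed_config += '\n'` so the option cannot be glued onto the last existing line. The enclosing test method starts before this hunk.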
diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py 
b/meta/lib/oeqa/selftest/cases/runtime_test.py
index 07d05b5972..e603c71f90 100644
--- a/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -3,6 +3,7 @@ from oeqa.utils.commands import runCmd, bitbake, get_bb_var, 
get_bb_vars, runqem
 from oeqa.core.decorator.oeid import OETestID
 import os
 import re
+import tempfile
 
 class TestExport(OESelftestTestCase):
 
@@ -143,7 +144,17 @@ class TestImage(OESelftestTestCase):
 # in at the start of the on-image test
 features += 'PACKAGE_FEED_URIS = "http://bogus_ip:bogus_port"\n'
 features += 'EXTRA_IMAGE_FEATURES += "package-management"\n'
-features += 'PACKAGE_CLASSES = "package_rpm"'
+features += 'PACKAGE_CLASSES = "package_rpm"\n'
+
+# Enable package feed signing
+self.gpg_home = tempfile.TemporaryDirectory(prefix="oeqa-feed-sign-")
+signing_key_dir = os.path.join(self.testlayer_path, 'files', 'signing')
+runCmd('gpg --batch --homedir %s --import %s' % (self.gpg_home.name, 
os.path.join(signing_key_dir, 'key.secret')))
+features += 'INHERIT += "sign_package_feed"\n'
+features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n'
+features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % 
os.path.join(signing_key_dir, 'key.passphrase')
+features += 'GPG_PATH = "%s"\n' % self.gpg_home.name
+features += 'IMAGE_INSTALL_append  = "signing-keys-packagefeed"\n'
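Review bot: `IMAGE_INSTALL_append  = "signing-keys-packagefeed"` has no leading space inside the quotes; bitbake's `_append` concatenates literally, so unless the image's IMAGE_INSTALL happens to end in whitespace the package name is glued onto the previous entry and the key package is never installed, which would make the later on-target `gpgkey=file:///etc/pki/...` lookup fail for the wrong reason. Use `features += 'IMAGE_INSTALL_append = " signing-keys-packagefeed"\n'`. The `gpg --batch --homedir %s --import %s` command is assembled as one string from `self.gpg_home.name` and `self.testlayer_path`; if runCmd hands it to a shell, a path with spaces or metacharacters breaks the import, so wrap both paths in `shlex.quote()`. Importing the test secret key into a throwaway `GPG_PATH` rather than the user's keyring is the right call; the enclosing test method begins before this hunk.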
 self.write_config(features)
 
 # Build core-image-sato and testimage
-- 
2.12.3
