2025. 02. 02. 9:44 keltezéssel, Zoltan Boszormenyi via lists.openembedded.org
írta:
2025. 02. 01. 15:37 keltezéssel, Mathieu Dubois-Briand írta:
On Fri Jan 31, 2025 at 7:43 AM CET, Zoltán Böszörményi wrote:
Enable building rpm with rpm-seqouia for the test.
Signed-off-by: Zoltán Böszörményi <zbos...@gmail.com>
---
Sorry, I still get some errors while building:
2025-02-01 14:28:32,979 - oe-selftest - INFO - 9: 40/54 602/618 (56.20s) (0 failed)
(signing.Signing.test_signing_packages)
2025-02-01 14:28:32,979 - oe-selftest - INFO -
testtools.testresult.real._StringException: Traceback (most recent call last):
File
"/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/selftest/cases/signing.py",
line 113, in test_signing_packages
runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' %
File
"/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/utils/commands.py",
line 214, in runCmd
raise AssertionError("Command '%s' returned non-zero exit status %d:\n%s" %
(command, result.status, exc_output))
AssertionError: Command
'/srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/tmp/work/core2-64-poky-linux/ed/1.20.2/recipe-sysroot-native/usr/bin/rpmkeys
--define "_dbpath /tmp/oeqa-rpmdbsj05eco3" --import
/srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub'
returned non-zero exit status 1:
error: Certificate 7B31316B5D64AD52:
Policy rejects 7B31316B5D64AD52: No binding signature at time
2025-02-01T14:28:26Z
error:
/srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub:
key 1 import failed.
https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/893/steps/14/logs/stdio
Do you mind having a look at this ?
I have run the self test on a Fedora 41 host and it succeeded there.
Probably you need to fix the crypto policy to allow such a cert with a
"no binding signature" or replace the cert.
This github issue may have some useful pointers:
https://github.com/rpm-software-management/rpm-sequoia/issues/46
Can you please try this below?
Setting the envvar SEQUOIA_CRYPTO_POLICY to an empty string
will use the built-in default policy. See
https://github.com/rpm-software-management/rpm-sequoia/blob/main/src/lib.rs#L54
===============================================
diff --git a/meta/lib/oeqa/selftest/cases/signing.py
b/meta/lib/oeqa/selftest/cases/signing.py
index 51d1c3fa64..9a820ebc72 100644
--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -71,7 +71,6 @@ class Signing(OESelftestTestCase):
"""
import oe.packagedata
- self.skipTest('This test requires rpm-sequoia support in rpm')
self.setup_gpg()
package_classes = get_bb_var('PACKAGE_CLASSES')
@@ -84,9 +83,14 @@ class Signing(OESelftestTestCase):
feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
feature += 'RPM_GPG_NAME = "testuser"\n'
feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
+ feature += 'PACKAGECONFIG:append:pn-rpm-native = " sequoia"\n'
+ feature += 'PACKAGECONFIG:append:pn-rpm = " sequoia"\n'
self.write_config(feature)
+ # Test rpm-sequoia's default built-in policy
+ os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
+
bitbake('-c clean %s' % test_recipe)
bitbake('-f -c package_write_rpm %s' % test_recipe)
@@ -152,6 +156,9 @@ class Signing(OESelftestTestCase):
self.write_config(feature)
+ # Test rpm-sequoia's default built-in policy
+ os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
+
with self.create_new_builddir(os.environ['BUILDDIR'], builddir):
os.environ["PATH"] = nsysroot + ":" + os.environ["PATH"]
@@ -198,6 +205,9 @@ class LockedSignatures(OESelftestTestCase):
feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n'
self.write_config(feature)
+ # Test rpm-sequoia's default built-in policy
+ os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
+
# Build a locked recipe
bitbake(test_recipe)
===============================================
It succeeded for me:
$ oe-selftest -r signing
...
2025-02-03 10:53:11,900 - oe-selftest - INFO - oe-selftest () - Ran 3 tests in
2801.617s
2025-02-03 10:53:11,900 - oe-selftest - INFO - oe-selftest - OK - All required tests
passed (successes=3, skipped=0, failures=0, errors=0)
As for an actual crypto policy for rpm-sequoia, I am not sure
how appropriate it would be to create a recipe for Fedora's
crypto-policies package in Yocto.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#210637):
https://lists.openembedded.org/g/openembedded-core/message/210637
Mute This Topic: https://lists.openembedded.org/mt/110911940/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-