On 2025. 02. 02. 9:44, Zoltan Boszormenyi via lists.openembedded.org wrote:
On 2025. 02. 01. 15:37, Mathieu Dubois-Briand wrote:
On Fri Jan 31, 2025 at 7:43 AM CET, Zoltán Böszörményi wrote:
Enable building rpm with rpm-sequoia for the test.

Signed-off-by: Zoltán Böszörményi <zbos...@gmail.com>
---
Sorry, I still get some errors while building:

2025-02-01 14:28:32,979 - oe-selftest - INFO - 9: 40/54 602/618 (56.20s) (0 failed) (signing.Signing.test_signing_packages)
2025-02-01 14:28:32,979 - oe-selftest - INFO - testtools.testresult.real._StringException: Traceback (most recent call last):
  File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/selftest/cases/signing.py", line 113, in test_signing_packages
    runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' %
  File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/utils/commands.py", line 214, in runCmd
    raise AssertionError("Command '%s' returned non-zero exit status %d:\n%s" % (command, result.status, exc_output))
AssertionError: Command '/srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/tmp/work/core2-64-poky-linux/ed/1.20.2/recipe-sysroot-native/usr/bin/rpmkeys --define "_dbpath /tmp/oeqa-rpmdbsj05eco3" --import /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub' returned non-zero exit status 1:
error: Certificate 7B31316B5D64AD52:
   Policy rejects 7B31316B5D64AD52: No binding signature at time 2025-02-01T14:28:26Z
error: /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub: key 1 import failed.

https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/893/steps/14/logs/stdio

Do you mind having a look at this?

I have run the self test on a Fedora 41 host and it succeeded there.

Probably you need to fix the crypto policy to allow such a cert with a
"no binding signature" or replace the cert.

This github issue may have some useful pointers:
https://github.com/rpm-software-management/rpm-sequoia/issues/46

Can you please try this below?

Setting the envvar SEQUOIA_CRYPTO_POLICY to an empty string
will use the built-in default policy. See
https://github.com/rpm-software-management/rpm-sequoia/blob/main/src/lib.rs#L54

===============================================
diff --git a/meta/lib/oeqa/selftest/cases/signing.py 
b/meta/lib/oeqa/selftest/cases/signing.py
index 51d1c3fa64..9a820ebc72 100644
--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -71,7 +71,6 @@ class Signing(OESelftestTestCase):
         """
         import oe.packagedata

-        self.skipTest('This test requires rpm-sequoia support in rpm')
         self.setup_gpg()

         package_classes = get_bb_var('PACKAGE_CLASSES')
@@ -84,9 +83,14 @@ class Signing(OESelftestTestCase):
         feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
         feature += 'RPM_GPG_NAME = "testuser"\n'
         feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
+        feature += 'PACKAGECONFIG:append:pn-rpm-native = " sequoia"\n'
+        feature += 'PACKAGECONFIG:append:pn-rpm = " sequoia"\n'

         self.write_config(feature)

+        # Test rpm-sequoia's default built-in policy
+        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
+
         bitbake('-c clean %s' % test_recipe)
         bitbake('-f -c package_write_rpm %s' % test_recipe)

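Review bot: the os.environ['SEQUOIA_CRYPTO_POLICY'] = '' assignment added before bitbake('-c clean ...') changes the environment of the whole test process and is never undone, so anything that runs later in the same process also sees the empty value. Save the previous value and restore it in a cleanup (for example with self.addCleanup), or pass the variable only to the commands that need it. The comment "Test rpm-sequoia's default built-in policy" reads as if the policy were the thing under test; it would help to say that the override is there so the key import does not depend on the build host's policy file.
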
@@ -152,6 +156,9 @@ class Signing(OESelftestTestCase):

         self.write_config(feature)

+        # Test rpm-sequoia's default built-in policy
+        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
+
         with self.create_new_builddir(os.environ['BUILDDIR'], builddir):

             os.environ["PATH"] = nsysroot + ":" + os.environ["PATH"]
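Review bot: the assignment between self.write_config(feature) and the create_new_builddir block is the second of three identical copies of the same comment and os.environ line in this patch. Move it into one helper or a shared setUp so the override is applied and explained in a single place, and so a later change to the policy handling does not have to be repeated in each test.
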
@@ -198,6 +205,9 @@ class LockedSignatures(OESelftestTestCase):
         feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n'
         self.write_config(feature)

+        # Test rpm-sequoia's default built-in policy
+        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
+
         # Build a locked recipe
         bitbake(test_recipe)

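Review bot: in LockedSignatures the override is added before bitbake(test_recipe), but nothing visible in this hunk involves RPM signing or key import; the surrounding config only sets SIGGEN_LOCKEDSIGS_TASKSIG_CHECK. If this test never reaches rpm's OpenPGP code, drop the assignment here; if it does, name the step that needs it in the comment.
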
===============================================

It succeeded for me:

$ oe-selftest -r signing
...
2025-02-03 10:53:11,900 - oe-selftest - INFO - oe-selftest () - Ran 3 tests in 2801.617s
2025-02-03 10:53:11,900 - oe-selftest - INFO - oe-selftest - OK - All required tests passed (successes=3, skipped=0, failures=0, errors=0)

As for an actual crypto policy for rpm-sequoia, I am not sure
how appropriate it would be to create a recipe for Fedora's
crypto-policies package in Yocto.
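
An added example, not part of the original message or of the OE-core patch: one way to apply the empty SEQUOIA_CRYPTO_POLICY override described above only for the duration of a block and restore the previous state afterwards, together with a parser for the "Policy rejects" lines from the rpmkeys output quoted in the thread. The names policy_rejections and sequoia_builtin_policy are hypothetical, and the sample text is constructed from the quoted log with the file path shortened.

```python
import contextlib
import os
import re

# Constructed sample: rpmkeys error text as quoted in the thread (path shortened).
SAMPLE_STDERR = """\
error: Certificate 7B31316B5D64AD52:
   Policy rejects 7B31316B5D64AD52: No binding signature at time 2025-02-01T14:28:26Z
error: key.pub: key 1 import failed.
"""

POLICY_VAR = "SEQUOIA_CRYPTO_POLICY"
_REJECT = re.compile(r"Policy rejects (?P<keyid>[0-9A-Fa-f]{16,40}): (?P<reason>.+)$")


def policy_rejections(stderr_text):
    """Return (key id, reason) for each 'Policy rejects' line in rpmkeys output."""
    found = []
    for line in stderr_text.splitlines():
        match = _REJECT.search(line.strip())
        if match:
            found.append((match.group("keyid"), match.group("reason")))
    return found


@contextlib.contextmanager
def sequoia_builtin_policy():
    """Set SEQUOIA_CRYPTO_POLICY to '' inside the block, then restore the old state.

    Per the message above, an empty value selects rpm-sequoia's built-in policy.
    """
    had_value = POLICY_VAR in os.environ
    previous = os.environ.get(POLICY_VAR)
    os.environ[POLICY_VAR] = ""
    try:
        yield
    finally:
        # Restore exactly what was there before: either the old value or "unset".
        if had_value:
            os.environ[POLICY_VAR] = previous
        else:
            os.environ.pop(POLICY_VAR, None)


if __name__ == "__main__":
    for keyid, reason in policy_rejections(SAMPLE_STDERR):
        print("rejected by policy:", keyid, "-", reason)
```

Child processes started inside the with block inherit the empty value; code that runs after the block sees the environment as it was before.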
