signing.py: Re-enable self-test

Alexander Kanavin via lists.openembedded.org Mon, 03 Feb 2025 03:19:14 -0800

I would recommend you send this change as a proper patch. You should
not be asking integrators to produce patches out of ad hoc mailing
list tweaks.


Alex

On Mon, 3 Feb 2025 at 11:11, Böszörményi Zoltán <zbos...@gmail.com> wrote:
>
> 2025. 02. 02. 9:44 keltezéssel, Zoltan Boszormenyi via lists.openembedded.org 
> írta:
> > 2025. 02. 01. 15:37 keltezéssel, Mathieu Dubois-Briand írta:
> >> On Fri Jan 31, 2025 at 7:43 AM CET, Zoltán Böszörményi wrote:
> >>> Enable building rpm with rpm-seqouia for the test.
> >>>
> >>> Signed-off-by: Zoltán Böszörményi <zbos...@gmail.com>
> >>> ---
> >> Sorry, I still get some errors while building:
> >>
> >> 2025-02-01 14:28:32,979 - oe-selftest - INFO - 9: 40/54 602/618 (56.20s) 
> >> (0 failed)
> >> (signing.Signing.test_signing_packages)
> >> 2025-02-01 14:28:32,979 - oe-selftest - INFO -
> >> testtools.testresult.real._StringException: Traceback (most recent call 
> >> last):
> >>    File
> >> "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/selftest/cases/signing.py",
> >> line 113, in test_signing_packages
> >>      runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' %
> >>    File
> >> "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/utils/commands.py",
> >> line 214, in runCmd
> >>      raise AssertionError("Command '%s' returned non-zero exit status 
> >> %d:\n%s" %
> >> (command, result.status, exc_output))
> >> AssertionError: Command
> >> '/srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/tmp/work/core2-64-poky-linux/ed/1.20.2/recipe-sysroot-native/usr/bin/rpmkeys
> >> --define "_dbpath /tmp/oeqa-rpmdbsj05eco3" --import
> >> /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub'
> >> returned non-zero exit status 1:
> >> error: Certificate 7B31316B5D64AD52:
> >>    Policy rejects 7B31316B5D64AD52: No binding signature at time 
> >> 2025-02-01T14:28:26Z
> >> error:
> >> /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub:
> >> key 1 import failed.
> >>
> >> https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/893/steps/14/logs/stdio
> >>
> >> Do you mind having a look at this ?
> >
> > I have run the self test on a Fedora 41 host and it succeeded there.
> >
> > Probably you need to fix the crypto policy to allow such a cert with a
> > "no binding signature" or replace the cert.
> >
> > This github issue may have some useful pointers:
> > https://github.com/rpm-software-management/rpm-sequoia/issues/46
>
> Can you please try this below?
>
> Setting the envvar SEQUOIA_CRYPTO_POLICY to an empty string
> will use the built-in default policy. See
> https://github.com/rpm-software-management/rpm-sequoia/blob/main/src/lib.rs#L54
>
> ===============================================
> diff --git a/meta/lib/oeqa/selftest/cases/signing.py 
> b/meta/lib/oeqa/selftest/cases/signing.py
> index 51d1c3fa64..9a820ebc72 100644
> --- a/meta/lib/oeqa/selftest/cases/signing.py
> +++ b/meta/lib/oeqa/selftest/cases/signing.py
> @@ -71,7 +71,6 @@ class Signing(OESelftestTestCase):
>           """
>           import oe.packagedata
>
> -        self.skipTest('This test requires rpm-sequoia support in rpm')
>           self.setup_gpg()
>
>           package_classes = get_bb_var('PACKAGE_CLASSES')
> @@ -84,9 +83,14 @@ class Signing(OESelftestTestCase):
>           feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
>           feature += 'RPM_GPG_NAME = "testuser"\n'
>           feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
> +        feature += 'PACKAGECONFIG:append:pn-rpm-native = " sequoia"\n'
> +        feature += 'PACKAGECONFIG:append:pn-rpm = " sequoia"\n'
>
>           self.write_config(feature)
>
> +        # Test rpm-sequoia's default built-in policy
> +        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
> +
>           bitbake('-c clean %s' % test_recipe)
>           bitbake('-f -c package_write_rpm %s' % test_recipe)
>
> @@ -152,6 +156,9 @@ class Signing(OESelftestTestCase):
>
>           self.write_config(feature)
>
> +        # Test rpm-sequoia's default built-in policy
> +        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
> +
>           with self.create_new_builddir(os.environ['BUILDDIR'], builddir):
>
>               os.environ["PATH"] = nsysroot + ":" + os.environ["PATH"]
> @@ -198,6 +205,9 @@ class LockedSignatures(OESelftestTestCase):
>           feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n'
>           self.write_config(feature)
>
> +        # Test rpm-sequoia's default built-in policy
> +        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
> +
>           # Build a locked recipe
>           bitbake(test_recipe)
>
> ===============================================
>
> It succeeded for me:
>
> $ oe-selftest -r signing
> ...
> 2025-02-03 10:53:11,900 - oe-selftest - INFO - oe-selftest () - Ran 3 tests 
> in 2801.617s
> 2025-02-03 10:53:11,900 - oe-selftest - INFO - oe-selftest - OK - All 
> required tests
> passed (successes=3, skipped=0, failures=0, errors=0)
>
> As for an actual crypto policy for rpm-sequoia, I am not sure
> how appropriate it would be to create a recipe for Fedora's
> crypto-policies package in Yocto.
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#210643): 
https://lists.openembedded.org/g/openembedded-core/message/210643
Mute This Topic: https://lists.openembedded.org/mt/110911940/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][PATCH v4 2/2] oeqa/selftest/cases/signing.py: Re-enable self-test

Reply via email to