On Tue, 2016-08-23 at 10:35 +0300, Dmitry Rozhkov wrote: > SWUPD server may move to a new location where a different pubkey > needs to be used and the hardcoded one won't work. > > This makes pinned pubkey configurable.
This change sounds good but fails to build here. swupd-client do_install fails with the attached log. Thanks, Joshua > Signed-off-by: Dmitry Rozhkov <dmitry.rozh...@linux.intel.com> > --- > .../Make-pinned-pubkey-configurable.patch | 118 > +++++++++++++++++++++ > recipes-core/swupd-client/swupd-client_git.bb | 3 + > 2 files changed, 121 insertions(+) > create mode 100644 recipes-core/swupd-client/swupd-client/Make- > pinned-pubkey-configurable.patch > > diff --git a/recipes-core/swupd-client/swupd-client/Make-pinned- > pubkey-configurable.patch b/recipes-core/swupd-client/swupd- > client/Make-pinned-pubkey-configurable.patch > new file mode 100644 > index 0000000..4326a58 > --- /dev/null > +++ b/recipes-core/swupd-client/swupd-client/Make-pinned-pubkey- > configurable.patch 
> @@ -0,0 +1,118 @@ > +From 6792cfef0ebfbe83e41bc81df6bc675604d7c943 Mon Sep 17 00:00:00 > 2001 > +From: Dmitry Rozhkov <dmitry.rozh...@linux.intel.com> > +Date: Tue, 16 Aug 2016 10:55:15 +0300 > +Subject: [PATCH] Make pinned pubkey configurable > + > +The server may move to a new location where a different pubkey > +needs to be used and the hardcoded one won't work. > + > +This patch makes pinned pubkey configurable. > + > +Upstream-Status: Submitted [https://github.com/clearlinux/swupd-clie > nt/pull/110] > + > +Signed-off-by: Dmitry Rozhkov <dmitry.rozh...@linux.intel.com> > +--- > + configure.ac | 2 ++ > + include/swupd.h | 1 + > + src/curl.c | 2 +- > + src/globals.c | 14 ++++++++++++++ > + 4 files changed, 18 insertions(+), 1 deletion(-) > + > +diff --git a/configure.ac b/configure.ac > +index 83007aa..883553a 100644 > +--- a/configure.ac > ++++ b/configure.ac > +@@ -114,6 +114,7 @@ AH_TEMPLATE([LOCK_DIR],[Directory for lock > file]) > + AH_TEMPLATE([BUNDLES_DIR],[Directory to use for bundles]) > + AH_TEMPLATE([UPDATE_CA_CERTS_PATH],[Location of CA certificates]) > + AH_TEMPLATE([MOTD_FILE],[motd file path]) > ++AH_TEMPLATE([PINNED_PUBKEY_PATH],[Path to pinned public key]) > + > + if test "$enable_linux_rootfs_build" = "yes"; then > + AC_DEFINE([SWUPD_LINUX_ROOTFS],1) > +@@ -124,6 +125,7 @@ if test "$enable_linux_rootfs_build" = "yes"; > then > + AC_DEFINE([BUNDLES_DIR],["/usr/share/clear/bundles"]) > + AC_DEFINE_UNQUOTED([UPDATE_CA_CERTS_PATH],["$certs_path"]) > + AC_DEFINE([MOTD_FILE],["/usr/lib/motd.d/001-new-release"]) > ++ AC_DEFINE_UNQUOTED([PINNED_PUBKEY_PATH],["${certs_path}/425 > b0f6b.key"]) > + else > + AC_MSG_ERROR([Unknown build variant]) > + fi > +diff --git a/include/swupd.h b/include/swupd.h > +index 5c722d3..3658dc8 100644 > +--- a/include/swupd.h > ++++ b/include/swupd.h > +@@ -132,6 +132,7 @@ extern void *tm_dlhandle; > + extern char *bundle_to_add; > + extern struct timeval start_time; > + extern char *state_dir; > ++extern char 
*pinned_pubkey_path; > + > + extern char *version_url; > + extern char *content_url; > +diff --git a/src/curl.c b/src/curl.c > +index 6b6099f..b14193b 100644 > +--- a/src/curl.c > ++++ b/src/curl.c > +@@ -447,7 +447,7 @@ static CURLcode > swupd_curl_set_security_opts(CURL *curl) > + goto exit; > + } > + > +- curl_ret = curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, > "/usr/share/clear/update-ca/425b0f6b.key"); > ++ curl_ret = curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, > pinned_pubkey_path); > + if (curl_ret != CURLE_OK) { > + goto exit; > + } > +diff --git a/src/globals.c b/src/globals.c > +index f2f1200..d0858df 100644 > +--- a/src/globals.c > ++++ b/src/globals.c > +@@ -51,6 +51,7 @@ char *mounted_dirs = NULL; > + char *bundle_to_add = NULL; > + struct timeval start_time; > + char *state_dir = NULL; > ++char *pinned_pubkey_path = NULL; > + > + /* NOTE: Today the content and version server urls are the same in > + * all cases. It is highly likely these will eventually differ, > eg: > +@@ -68,6 +69,7 @@ long update_server_port = -1; > + static const char *default_version_url_path = > "/usr/share/defaults/swupd/versionurl"; > + static const char *default_content_url_path = > "/usr/share/defaults/swupd/contenturl"; > + static const char *default_format_path = > "/usr/share/defaults/swupd/format"; > ++static const char *default_pinnedpubkey_path = > "/usr/share/defaults/swupd/pinnedpubkey"; > + > + static int set_default_value(char **global, const char *path) > + { > +@@ -194,6 +196,16 @@ bool set_state_dir(char *path) > + return true; > + } > + > ++void set_pinned_pubkey_path() > ++{ > ++ int ret; > ++ > ++ ret = set_default_value(&pinned_pubkey_path, > default_pinnedpubkey_path); > ++ if (ret < 0) { > ++ string_or_die(&pinned_pubkey_path, "%s", > PINNED_PUBKEY_PATH); > ++ } > ++} > ++ > + bool set_format_string(char *userinput) > + { > + int ret; > +@@ -322,6 +334,7 @@ bool init_globals(void) > + (void)set_format_string(NULL); > + set_version_url(NULL); > + 
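Review bot: In the src/curl.c hunk, `pinned_pubkey_path` is handed to `curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, ...)` with no NULL check. libcurl accepts NULL for this string option, clears the pin and still returns `CURLE_OK`, so the `curl_ret != CURLE_OK` test that follows would not notice that pinning is off. The old string literal could never be NULL; the global can be if this runs before `init_globals()` or after `free_globals()`. I would fail closed just before the call: `if (!pinned_pubkey_path) { curl_ret = CURLE_BAD_FUNCTION_ARGUMENT; goto exit; }`. The body of `swupd_curl_set_security_opts` starts and ends outside the hunk, so what the `exit:` label does with that code is not visible here.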
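Review bot: In the src/globals.c hunk, `set_pinned_pubkey_path()` is defined with an empty parameter list and external linkage, while the include/swupd.h hunk adds only `extern char *pinned_pubkey_path;` and no prototype. The only caller shown is `init_globals()` in the same file, so `static void set_pinned_pubkey_path(void)` would be the tidier form; the findstatic output in the attached log flags the same symbol. A one-line comment above it would document the fallback order, e.g. `/* Use the path stored in default_pinnedpubkey_path if that file is readable, else the build-time PINNED_PUBKEY_PATH. */`. `set_default_value()` is outside the hunk, so it is worth confirming that it strips the trailing newline the recipe's `echo` writes, since the resulting string is used verbatim as the key file path.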
set_content_url(NULL); > ++ set_pinned_pubkey_path(); > + > + /* must set this global after version_url and content_url > */ > + set_local_download(); > +@@ -337,6 +350,7 @@ void free_globals(void) > + free(format_string); > + free(mounted_dirs); > + free(state_dir); > ++ free(pinned_pubkey_path); > + if (bundle_to_add != NULL) { > + free(bundle_to_add); > + } > diff --git a/recipes-core/swupd-client/swupd-client_git.bb b/recipes- > core/swupd-client/swupd-client_git.bb > index 1815db0..0d16171 100644 > --- a/recipes-core/swupd-client/swupd-client_git.bb > +++ b/recipes-core/swupd-client/swupd-client_git.bb > @@ -10,6 +10,7 @@ SRC_URI = "\ > git://github.com/clearlinux/swupd-client.git;protocol=https \ > file://Change-systemctl-path-to-OE-systemctl-path.patch \ > file://0001-Add-configure-option-to-re-enable-updating-of- > config.patch \ > + file://Make-pinned-pubkey-configurable.patch \ > " > SRCREV = "f4000c5b22be47ec1af2f8748fd71a36148b5dc4" > > @@ -35,6 +36,7 @@ PACKAGECONFIG[stateless] = ",--disable-stateless" > SWUPD_VERSION_URL ??= "example.com" > SWUPD_CONTENT_URL ??= "example.com" > SWUPD_FORMAT ??= "3" > +SWUPD_PINNED_PUBKEY ??= "" > do_install_append () { > # TODO: This should be a less os-specific directory and not > hard-code datadir > install -d ${D}$/usr/share/clear/bundles > @@ -44,6 +46,7 @@ do_install_append () { > echo "${SWUPD_VERSION_URL}" >> > ${D}/usr/share/defaults/swupd/versionurl > echo "${SWUPD_CONTENT_URL}" >> > ${D}/usr/share/defaults/swupd/contenturl > echo "${SWUPD_FORMAT}" >> ${D}/usr/share/defaults/swupd/format > + test -n "${SWUPD_PINNED_PUBKEY}" && echo > "${SWUPD_PINNED_PUBKEY}" > ${D}/usr/share/defaults/swupd/pinnedpubkey > } > > FILES_${PN} += "\ > -- > 2.5.5 >
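Review bot: The added `test -n "${SWUPD_PINNED_PUBKEY}" && echo ...` line is the last command in `do_install_append`, so with the default `SWUPD_PINNED_PUBKEY ??= ""` the `test` returns 1 and that becomes the exit status of the function. A form that returns 0 when the variable is empty avoids this: `if [ -n "${SWUPD_PINNED_PUBKEY}" ]; then echo "${SWUPD_PINNED_PUBKEY}" > ${D}/usr/share/defaults/swupd/pinnedpubkey; fi`. The recipe writes only a path into that file, and nothing in this hunk installs the key the path refers to. A comment next to the `??=` line should state that the value must be the on-target path of a public key file that the image actually ships, because a wrong path here makes every update connection fail the pin check.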
DEBUG: SITE files ['endian-little', 'bit-32', 'ix86-common', 'common-linux', 'common-glibc', 'i586-linux', 'common'] DEBUG: Executing shell function do_install NOTE: make -j 72 DESTDIR=/srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image install make[1]: Entering directory '/srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/git' mkdir -p /srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/lib/systemd/system/multi-user.target.wants/ /usr/bin/mkdir -p '/srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/lib' ln -sf ../check-update.timer /srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/lib/systemd/system/multi-user.target.wants/check-update.timer /usr/bin/mkdir -p '/srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/share/clear/update-ca' /usr/bin/mkdir -p '/srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/lib/systemd/system' ./i586-oe-linux-libtool --mode=install /usr/bin/install -c libswupd.la '/srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/lib' /usr/bin/install -c -m 644 certs/157753a5.0 certs/425b0f6b.0 certs/425b0f6b.key certs/8d28ae65.0 certs/d6325660.0 certs/d6325660.1 '/srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/share/clear/update-ca' /usr/bin/install -c -m 644 data/check-update.service data/check-update.timer '/srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/lib/systemd/system' i586-oe-linux-libtool: install: /usr/bin/install -c .libs/libswupd.so.2.0.0 /srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/lib/libswupd.so.2.0.0 
i586-oe-linux-libtool: install: (cd /srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/lib && { ln -s -f libswupd.so.2.0.0 libswupd.so.2 || { rm -f libswupd.so.2 && ln -s libswupd.so.2.0.0 libswupd.so.2; }; }) i586-oe-linux-libtool: install: (cd /srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/lib && { ln -s -f libswupd.so.2.0.0 libswupd.so || { rm -f libswupd.so && ln -s libswupd.so.2.0.0 libswupd.so; }; }) i586-oe-linux-libtool: install: /usr/bin/install -c .libs/libswupd.lai /srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/lib/libswupd.la i586-oe-linux-libtool: install: /usr/bin/install -c .libs/libswupd.a /srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/lib/libswupd.a i586-oe-linux-libtool: install: chmod 644 /srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/lib/libswupd.a i586-oe-linux-libtool: install: i586-oe-linux-ranlib /srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/lib/libswupd.a i586-oe-linux-libtool: warning: remember to run 'i586-oe-linux-libtool --finish /usr/lib' /usr/bin/mkdir -p '/srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/bin' ./i586-oe-linux-libtool --mode=install /usr/bin/install -c swupd '/srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/bin' i586-oe-linux-libtool: warning: 'libswupd.la' has not been installed in '/usr/lib' i586-oe-linux-libtool: install: /usr/bin/install -c .libs/swupd /srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/image/usr/bin/swupd make install-exec-hook make[2]: Entering directory 
'/srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/git' perl scripts/findstatic.pl */*.o | grep -v Checking ||: 'list_append_data' is unique to src/list.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/list.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/delta.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/update.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/clr_bundle_rm.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/clr_bundle_add.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/verify.o, should be static? (function) 'create_required_dirs' is unique to src/helpers.o, should be static? (function) 'fopen_exclusive' is unique to src/helpers.o, should be static? (function) 'free_path_data' is unique to src/helpers.o, should be static? (function) 'get_mounted_directories' is unique to src/helpers.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/helpers.o, should be static? (function) 'is_config' is unique to src/heuristics.o, should be static? (function) 'is_state' is unique to src/heuristics.o, should be static? (function) '__x86.get_pc_thunk.ax' is unique to src/heuristics.o, should be static? (function) '__x86.get_pc_thunk.bp' is unique to src/heuristics.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/heuristics.o, should be static? (function) 'account_delta_hit' is unique to src/stats.o, should be static? (function) 'account_delta_miss' is unique to src/stats.o, should be static? (function) '__x86.get_pc_thunk.ax' is unique to src/stats.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/stats.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/curl.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/check_update.o, should be static? 
(function) 'bin_paths' is unique to src/search.o, should be static? (initialised variable) 'do_search' is unique to src/search.o, should be static? (function) 'download_manifests' is unique to src/search.o, should be static? (function) 'file_search' is unique to src/search.o, should be static? (function) 'lib_paths' is unique to src/search.o, should be static? (initialised variable) 'report_find' is unique to src/search.o, should be static? (function) 'scope' is unique to src/search.o, should be static? (initialised variable) 'search_type' is unique to src/search.o, should be static? (initialised variable) '__x86.get_pc_thunk.bx' is unique to src/search.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/version.o, should be static? (function) '__x86.get_pc_thunk.di' is unique to src/version.o, should be static? (function) 'set_pinned_pubkey_path' is unique to src/globals.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/globals.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/main.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/download.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/swupd.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/scripts.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/xattrs.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/hashdump.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/manifest.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/lock.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/staging.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/packs.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/subscriptions.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/hash.o, should be static? 
(function) 'install_bundles' is unique to src/bundle.o, should be static? (function) 'is_included' is unique to src/bundle.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/bundle.o, should be static? (function) '__x86.get_pc_thunk.bx' is unique to src/filedesc.o, should be static? (function) make[2]: Leaving directory '/srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/git' make[1]: Leaving directory '/srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/git' WARNING: /srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/temp/run.do_install.16631:1 exit 1 from 'test -n ""' ERROR: Function failed: do_install (log file is located at /srv/builds/oecore/tmp-glibc/work/i586-oe-linux/swupd-client/3.6.0+gitAUTOINC+f4000c5b22-r0/temp/log.do_install.16631)