Message-ID: <1472571251.3054.8.camel@linux.intel.com>
From: Joshua Lock
To: Dmitry Rozhkov , yocto@yoctoproject.org
Date: Tue, 30 Aug 2016 16:34:11 +0100
In-Reply-To: <1472458177-19265-1-git-send-email-dmitry.rozhkov@linux.intel.com>
References: <1472458177-19265-1-git-send-email-dmitry.rozhkov@linux.intel.com>
Subject: Re: [meta-swupd][PATCH v2] swupd-client_git.bb: Make pinned pubkey configurable
List-Id: Discussion of all things Yocto Project

On Mon, 2016-08-29 at 11:09 +0300, Dmitry Rozhkov wrote:
> SWUPD server may move to a new location where a different pubkey
> needs to be used and the hardcoded one won't work.
>
> This makes pinned pubkey configurable.

Thanks Dmitry, patch pushed.

Regards,

Joshua

>
> Changes in v2: add explicit 'else' clause to the last statement
>                of do_install_append() to avoid returning exit code 1.
>
> Signed-off-by: Dmitry Rozhkov
> --- >  .../Make-pinned-pubkey-configurable.patch          | 118 > +++++++++++++++++++++ >  recipes-core/swupd-client/swupd-client_git.bb      |   3 + >  2 files changed, 121 insertions(+) >  create mode 100644 recipes-core/swupd-client/swupd-client/Make- > pinned-pubkey-configurable.patch > > diff --git a/recipes-core/swupd-client/swupd-client/Make-pinned- > pubkey-configurable.patch b/recipes-core/swupd-client/swupd- > client/Make-pinned-pubkey-configurable.patch > new file mode 100644 > index 0000000..4326a58 > --- /dev/null > +++ b/recipes-core/swupd-client/swupd-client/Make-pinned-pubkey- > configurable.patch
> @@ -0,0 +1,118 @@ > +From 6792cfef0ebfbe83e41bc81df6bc675604d7c943 Mon Sep 17 00:00:00 > 2001 > +From: Dmitry Rozhkov > +Date: Tue, 16 Aug 2016 10:55:15 +0300 > +Subject: [PATCH] Make pinned pubkey configurable > + > +The server may move to a new location where a different pubkey > +needs to be used and the hardcoded one won't work. > + > +This patch makes pinned pubkey configurable. > + > +Upstream-Status: Submitted [https://github.com/clearlinux/swupd-clie > nt/pull/110] > + > +Signed-off-by: Dmitry Rozhkov > +--- > + configure.ac    |  2 ++ > + include/swupd.h |  1 + > + src/curl.c      |  2 +- > + src/globals.c   | 14 ++++++++++++++ > + 4 files changed, 18 insertions(+), 1 deletion(-) > + > +diff --git a/configure.ac b/configure.ac > +index 83007aa..883553a 100644 > +--- a/configure.ac > ++++ b/configure.ac > +@@ -114,6 +114,7 @@ AH_TEMPLATE([LOCK_DIR],[Directory for lock > file]) > + AH_TEMPLATE([BUNDLES_DIR],[Directory to use for bundles]) > + AH_TEMPLATE([UPDATE_CA_CERTS_PATH],[Location of CA certificates]) > + AH_TEMPLATE([MOTD_FILE],[motd file path]) > ++AH_TEMPLATE([PINNED_PUBKEY_PATH],[Path to pinned public key]) > +  > + if test "$enable_linux_rootfs_build" = "yes"; then > +  AC_DEFINE([SWUPD_LINUX_ROOTFS],1) > +@@ -124,6 +125,7 @@ if test "$enable_linux_rootfs_build" = "yes"; > then > +  AC_DEFINE([BUNDLES_DIR],["/usr/share/clear/bundles"]) > +  AC_DEFINE_UNQUOTED([UPDATE_CA_CERTS_PATH],["$certs_path"]) > +  AC_DEFINE([MOTD_FILE],["/usr/lib/motd.d/001-new-release"]) > ++ AC_DEFINE_UNQUOTED([PINNED_PUBKEY_PATH],["${certs_path}/425 > b0f6b.key"]) > + else > +  AC_MSG_ERROR([Unknown build variant]) > + fi > +diff --git a/include/swupd.h b/include/swupd.h > +index 5c722d3..3658dc8 100644 > +--- a/include/swupd.h > ++++ b/include/swupd.h > +@@ -132,6 +132,7 @@ extern void *tm_dlhandle; > + extern char *bundle_to_add; > + extern struct timeval start_time; > + extern char *state_dir; > ++extern char *pinned_pubkey_path; > +  > + extern char *version_url; > 
+ extern char *content_url; > +diff --git a/src/curl.c b/src/curl.c > +index 6b6099f..b14193b 100644 > +--- a/src/curl.c > ++++ b/src/curl.c > +@@ -447,7 +447,7 @@ static CURLcode > swupd_curl_set_security_opts(CURL *curl) > +  goto exit; > +  } > +  > +- curl_ret = curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, > "/usr/share/clear/update-ca/425b0f6b.key"); > ++ curl_ret = curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, > pinned_pubkey_path); > +  if (curl_ret != CURLE_OK) { > +  goto exit; > +  } > +diff --git a/src/globals.c b/src/globals.c > +index f2f1200..d0858df 100644 > +--- a/src/globals.c > ++++ b/src/globals.c > +@@ -51,6 +51,7 @@ char *mounted_dirs = NULL; > + char *bundle_to_add = NULL; > + struct timeval start_time; > + char *state_dir = NULL; > ++char *pinned_pubkey_path = NULL; > +  > + /* NOTE: Today the content and version server urls are the same in > +  * all cases.  It is highly likely these will eventually differ, > eg: > +@@ -68,6 +69,7 @@ long update_server_port = -1; > + static const char *default_version_url_path = > "/usr/share/defaults/swupd/versionurl"; > + static const char *default_content_url_path = > "/usr/share/defaults/swupd/contenturl"; > + static const char *default_format_path = > "/usr/share/defaults/swupd/format"; > ++static const char *default_pinnedpubkey_path = > "/usr/share/defaults/swupd/pinnedpubkey"; > +  > + static int set_default_value(char **global, const char *path) > + { > +@@ -194,6 +196,16 @@ bool set_state_dir(char *path) > +  return true; > + } > +  > ++void set_pinned_pubkey_path() > ++{ > ++ int ret; > ++ > ++ ret = set_default_value(&pinned_pubkey_path, > default_pinnedpubkey_path); > ++ if (ret < 0) { > ++ string_or_die(&pinned_pubkey_path, "%s", > PINNED_PUBKEY_PATH); > ++ } > ++} > ++ > + bool set_format_string(char *userinput) > + { > +  int ret; > +@@ -322,6 +334,7 @@ bool init_globals(void) > +  (void)set_format_string(NULL); > +  set_version_url(NULL); > +  set_content_url(NULL); > ++ 
set_pinned_pubkey_path(); > +  > +  /* must set this global after version_url and content_url > */ > +  set_local_download(); > +@@ -337,6 +350,7 @@ void free_globals(void) > +  free(format_string); > +  free(mounted_dirs); > +  free(state_dir); > ++ free(pinned_pubkey_path); > +  if (bundle_to_add != NULL) { > +  free(bundle_to_add); > +  } > diff --git a/recipes-core/swupd-client/swupd-client_git.bb b/recipes- > core/swupd-client/swupd-client_git.bb > index 1815db0..8df89a1 100644 > --- a/recipes-core/swupd-client/swupd-client_git.bb > +++ b/recipes-core/swupd-client/swupd-client_git.bb > @@ -10,6 +10,7 @@ SRC_URI = "\ >      git://github.com/clearlinux/swupd-client.git;protocol=https \ >      file://Change-systemctl-path-to-OE-systemctl-path.patch \ >      file://0001-Add-configure-option-to-re-enable-updating-of- > config.patch \ > +    file://Make-pinned-pubkey-configurable.patch \ >  " >  SRCREV = "f4000c5b22be47ec1af2f8748fd71a36148b5dc4" >   > @@ -35,6 +36,7 @@ PACKAGECONFIG[stateless] = ",--disable-stateless" >  SWUPD_VERSION_URL ??= "example.com" >  SWUPD_CONTENT_URL ??= "example.com" >  SWUPD_FORMAT ??= "3" > +SWUPD_PINNED_PUBKEY ??= "" >  do_install_append () { >      # TODO: This should be a less os-specific directory and not > hard-code datadir >      install -d ${D}$/usr/share/clear/bundles > @@ -44,6 +46,7 @@ do_install_append () { >      echo "${SWUPD_VERSION_URL}" >> > ${D}/usr/share/defaults/swupd/versionurl >      echo "${SWUPD_CONTENT_URL}" >> > ${D}/usr/share/defaults/swupd/contenturl >      echo "${SWUPD_FORMAT}" >> ${D}/usr/share/defaults/swupd/format > +    test -n "${SWUPD_PINNED_PUBKEY}" && echo > "${SWUPD_PINNED_PUBKEY}" > ${D}/usr/share/defaults/swupd/pinnedpubkey > || true >  } >   >  FILES_${PN} += "\ > --  > 2.5.5 >
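
Review bot: in the src/curl.c hunk (swupd_curl_set_security_opts), pinned_pubkey_path is handed to CURLOPT_PINNEDPUBLICKEY with no NULL check. The global is initialised to NULL in src/globals.c, and libcurl accepts NULL for this option as "no pinning" and still returns CURLE_OK, so the `if (curl_ret != CURLE_OK)` test that follows would not catch a call made before init_globals() or after free_globals(). Suggest failing closed here: return an error from this function when pinned_pubkey_path is NULL instead of calling curl_easy_setopt().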
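
Review bot: in the src/globals.c hunk that adds set_pinned_pubkey_path(), the fallback to PINNED_PUBKEY_PATH is taken only when set_default_value() returns < 0, and nothing visible in the hunk validates the string read from /usr/share/defaults/swupd/pinnedpubkey, so whatever that file holds becomes the pin. Consider rejecting an empty value before accepting it, and add a comment stating what the file is expected to contain. Two smaller points: declare the function as `void set_pinned_pubkey_path(void)` to match `init_globals(void)`, and note that the include/swupd.h hunk adds the extern variable but no prototype for the new function.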
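
Review bot: in the do_install_append() hunk of swupd-client_git.bb, the trailing `|| true` masks a failed `echo "${SWUPD_PINNED_PUBKEY}" > ${D}/usr/share/defaults/swupd/pinnedpubkey` as well as the empty-variable case, so a build with SWUPD_PINNED_PUBKEY set can complete without the file and the client then falls back to the compiled-in PINNED_PUBKEY_PATH. The v2 changelog describes an explicit 'else' clause; wrapping the echo in if/then/fi would keep the exit status at 0 for the empty case without hiding write errors. The new `SWUPD_PINNED_PUBKEY ??= ""` line also needs a comment saying what form the value takes, since the C side uses it as pinned_pubkey_path.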