From: "Ulrich Ölmann" <u.oelmann@pengutronix.de>
To: "Antonin Godard via lists.yoctoproject.org"
<antonin.godard=bootlin.com@lists.yoctoproject.org>
Cc: docs@lists.yoctoproject.org, antonin.godard@bootlin.com,
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Subject: Re: [docs] [PATCH] Document shared state signing
Date: Sat, 18 Apr 2026 16:48:21 +0200 [thread overview]
Message-ID: <6reckcnx3e.fsf@pengutronix.de> (raw)
In-Reply-To: <20260417-sstate-signing-v1-1-5df11613249e@bootlin.com> (Antonin Godard via lists yoctoproject org's message of "Fri, 17 Apr 2026 15:30:23 +0200")
Hi Antonin,
didn't know that we can sign the sstate - thanks for writing things down!
Just a few typos.
On Fri, Apr 17 2026 at 15:30 +0200, "Antonin Godard via lists.yoctoproject.org" <antonin.godard=bootlin.com@lists.yoctoproject.org> wrote:
> Document the shared state signing feature. Add a new document in the
> Security manual, and definitions for the variables involved in this
> process in the variable glossary.
>
> [YOCTO #15217]
>
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
> documentation/overview-manual/concepts.rst | 6 +
> documentation/ref-manual/variables.rst | 50 +++++
> documentation/security-manual/index.rst | 1 +
> documentation/security-manual/sstate-signing.rst | 272 +++++++++++++++++++++++
> 4 files changed, 329 insertions(+)
>
> diff --git a/documentation/overview-manual/concepts.rst b/documentation/overview-manual/concepts.rst
> index ab723d7c3..f0b336226 100644
> --- a/documentation/overview-manual/concepts.rst
> +++ b/documentation/overview-manual/concepts.rst
> @@ -1240,6 +1240,12 @@ variable is the function that determines whether a given dependency
> needs to be followed, and whether for any given relationship the
> function needs to be passed. The function returns a True or False value.
>
> +.. note::
> +
> + Is is possible to sign these artifacts with :wikipedia:`GPG
> + <GNU_Privacy_Guard>`. See :doc:`/security-manual/sstate-signing` in the Yocto
> + Project Security Manual for more information.
> +
> Images
> ------
>
> diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
> index 317b75913..7387a5d25 100644
> --- a/documentation/ref-manual/variables.rst
> +++ b/documentation/ref-manual/variables.rst
> @@ -10097,6 +10097,25 @@ system and gives an overview of their function and contents.
>
> For details on the process, see the :ref:`ref-classes-staging` class.
[...]
> + :term:`SSTATE_VERIFY_SIG`
> + The :term:`SSTATE_VERIFY_SIG` variable controls whether to enable of
> + disable the :ref:`shared state <overview-manual/concepts:setscene tasks
s/whether to enable of disable/whether to enable or disable/
> + and shared state>` artifacts signing feature.
[...]
> diff --git a/documentation/security-manual/sstate-signing.rst b/documentation/security-manual/sstate-signing.rst
> new file mode 100644
> index 000000000..1845b890f
> --- /dev/null
> +++ b/documentation/security-manual/sstate-signing.rst
> @@ -0,0 +1,272 @@
> +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
> +
> +Shared State Signing
> +********************
> +
> +The :term:`OpenEmbedded Build System` build system has a built-in mechanism
> +allowing to save execution time by re-using pre-built artifacts: the
> +:ref:`shared state cache (sstate cache) <overview-manual/concepts:shared state
> +cache>`. These artifacts are stored in a directory (:term:`SSTATE_DIR`) are not
> +signed by default.
The last sentence probably misses a conjunction, what about
s/are not signed by default/and are not signed by default/ ?
> +
> +This document goes through the steps to enable shared state signing.
> +This feature is fully dependent on :wikipedia:`GPG <GNU_Privacy_Guard>`, meaning
> +examples shown in this document will use the ``gpg`` command-line tool.
[...]
> +Shared State Location
> +---------------------
> +
> +Our build system needs to be configured to sign new sstate artifacts when they
> +are generated. The generation of new artifacts is done once a task has finished
> +being executed.
> +
> +For the following sections let's assume that our build system has the shared
> +state directory location (:term:`SSTATE_DIR`) defined as follows::
> +
> + SSTATE_DIR = "${TOPDIR}/sstate-cache"
> +
> +Assuming this directory and our temporary directory (:term:`TMPDIR`) is empty,
s/is empty/are empty/
> +as an example throughout this document, let's run the ``create_recipe_spdx``
> +task of the ``gettext-minimal-native`` recipe:
> +
> +.. code-block:: console
> +
> + $ bitbake gettext-minimal-native -c create_recipe_spdx
> +
> +After execution, our shared state directory should be populated with new files:
> +
> +.. code-block:: console
> +
> + $ find $BUILDDIR/sstate-cache/ -name "*gettext-minimal-native*create_recipe_spdx*"
> + sstate-cache/universal/a3/6e/sstate:gettext-minimal-native:x86_64-linux:1.0:r0:x86_64:14:a36ef66df6b8c0cb5a849bc70a99dcfd61e4bacd11cefe6bbaf4978b2b3b617a_create_recipe_spdx.tar.zst
> + sstate-cache/universal/a3/6e/sstate:gettext-minimal-native:x86_64-linux:1.0:r0:x86_64:14:a36ef66df6b8c0cb5a849bc70a99dcfd61e4bacd11cefe6bbaf4978b2b3b617a_create_recipe_spdx.tar.zst.siginfo
[...]
> +Verifying Signed Shared State Artifacts
> +=======================================
> +
> +Now that we have setup our build to sign shared state artifacts,
> let's see how
s/we have setup our build/we have set up our build/
> +we can verify them with the public key counterpart of the private key.
> +
> +.. note::
> +
> + Signature of shared state and its verification can happen on two different
> + hosts, meaning one host can be in charge of the signature while another only
> + verifies the artifacts. This is preferred as the private key should not be
> + shared spread on multiple hosts.
[...]
> + As you can see, this does not prevent :term:`BitBake` from continuing, but
> + the the real task is executed instead of re-using the shared state.
s/but the the real task/but the real task/
Best regards,
Ulrich
>
> ---
> base-commit: 2c12ec7bf29aedeacf82970a9d2eb262fde4670e
> change-id: 20260417-sstate-signing-f96c75ce1917
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9276): https://lists.yoctoproject.org/g/docs/message/9276
> Mute This Topic: https://lists.yoctoproject.org/mt/118875161/3618626
> Group Owner: docs+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/docs/unsub [u.oelmann@pengutronix.de]
> -=-=-=-=-=-=-=-=-=-=-=-
--
Pengutronix e.K. | Ulrich Ölmann |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
next prev parent reply other threads:[~2026-04-18 14:48 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-17 13:30 [PATCH] Document shared state signing Antonin Godard
2026-04-18 14:48 ` Ulrich Ölmann [this message]
2026-04-20 12:18 ` [docs] " Antonin Godard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6reckcnx3e.fsf@pengutronix.de \
--to=u.oelmann@pengutronix.de \
--cc=antonin.godard=bootlin.com@lists.yoctoproject.org \
--cc=antonin.godard@bootlin.com \
--cc=docs@lists.yoctoproject.org \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.