From: Joshua Lock <jlock@vmware.com>
To: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: [RFC PATCH 0/3] Enforce Shared State Signing when options set
Date: Fri, 26 Jul 2019 11:26:47 +0000 [thread overview]
Message-ID: <cover.1564139487.git.jlock@vmware.com> (raw)
There are 2 surprising behaviours in the current shared state signing
implementation which this pull request addresses:
1) when signature verification is enabled a failure to verify doesn't prevent
the shared state object from being used. A warning is printed and the
unsigned shared state object is used to accelerate the task.
2) when signing is enabled the taskhash doesn't change and any existing,
unsigned, shared state objects will not be signed. This is particularly
problematic when combined with 1.
Please review the following changes for suitability for inclusion. If you have
any objections or suggestions for improvement, please respond to the patches. If
you agree with the changes, please provide your Acked-by.
The following changes since commit 835f7eac0610325e906591cd81890bebe8627580:
meta/lib/oeqa: Test for bootimg-biosplusefi Source (2019-07-23 22:26:28 +0100)
are available in the Git repository at:
https://github.com/joshuagl/poky joshuagl/signed-sstate
https://github.com/joshuagl/poky/tree/joshuagl/signed-sstate
Joshua Lock (3):
sstate: fix log message
classes/sstate: don't use unsigned sstate when verification enabled
classes/sstate: regenerate sstate when signing enabled
meta/classes/sstate.bbclass | 15 +++++++++++----
meta/lib/oe/gpg_sign.py | 10 ++++++++++
2 files changed, 21 insertions(+), 4 deletions(-)
--
2.21.0
next reply other threads:[~2019-07-26 11:26 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-26 11:26 Joshua Lock [this message]
2019-07-26 11:26 ` [RFC PATCH 1/3] sstate: fix log message Joshua Lock
2019-07-26 11:26 ` [RFC PATCH 2/3] classes/sstate: don't use unsigned sstate when verification enabled Joshua Lock
2019-07-26 11:26 ` [RFC PATCH 3/3] classes/sstate: regenerate sstate when signing enabled Joshua Lock
2019-07-27 10:12 ` Richard Purdie
2019-07-30 9:58 ` Joshua Lock
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1564139487.git.jlock@vmware.com \
--to=jlock@vmware.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.