Re: [PATCH v1 1/2] gpg-sign: Add parameters to gpg signature function

["Richard Purdie" <richard.purdie@linuxfoundation.org>]

[-- Attachment #1: Type: text/plain, Size: 4942 bytes --]

On Thu, 2022-03-24 at 23:11 +0100, Ferry Toth wrote:
> Op 24-03-2022 om 16:36 schreef Ferry Toth:
> > Op 24-03-2022 om 13:03 schreef Richard Purdie:
> > > On Thu, 2022-03-24 at 12:23 +0100, Ferry Toth wrote:
> > > > > On Wed, 2022-03-23 at 19:34 +0100, Ferry Toth wrote:
> > > > > > I forgot to add a cover letter, sorry for that. The 2 patches  together
> > > > > > implement DEB repository signing.
> > > > > > 
> > > > > > This is necessary since Gatesgarth |apt| (1.8.2) has become more strict
> > > > > > and doesn’t allow unsigned repositories by default.
> > > > > > 
> > > > > > It is possible to override this behavior |but||| is more work then to
> > > > > > enable signed DEB repositories. These patches makes DEB a first class
> > > > > > citizen as IPK and RPM.
> > > > > > 
> > > > > > Patches have been in use in meta-intel-edison since Gatesgarth, see
> > > > > > https://edison-fw.github.io/meta-intel-edison/5.0-Creating-a-deb-
> > > > > > repository.html\
> > > > > What puzzles me is that we can build root filesystems using apt, we test
> > > > > this on
> > > > > the autobuilder. Saying repositories are broken since gatesgarth therefore
> > > > > seems
> > > > > confusing in the commit message.
> 
> The Development Task manual in 3.22.4.3.3 names it a repository, as I 
> believe is common for a distributions server holding pre-built packages. 
> But I could change the name to package feed if that would be better.
> 
> What I meant to say is that apt requires signed package feeds since 
> 1.8.2 and disabling that is a workaround.

I mean to distinguish between the use of repositories at rootfs creation time
compared to repositories used later to update an image. Since I know
repositories are used to build the rootfs, the commit message did confuse me at
first since rootfs construction works.



> 
> > > > Good question. When I (meta-intel-edison) build the rootfs using DEB's it just
> > > > works.
> > > > Could it be that during rootfs build dpkg is used and not apt? I think I have
> > > > seen that in the logs.
> > > It definitely uses apt.
> Checking logs I see you are correct.
> > > > Of course apt uses dpkg to install a package as well, but it refuses to
> > > > download the package from a repo when it's not signed.
> > > Perhaps the difference is the packages are local and not remote?
> 
> No, for generating the rootfs it appears the sources list file has:
> 
> deb [trusted=yes] file:/path.../oe-rootfs-repo/edison/ ./
> 
> So apparently has been taken care by disabling the signing requirement. 
> [trusted=yes] is part of that workaround.

That does give another way to work around this then...


> 
> > > > > I guess we must configure apt to override that during the rootfs process and
> > > > > likely an end user with a remote feed could do the same, possibly with a
> > > > > warning
> > > > > from apt?
> Yes. But it is a pain to google to find how to do that.
> > > >   I believe there is no issue during rootfs generation.
> > > >   
> > > > > I'm also worried that there isn't any automated testing of this change. The
> > > > > reason I worry is that since we don't show any testing failures right now,
> > > > > there
> > > > > is clearly a hole in our automated testing coverage and there is no
> > > > > guarantee
> > > > > that this feature will keep working. It is these smaller corner case issues
> > > > > which tend to make or break the project's experience as if a feature is
> > > > > present,
> > > > > people expect it to work. Can we improve the testing situation?
> > > > It doesn't seem to be a particularly volatile area in the code. I refreshed
> > > > Xavier's patches for Gatesgarth, and am actively using unchanged patch on
> > > > Honisiter.
> > > > I don't know how the automated testing is working but I guess for RPM a repo
> > > > is generated using a small layer? And then tested on a qemu running the
> > > > rootfs?
> > > > Should be almost same for deb/apt, maybe could be modified from rpm test?
> > > I think the rpm test is test_testimage_dnf in
> > > meta/lib/oeqa/selftest/cases/runtime_test.py. You'd run it with:
> > > 
> > > oe-selftest -r runtime_test.TestImage.test_testimage_dnf
> > I'll have a look.
> 
> Pfff. These tests are O(1) more then the signing code they test. I'm 
> trying this original test (on rpm) now to see if I can get that to run 
> and understand how it works.

What you're asking to work is a complex scenario so the test isn't going to be
simple.

FWIW there is also oeqa/runtime/cases/apt.py. That test checks if a package can
be installed from a remote package feed (no signing). It is doing:

echo deb [ allow-insecure=yes ] %s ./ > sources.list

to work around the signing issue.

> Am I right that meta/lib/oeqa/selftest/cases/signing.py tests the actual 
> package feed signing?

No. That tests that signed packages in rpm works rather than a signed remote
repository which is different.

Cheers,

Richard

[-- Attachment #2: Type: text/html, Size: 8228 bytes --]