Openembedded Core Discussions
* [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe
@ 2025-02-12  4:35 Zoltán Böszörményi
  2025-02-12  4:35 ` [OE-core][PATCH v12 2/5] rpm-sequoia: New recipe for version 1.7.0 Zoltán Böszörményi
                   ` (5 more replies)
  0 siblings, 6 replies; 20+ messages in thread
From: Zoltán Böszörményi @ 2025-02-12  4:35 UTC (permalink / raw)
  To: openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj, Mathieu Dubois-Briand,
	Richard Purdie, Zoltán Böszörményi

This ships a crypto policy file for rpm-sequoia.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 meta/conf/distro/include/maintainers.inc      |  1 +
 .../rpm-sequoia-crypto-policy_git.bb          | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index bec55a7c1c..648c8fceb8 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -744,6 +744,7 @@ RECIPE_MAINTAINER:pn-rpcbind = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-rng-tools = "Anuj Mittal <anuj.mittal@intel.com>"
 RECIPE_MAINTAINER:pn-rpcsvc-proto = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-rpm = "Robert Yang <liezhi.yang@windriver.com>"
+RECIPE_MAINTAINER:pn-rpm-sequoia-crypto-policy = "Zoltán Böszörményi <zboszor@gmail.com>"
 RECIPE_MAINTAINER:pn-rsync = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-rt-tests = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-ruby = "Ross Burton <ross.burton@arm.com>"
diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
new file mode 100644
index 0000000000..37ace2c78c
--- /dev/null
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
@@ -0,0 +1,34 @@
+SUMMARY = "Crypto policy for rpm-sequoia"
+HOMEPAGE = "https://gitlab.com/redhat-crypto/fedora-crypto-policies/"
+
+LICENSE = "LGPL-2.1-or-later"
+
+LIC_FILES_CHKSUM = "file://COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+DEPENDS = "coreutils-native openssl-native make-native"
+
+inherit allarch python3native
+
+SRC_URI = "git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master"
+
+SRCREV = "032b418a6db842f0eab330eb5909e4604e888728"
+UPSTREAM_CHECK_COMMITS = "1"
+
+S = "${UNPACKDIR}/git"
+
+do_compile () {
+	# Remove most policy variants, leave DEFAULT.pol
+	# It speeds up the build and we only need DEFAULT/rpm-sequoia.
+	rm -f $(ls -1 policies/*.pol | grep -v DEFAULT.pol) || echo nothing to delete
+
+	make ASCIIDOC=echo XSLTPROC=echo
+}
+
+do_install () {
+	install -d -m755 ${D}${datadir}/crypto-policies/back-ends
+	install -m644 ${S}/output/DEFAULT/rpm-sequoia.txt ${D}${datadir}/crypto-policies/back-ends/rpm-sequoia.config
+}
+
+FILES:${PN} = "${datadir}/crypto-policies/back-ends/*"
+
+BBCLASSEXTEND = "native"
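Review bot: In do_compile, the `|| echo nothing to delete` fallback on the `rm -f $(ls -1 policies/*.pol | grep -v DEFAULT.pol)` line can never fire: `rm -f` exits 0 even when the substitution expands to nothing, and the exit status of the `ls | grep` pipeline inside `$(...)` is discarded, so a missing or renamed policies directory passes silently. The line also parses `ls` output and uses `DEFAULT.pol` as a regular expression, where `.` matches any character and any file name merely containing that string is kept. `find policies -name '*.pol' ! -name DEFAULT.pol -delete` does the same pruning without those problems. Two smaller points in the same recipe: `make ASCIIDOC=echo XSLTPROC=echo` is invoked directly rather than through `oe_runmake`, so EXTRA_OEMAKE is not applied, and no PV is set, so this `_git.bb` recipe pinned by SRCREV gets the version string `git`; setting PV to the upstream version with a `+git` suffix would make the packaged policy traceable to a release.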
-- 
2.48.1




* [OE-core][PATCH v12 2/5] rpm-sequoia: New recipe for version 1.7.0
  2025-02-12  4:35 [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe Zoltán Böszörményi
@ 2025-02-12  4:35 ` Zoltán Böszörményi
  2025-02-12  4:35 ` [OE-core][PATCH v12 3/5] rpm: Set SEQUOIA_CRYPTO_POLICY in wrapped tools Zoltán Böszörményi
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 20+ messages in thread
From: Zoltán Böszörményi @ 2025-02-12  4:35 UTC (permalink / raw)
  To: openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj, Mathieu Dubois-Briand,
	Richard Purdie, Zoltán Böszörményi

rpm 4.20 removed the built-in code to handle signed packages
and uses rpm-sequoia as a more feature complete library.

Runtime-depend on rpm-sequoia-crypto-policy.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 meta/conf/distro/include/maintainers.inc      |   1 +
 .../rpm-sequoia/rpm-sequoia-crates.inc        | 486 ++++++++++++++++++
 .../rpm-sequoia/rpm-sequoia_1.7.0.bb          |  60 +++
 3 files changed, 547 insertions(+)
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crates.inc
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia_1.7.0.bb

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 648c8fceb8..24c8a850ec 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -744,6 +744,7 @@ RECIPE_MAINTAINER:pn-rpcbind = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-rng-tools = "Anuj Mittal <anuj.mittal@intel.com>"
 RECIPE_MAINTAINER:pn-rpcsvc-proto = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-rpm = "Robert Yang <liezhi.yang@windriver.com>"
+RECIPE_MAINTAINER:pn-rpm-sequoia = "Zoltán Böszörményi <zboszor@gmail.com>"
 RECIPE_MAINTAINER:pn-rpm-sequoia-crypto-policy = "Zoltán Böszörményi <zboszor@gmail.com>"
 RECIPE_MAINTAINER:pn-rsync = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-rt-tests = "Unassigned <unassigned@yoctoproject.org>"
diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crates.inc b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crates.inc
new file mode 100644
index 0000000000..2764030ec7
--- /dev/null
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crates.inc
@@ -0,0 +1,486 @@
+# Autogenerated with 'bitbake -c update_crates rpm-sequoia'
+
+# from Cargo.lock
+SRC_URI += " \
+    crate://crates.io/aead/0.5.2 \
+    crate://crates.io/aes/0.8.4 \
+    crate://crates.io/aes-gcm/0.10.3 \
+    crate://crates.io/aho-corasick/1.1.3 \
+    crate://crates.io/android-tzdata/0.1.1 \
+    crate://crates.io/android_system_properties/0.1.5 \
+    crate://crates.io/anstyle/1.0.7 \
+    crate://crates.io/anyhow/1.0.86 \
+    crate://crates.io/ascii-canvas/3.0.0 \
+    crate://crates.io/assert_cmd/2.0.14 \
+    crate://crates.io/autocfg/1.3.0 \
+    crate://crates.io/base16ct/0.2.0 \
+    crate://crates.io/base64/0.22.1 \
+    crate://crates.io/base64ct/1.6.0 \
+    crate://crates.io/bindgen/0.68.1 \
+    crate://crates.io/bit-set/0.5.3 \
+    crate://crates.io/bit-vec/0.6.3 \
+    crate://crates.io/bitflags/2.6.0 \
+    crate://crates.io/block-buffer/0.10.4 \
+    crate://crates.io/block-padding/0.3.3 \
+    crate://crates.io/blowfish/0.9.1 \
+    crate://crates.io/botan/0.10.7 \
+    crate://crates.io/botan-sys/0.10.5 \
+    crate://crates.io/bstr/1.9.1 \
+    crate://crates.io/buffered-reader/1.3.1 \
+    crate://crates.io/bumpalo/3.16.0 \
+    crate://crates.io/byteorder/1.5.0 \
+    crate://crates.io/camellia/0.1.0 \
+    crate://crates.io/cast5/0.11.1 \
+    crate://crates.io/cc/1.0.106 \
+    crate://crates.io/cdylib-link-lines/0.1.5 \
+    crate://crates.io/cexpr/0.6.0 \
+    crate://crates.io/cfb-mode/0.8.2 \
+    crate://crates.io/cfg-if/1.0.0 \
+    crate://crates.io/chrono/0.4.38 \
+    crate://crates.io/cipher/0.4.4 \
+    crate://crates.io/clang-sys/1.8.1 \
+    crate://crates.io/cmac/0.7.2 \
+    crate://crates.io/const-oid/0.9.6 \
+    crate://crates.io/core-foundation-sys/0.8.6 \
+    crate://crates.io/cpufeatures/0.2.12 \
+    crate://crates.io/crunchy/0.2.2 \
+    crate://crates.io/crypto-bigint/0.5.5 \
+    crate://crates.io/crypto-common/0.1.6 \
+    crate://crates.io/ctr/0.9.2 \
+    crate://crates.io/curve25519-dalek/4.1.3 \
+    crate://crates.io/curve25519-dalek-derive/0.1.1 \
+    crate://crates.io/dbl/0.3.2 \
+    crate://crates.io/der/0.7.9 \
+    crate://crates.io/des/0.8.1 \
+    crate://crates.io/difflib/0.4.0 \
+    crate://crates.io/digest/0.10.7 \
+    crate://crates.io/dirs-next/2.0.0 \
+    crate://crates.io/dirs-sys-next/0.1.2 \
+    crate://crates.io/displaydoc/0.2.5 \
+    crate://crates.io/doc-comment/0.3.3 \
+    crate://crates.io/dsa/0.6.3 \
+    crate://crates.io/dyn-clone/1.0.17 \
+    crate://crates.io/eax/0.5.0 \
+    crate://crates.io/ecb/0.1.2 \
+    crate://crates.io/ecdsa/0.16.9 \
+    crate://crates.io/ed25519/2.2.3 \
+    crate://crates.io/ed25519-dalek/2.1.1 \
+    crate://crates.io/either/1.13.0 \
+    crate://crates.io/elliptic-curve/0.13.8 \
+    crate://crates.io/ena/0.14.3 \
+    crate://crates.io/equivalent/1.0.1 \
+    crate://crates.io/errno/0.3.9 \
+    crate://crates.io/fastrand/2.1.0 \
+    crate://crates.io/ff/0.13.0 \
+    crate://crates.io/fiat-crypto/0.2.9 \
+    crate://crates.io/fixedbitset/0.4.2 \
+    crate://crates.io/foreign-types/0.3.2 \
+    crate://crates.io/foreign-types-shared/0.1.1 \
+    crate://crates.io/generic-array/0.14.7 \
+    crate://crates.io/generic-array/1.1.0 \
+    crate://crates.io/getrandom/0.2.15 \
+    crate://crates.io/ghash/0.5.1 \
+    crate://crates.io/glob/0.3.1 \
+    crate://crates.io/group/0.13.0 \
+    crate://crates.io/hashbrown/0.14.5 \
+    crate://crates.io/hkdf/0.12.4 \
+    crate://crates.io/hmac/0.12.1 \
+    crate://crates.io/iana-time-zone/0.1.60 \
+    crate://crates.io/iana-time-zone-haiku/0.1.2 \
+    crate://crates.io/icu_collections/1.5.0 \
+    crate://crates.io/icu_locid/1.5.0 \
+    crate://crates.io/icu_locid_transform/1.5.0 \
+    crate://crates.io/icu_locid_transform_data/1.5.0 \
+    crate://crates.io/icu_normalizer/1.5.0 \
+    crate://crates.io/icu_normalizer_data/1.5.0 \
+    crate://crates.io/icu_properties/1.5.1 \
+    crate://crates.io/icu_properties_data/1.5.0 \
+    crate://crates.io/icu_provider/1.5.0 \
+    crate://crates.io/icu_provider_macros/1.5.0 \
+    crate://crates.io/idea/0.5.1 \
+    crate://crates.io/idna/1.0.2 \
+    crate://crates.io/indexmap/2.2.6 \
+    crate://crates.io/inout/0.1.3 \
+    crate://crates.io/itertools/0.11.0 \
+    crate://crates.io/js-sys/0.3.69 \
+    crate://crates.io/lalrpop/0.20.2 \
+    crate://crates.io/lalrpop-util/0.20.2 \
+    crate://crates.io/lazy_static/1.5.0 \
+    crate://crates.io/lazycell/1.3.0 \
+    crate://crates.io/libc/0.2.155 \
+    crate://crates.io/libloading/0.8.4 \
+    crate://crates.io/libm/0.2.8 \
+    crate://crates.io/libredox/0.1.3 \
+    crate://crates.io/linux-raw-sys/0.4.14 \
+    crate://crates.io/litemap/0.7.3 \
+    crate://crates.io/lock_api/0.4.12 \
+    crate://crates.io/log/0.4.22 \
+    crate://crates.io/md-5/0.10.6 \
+    crate://crates.io/memchr/2.7.4 \
+    crate://crates.io/memsec/0.7.0 \
+    crate://crates.io/minimal-lexical/0.2.1 \
+    crate://crates.io/nettle/7.4.0 \
+    crate://crates.io/nettle-sys/2.3.0 \
+    crate://crates.io/new_debug_unreachable/1.0.6 \
+    crate://crates.io/nom/7.1.3 \
+    crate://crates.io/num-bigint-dig/0.8.4 \
+    crate://crates.io/num-integer/0.1.46 \
+    crate://crates.io/num-iter/0.1.45 \
+    crate://crates.io/num-traits/0.2.19 \
+    crate://crates.io/once_cell/1.19.0 \
+    crate://crates.io/opaque-debug/0.3.1 \
+    crate://crates.io/openssl/0.10.64 \
+    crate://crates.io/openssl-macros/0.1.1 \
+    crate://crates.io/openssl-sys/0.9.102 \
+    crate://crates.io/p256/0.13.2 \
+    crate://crates.io/p384/0.13.0 \
+    crate://crates.io/p521/0.13.3 \
+    crate://crates.io/parking_lot/0.12.3 \
+    crate://crates.io/parking_lot_core/0.9.10 \
+    crate://crates.io/peeking_take_while/0.1.2 \
+    crate://crates.io/pem-rfc7468/0.7.0 \
+    crate://crates.io/petgraph/0.6.5 \
+    crate://crates.io/phf_shared/0.10.0 \
+    crate://crates.io/pkcs1/0.7.5 \
+    crate://crates.io/pkcs8/0.10.2 \
+    crate://crates.io/pkg-config/0.3.30 \
+    crate://crates.io/polyval/0.6.2 \
+    crate://crates.io/ppv-lite86/0.2.17 \
+    crate://crates.io/precomputed-hash/0.1.1 \
+    crate://crates.io/predicates/3.1.0 \
+    crate://crates.io/predicates-core/1.0.6 \
+    crate://crates.io/predicates-tree/1.0.9 \
+    crate://crates.io/primeorder/0.13.6 \
+    crate://crates.io/proc-macro2/1.0.86 \
+    crate://crates.io/quote/1.0.36 \
+    crate://crates.io/rand/0.8.5 \
+    crate://crates.io/rand_chacha/0.3.1 \
+    crate://crates.io/rand_core/0.6.4 \
+    crate://crates.io/redox_syscall/0.5.2 \
+    crate://crates.io/redox_users/0.4.5 \
+    crate://crates.io/regex/1.10.5 \
+    crate://crates.io/regex-automata/0.4.7 \
+    crate://crates.io/regex-syntax/0.8.4 \
+    crate://crates.io/rfc6979/0.4.0 \
+    crate://crates.io/ripemd/0.1.3 \
+    crate://crates.io/rsa/0.9.6 \
+    crate://crates.io/rustc-hash/1.1.0 \
+    crate://crates.io/rustc_version/0.4.0 \
+    crate://crates.io/rustix/0.38.34 \
+    crate://crates.io/rustversion/1.0.17 \
+    crate://crates.io/same-file/1.0.6 \
+    crate://crates.io/scopeguard/1.2.0 \
+    crate://crates.io/sec1/0.7.3 \
+    crate://crates.io/semver/1.0.23 \
+    crate://crates.io/sequoia-openpgp/1.21.1 \
+    crate://crates.io/sequoia-policy-config/0.6.0 \
+    crate://crates.io/serde/1.0.204 \
+    crate://crates.io/serde_derive/1.0.204 \
+    crate://crates.io/sha1collisiondetection/0.3.4 \
+    crate://crates.io/sha2/0.10.8 \
+    crate://crates.io/shlex/1.3.0 \
+    crate://crates.io/signature/2.2.0 \
+    crate://crates.io/siphasher/0.3.11 \
+    crate://crates.io/smallvec/1.13.2 \
+    crate://crates.io/spin/0.9.8 \
+    crate://crates.io/spki/0.7.3 \
+    crate://crates.io/stable_deref_trait/1.2.0 \
+    crate://crates.io/string_cache/0.8.7 \
+    crate://crates.io/subtle/2.6.1 \
+    crate://crates.io/syn/2.0.70 \
+    crate://crates.io/synstructure/0.13.1 \
+    crate://crates.io/tempfile/3.10.1 \
+    crate://crates.io/term/0.7.0 \
+    crate://crates.io/termtree/0.4.1 \
+    crate://crates.io/thiserror/1.0.61 \
+    crate://crates.io/thiserror-impl/1.0.61 \
+    crate://crates.io/tiny-keccak/2.0.2 \
+    crate://crates.io/tinystr/0.7.6 \
+    crate://crates.io/toml/0.5.11 \
+    crate://crates.io/twofish/0.7.1 \
+    crate://crates.io/typenum/1.17.0 \
+    crate://crates.io/unicode-ident/1.0.12 \
+    crate://crates.io/unicode-xid/0.2.4 \
+    crate://crates.io/universal-hash/0.5.1 \
+    crate://crates.io/utf16_iter/1.0.5 \
+    crate://crates.io/utf8_iter/1.0.4 \
+    crate://crates.io/vcpkg/0.2.15 \
+    crate://crates.io/version_check/0.9.4 \
+    crate://crates.io/wait-timeout/0.2.0 \
+    crate://crates.io/walkdir/2.5.0 \
+    crate://crates.io/wasi/0.11.0+wasi-snapshot-preview1 \
+    crate://crates.io/wasm-bindgen/0.2.92 \
+    crate://crates.io/wasm-bindgen-backend/0.2.92 \
+    crate://crates.io/wasm-bindgen-macro/0.2.92 \
+    crate://crates.io/wasm-bindgen-macro-support/0.2.92 \
+    crate://crates.io/wasm-bindgen-shared/0.2.92 \
+    crate://crates.io/win-crypto-ng/0.5.1 \
+    crate://crates.io/winapi/0.3.9 \
+    crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
+    crate://crates.io/winapi-util/0.1.8 \
+    crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
+    crate://crates.io/windows-core/0.52.0 \
+    crate://crates.io/windows-sys/0.52.0 \
+    crate://crates.io/windows-targets/0.52.6 \
+    crate://crates.io/windows_aarch64_gnullvm/0.52.6 \
+    crate://crates.io/windows_aarch64_msvc/0.52.6 \
+    crate://crates.io/windows_i686_gnu/0.52.6 \
+    crate://crates.io/windows_i686_gnullvm/0.52.6 \
+    crate://crates.io/windows_i686_msvc/0.52.6 \
+    crate://crates.io/windows_x86_64_gnu/0.52.6 \
+    crate://crates.io/windows_x86_64_gnullvm/0.52.6 \
+    crate://crates.io/windows_x86_64_msvc/0.52.6 \
+    crate://crates.io/write16/1.0.0 \
+    crate://crates.io/writeable/0.5.5 \
+    crate://crates.io/x25519-dalek/2.0.1 \
+    crate://crates.io/xxhash-rust/0.8.11 \
+    crate://crates.io/yoke/0.7.4 \
+    crate://crates.io/yoke-derive/0.7.4 \
+    crate://crates.io/zerofrom/0.1.4 \
+    crate://crates.io/zerofrom-derive/0.1.4 \
+    crate://crates.io/zeroize/1.8.1 \
+    crate://crates.io/zeroize_derive/1.4.2 \
+    crate://crates.io/zerovec/0.10.4 \
+    crate://crates.io/zerovec-derive/0.10.3 \
+"
+
+SRC_URI[aead-0.5.2.sha256sum] = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0"
+SRC_URI[aes-0.8.4.sha256sum] = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0"
+SRC_URI[aes-gcm-0.10.3.sha256sum] = "831010a0f742e1209b3bcea8fab6a8e149051ba6099432c8cb2cc117dec3ead1"
+SRC_URI[aho-corasick-1.1.3.sha256sum] = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916"
+SRC_URI[android-tzdata-0.1.1.sha256sum] = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
+SRC_URI[android_system_properties-0.1.5.sha256sum] = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+SRC_URI[anstyle-1.0.7.sha256sum] = "038dfcf04a5feb68e9c60b21c9625a54c2c0616e79b72b0fd87075a056ae1d1b"
+SRC_URI[anyhow-1.0.86.sha256sum] = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da"
+SRC_URI[ascii-canvas-3.0.0.sha256sum] = "8824ecca2e851cec16968d54a01dd372ef8f95b244fb84b84e70128be347c3c6"
+SRC_URI[assert_cmd-2.0.14.sha256sum] = "ed72493ac66d5804837f480ab3766c72bdfab91a65e565fc54fa9e42db0073a8"
+SRC_URI[autocfg-1.3.0.sha256sum] = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0"
+SRC_URI[base16ct-0.2.0.sha256sum] = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
+SRC_URI[base64-0.22.1.sha256sum] = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
+SRC_URI[base64ct-1.6.0.sha256sum] = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b"
+SRC_URI[bindgen-0.68.1.sha256sum] = "726e4313eb6ec35d2730258ad4e15b547ee75d6afaa1361a922e78e59b7d8078"
+SRC_URI[bit-set-0.5.3.sha256sum] = "0700ddab506f33b20a03b13996eccd309a48e5ff77d0d95926aa0210fb4e95f1"
+SRC_URI[bit-vec-0.6.3.sha256sum] = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
+SRC_URI[bitflags-2.6.0.sha256sum] = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de"
+SRC_URI[block-buffer-0.10.4.sha256sum] = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+SRC_URI[block-padding-0.3.3.sha256sum] = "a8894febbff9f758034a5b8e12d87918f56dfc64a8e1fe757d65e29041538d93"
+SRC_URI[blowfish-0.9.1.sha256sum] = "e412e2cd0f2b2d93e02543ceae7917b3c70331573df19ee046bcbc35e45e87d7"
+SRC_URI[botan-0.10.7.sha256sum] = "350081af1a3c6883f8a1f863ac553bfe6922589aad60008a70947765ed57c53e"
+SRC_URI[botan-sys-0.10.5.sha256sum] = "9f49dde1b8ebd2996cc41c55c39f6ef8b54e38148d8973aeba0792b87b1621ca"
+SRC_URI[bstr-1.9.1.sha256sum] = "05efc5cfd9110c8416e471df0e96702d58690178e206e61b7173706673c93706"
+SRC_URI[buffered-reader-1.3.1.sha256sum] = "cd098763fdb64579407a8c83cf0d751e6d4a7e161d0114c89cc181a2ca760ec8"
+SRC_URI[bumpalo-3.16.0.sha256sum] = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c"
+SRC_URI[byteorder-1.5.0.sha256sum] = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
+SRC_URI[camellia-0.1.0.sha256sum] = "3264e2574e9ef2b53ce6f536dea83a69ac0bc600b762d1523ff83fe07230ce30"
+SRC_URI[cast5-0.11.1.sha256sum] = "26b07d673db1ccf000e90f54b819db9e75a8348d6eb056e9b8ab53231b7a9911"
+SRC_URI[cc-1.0.106.sha256sum] = "066fce287b1d4eafef758e89e09d724a24808a9196fe9756b8ca90e86d0719a2"
+SRC_URI[cdylib-link-lines-0.1.5.sha256sum] = "d98eabef08bbdf5afd0b9c0cabb1ac335f7c70447ef095eed85dffd9628b20bc"
+SRC_URI[cexpr-0.6.0.sha256sum] = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
+SRC_URI[cfb-mode-0.8.2.sha256sum] = "738b8d467867f80a71351933f70461f5b56f24d5c93e0cf216e59229c968d330"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[chrono-0.4.38.sha256sum] = "a21f936df1771bf62b77f047b726c4625ff2e8aa607c01ec06e5a05bd8463401"
+SRC_URI[cipher-0.4.4.sha256sum] = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
+SRC_URI[clang-sys-1.8.1.sha256sum] = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4"
+SRC_URI[cmac-0.7.2.sha256sum] = "8543454e3c3f5126effff9cd44d562af4e31fb8ce1cc0d3dcd8f084515dbc1aa"
+SRC_URI[const-oid-0.9.6.sha256sum] = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+SRC_URI[core-foundation-sys-0.8.6.sha256sum] = "06ea2b9bc92be3c2baa9334a323ebca2d6f074ff852cd1d7b11064035cd3868f"
+SRC_URI[cpufeatures-0.2.12.sha256sum] = "53fe5e26ff1b7aef8bca9c6080520cfb8d9333c7568e1829cef191a9723e5504"
+SRC_URI[crunchy-0.2.2.sha256sum] = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7"
+SRC_URI[crypto-bigint-0.5.5.sha256sum] = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
+SRC_URI[crypto-common-0.1.6.sha256sum] = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+SRC_URI[ctr-0.9.2.sha256sum] = "0369ee1ad671834580515889b80f2ea915f23b8be8d0daa4bbaf2ac5c7590835"
+SRC_URI[curve25519-dalek-4.1.3.sha256sum] = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
+SRC_URI[curve25519-dalek-derive-0.1.1.sha256sum] = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
+SRC_URI[dbl-0.3.2.sha256sum] = "bd2735a791158376708f9347fe8faba9667589d82427ef3aed6794a8981de3d9"
+SRC_URI[der-0.7.9.sha256sum] = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0"
+SRC_URI[des-0.8.1.sha256sum] = "ffdd80ce8ce993de27e9f063a444a4d53ce8e8db4c1f00cc03af5ad5a9867a1e"
+SRC_URI[difflib-0.4.0.sha256sum] = "6184e33543162437515c2e2b48714794e37845ec9851711914eec9d308f6ebe8"
+SRC_URI[digest-0.10.7.sha256sum] = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+SRC_URI[dirs-next-2.0.0.sha256sum] = "b98cf8ebf19c3d1b223e151f99a4f9f0690dca41414773390fc824184ac833e1"
+SRC_URI[dirs-sys-next-0.1.2.sha256sum] = "4ebda144c4fe02d1f7ea1a7d9641b6fc6b580adcfa024ae48797ecdeb6825b4d"
+SRC_URI[displaydoc-0.2.5.sha256sum] = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
+SRC_URI[doc-comment-0.3.3.sha256sum] = "fea41bba32d969b513997752735605054bc0dfa92b4c56bf1189f2e174be7a10"
+SRC_URI[dsa-0.6.3.sha256sum] = "48bc224a9084ad760195584ce5abb3c2c34a225fa312a128ad245a6b412b7689"
+SRC_URI[dyn-clone-1.0.17.sha256sum] = "0d6ef0072f8a535281e4876be788938b528e9a1d43900b82c2569af7da799125"
+SRC_URI[eax-0.5.0.sha256sum] = "9954fabd903b82b9d7a68f65f97dc96dd9ad368e40ccc907a7c19d53e6bfac28"
+SRC_URI[ecb-0.1.2.sha256sum] = "1a8bfa975b1aec2145850fcaa1c6fe269a16578c44705a532ae3edc92b8881c7"
+SRC_URI[ecdsa-0.16.9.sha256sum] = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
+SRC_URI[ed25519-2.2.3.sha256sum] = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53"
+SRC_URI[ed25519-dalek-2.1.1.sha256sum] = "4a3daa8e81a3963a60642bcc1f90a670680bd4a77535faa384e9d1c79d620871"
+SRC_URI[either-1.13.0.sha256sum] = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0"
+SRC_URI[elliptic-curve-0.13.8.sha256sum] = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
+SRC_URI[ena-0.14.3.sha256sum] = "3d248bdd43ce613d87415282f69b9bb99d947d290b10962dd6c56233312c2ad5"
+SRC_URI[equivalent-1.0.1.sha256sum] = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5"
+SRC_URI[errno-0.3.9.sha256sum] = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba"
+SRC_URI[fastrand-2.1.0.sha256sum] = "9fc0510504f03c51ada170672ac806f1f105a88aa97a5281117e1ddc3368e51a"
+SRC_URI[ff-0.13.0.sha256sum] = "ded41244b729663b1e574f1b4fb731469f69f79c17667b5d776b16cda0479449"
+SRC_URI[fiat-crypto-0.2.9.sha256sum] = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
+SRC_URI[fixedbitset-0.4.2.sha256sum] = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80"
+SRC_URI[foreign-types-0.3.2.sha256sum] = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+SRC_URI[foreign-types-shared-0.1.1.sha256sum] = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+SRC_URI[generic-array-0.14.7.sha256sum] = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+SRC_URI[generic-array-1.1.0.sha256sum] = "96512db27971c2c3eece70a1e106fbe6c87760234e31e8f7e5634912fe52794a"
+SRC_URI[getrandom-0.2.15.sha256sum] = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
+SRC_URI[ghash-0.5.1.sha256sum] = "f0d8a4362ccb29cb0b265253fb0a2728f592895ee6854fd9bc13f2ffda266ff1"
+SRC_URI[glob-0.3.1.sha256sum] = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
+SRC_URI[group-0.13.0.sha256sum] = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
+SRC_URI[hashbrown-0.14.5.sha256sum] = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1"
+SRC_URI[hkdf-0.12.4.sha256sum] = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7"
+SRC_URI[hmac-0.12.1.sha256sum] = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
+SRC_URI[iana-time-zone-0.1.60.sha256sum] = "e7ffbb5a1b541ea2561f8c41c087286cc091e21e556a4f09a8f6cbf17b69b141"
+SRC_URI[iana-time-zone-haiku-0.1.2.sha256sum] = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
+SRC_URI[icu_collections-1.5.0.sha256sum] = "db2fa452206ebee18c4b5c2274dbf1de17008e874b4dc4f0aea9d01ca79e4526"
+SRC_URI[icu_locid-1.5.0.sha256sum] = "13acbb8371917fc971be86fc8057c41a64b521c184808a698c02acc242dbf637"
+SRC_URI[icu_locid_transform-1.5.0.sha256sum] = "01d11ac35de8e40fdeda00d9e1e9d92525f3f9d887cdd7aa81d727596788b54e"
+SRC_URI[icu_locid_transform_data-1.5.0.sha256sum] = "fdc8ff3388f852bede6b579ad4e978ab004f139284d7b28715f773507b946f6e"
+SRC_URI[icu_normalizer-1.5.0.sha256sum] = "19ce3e0da2ec68599d193c93d088142efd7f9c5d6fc9b803774855747dc6a84f"
+SRC_URI[icu_normalizer_data-1.5.0.sha256sum] = "f8cafbf7aa791e9b22bec55a167906f9e1215fd475cd22adfcf660e03e989516"
+SRC_URI[icu_properties-1.5.1.sha256sum] = "93d6020766cfc6302c15dbbc9c8778c37e62c14427cb7f6e601d849e092aeef5"
+SRC_URI[icu_properties_data-1.5.0.sha256sum] = "67a8effbc3dd3e4ba1afa8ad918d5684b8868b3b26500753effea8d2eed19569"
+SRC_URI[icu_provider-1.5.0.sha256sum] = "6ed421c8a8ef78d3e2dbc98a973be2f3770cb42b606e3ab18d6237c4dfde68d9"
+SRC_URI[icu_provider_macros-1.5.0.sha256sum] = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6"
+SRC_URI[idea-0.5.1.sha256sum] = "075557004419d7f2031b8bb7f44bb43e55a83ca7b63076a8fb8fe75753836477"
+SRC_URI[idna-1.0.2.sha256sum] = "bd69211b9b519e98303c015e21a007e293db403b6c85b9b124e133d25e242cdd"
+SRC_URI[indexmap-2.2.6.sha256sum] = "168fb715dda47215e360912c096649d23d58bf392ac62f73919e831745e40f26"
+SRC_URI[inout-0.1.3.sha256sum] = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5"
+SRC_URI[itertools-0.11.0.sha256sum] = "b1c173a5686ce8bfa551b3563d0c2170bf24ca44da99c7ca4bfdab5418c3fe57"
+SRC_URI[js-sys-0.3.69.sha256sum] = "29c15563dc2726973df627357ce0c9ddddbea194836909d655df6a75d2cf296d"
+SRC_URI[lalrpop-0.20.2.sha256sum] = "55cb077ad656299f160924eb2912aa147d7339ea7d69e1b5517326fdcec3c1ca"
+SRC_URI[lalrpop-util-0.20.2.sha256sum] = "507460a910eb7b32ee961886ff48539633b788a36b65692b95f225b844c82553"
+SRC_URI[lazy_static-1.5.0.sha256sum] = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
+SRC_URI[lazycell-1.3.0.sha256sum] = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
+SRC_URI[libc-0.2.155.sha256sum] = "97b3888a4aecf77e811145cadf6eef5901f4782c53886191b2f693f24761847c"
+SRC_URI[libloading-0.8.4.sha256sum] = "e310b3a6b5907f99202fcdb4960ff45b93735d7c7d96b760fcff8db2dc0e103d"
+SRC_URI[libm-0.2.8.sha256sum] = "4ec2a862134d2a7d32d7983ddcdd1c4923530833c9f2ea1a44fc5fa473989058"
+SRC_URI[libredox-0.1.3.sha256sum] = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
+SRC_URI[linux-raw-sys-0.4.14.sha256sum] = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89"
+SRC_URI[litemap-0.7.3.sha256sum] = "643cb0b8d4fcc284004d5fd0d67ccf61dfffadb7f75e1e71bc420f4688a3a704"
+SRC_URI[lock_api-0.4.12.sha256sum] = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17"
+SRC_URI[log-0.4.22.sha256sum] = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
+SRC_URI[md-5-0.10.6.sha256sum] = "d89e7ee0cfbedfc4da3340218492196241d89eefb6dab27de5df917a6d2e78cf"
+SRC_URI[memchr-2.7.4.sha256sum] = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
+SRC_URI[memsec-0.7.0.sha256sum] = "c797b9d6bb23aab2fc369c65f871be49214f5c759af65bde26ffaaa2b646b492"
+SRC_URI[minimal-lexical-0.2.1.sha256sum] = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+SRC_URI[nettle-7.4.0.sha256sum] = "44e6ff4a94e5d34a1fd5abbd39418074646e2fa51b257198701330f22fcd6936"
+SRC_URI[nettle-sys-2.3.0.sha256sum] = "b495053a10a19a80e3a26bf1212e92e29350797b5f5bdc58268c3f3f818e66ec"
+SRC_URI[new_debug_unreachable-1.0.6.sha256sum] = "650eef8c711430f1a879fdd01d4745a7deea475becfb90269c06775983bbf086"
+SRC_URI[nom-7.1.3.sha256sum] = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+SRC_URI[num-bigint-dig-0.8.4.sha256sum] = "dc84195820f291c7697304f3cbdadd1cb7199c0efc917ff5eafd71225c136151"
+SRC_URI[num-integer-0.1.46.sha256sum] = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
+SRC_URI[num-iter-0.1.45.sha256sum] = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf"
+SRC_URI[num-traits-0.2.19.sha256sum] = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+SRC_URI[once_cell-1.19.0.sha256sum] = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
+SRC_URI[opaque-debug-0.3.1.sha256sum] = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
+SRC_URI[openssl-0.10.64.sha256sum] = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f"
+SRC_URI[openssl-macros-0.1.1.sha256sum] = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+SRC_URI[openssl-sys-0.9.102.sha256sum] = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2"
+SRC_URI[p256-0.13.2.sha256sum] = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b"
+SRC_URI[p384-0.13.0.sha256sum] = "70786f51bcc69f6a4c0360e063a4cac5419ef7c5cd5b3c99ad70f3be5ba79209"
+SRC_URI[p521-0.13.3.sha256sum] = "0fc9e2161f1f215afdfce23677034ae137bbd45016a880c2eb3ba8eb95f085b2"
+SRC_URI[parking_lot-0.12.3.sha256sum] = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27"
+SRC_URI[parking_lot_core-0.9.10.sha256sum] = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8"
+SRC_URI[peeking_take_while-0.1.2.sha256sum] = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
+SRC_URI[pem-rfc7468-0.7.0.sha256sum] = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
+SRC_URI[petgraph-0.6.5.sha256sum] = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
+SRC_URI[phf_shared-0.10.0.sha256sum] = "b6796ad771acdc0123d2a88dc428b5e38ef24456743ddb1744ed628f9815c096"
+SRC_URI[pkcs1-0.7.5.sha256sum] = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f"
+SRC_URI[pkcs8-0.10.2.sha256sum] = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
+SRC_URI[pkg-config-0.3.30.sha256sum] = "d231b230927b5e4ad203db57bbcbee2802f6bce620b1e4a9024a07d94e2907ec"
+SRC_URI[polyval-0.6.2.sha256sum] = "9d1fe60d06143b2430aa532c94cfe9e29783047f06c0d7fd359a9a51b729fa25"
+SRC_URI[ppv-lite86-0.2.17.sha256sum] = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
+SRC_URI[precomputed-hash-0.1.1.sha256sum] = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c"
+SRC_URI[predicates-3.1.0.sha256sum] = "68b87bfd4605926cdfefc1c3b5f8fe560e3feca9d5552cf68c466d3d8236c7e8"
+SRC_URI[predicates-core-1.0.6.sha256sum] = "b794032607612e7abeb4db69adb4e33590fa6cf1149e95fd7cb00e634b92f174"
+SRC_URI[predicates-tree-1.0.9.sha256sum] = "368ba315fb8c5052ab692e68a0eefec6ec57b23a36959c14496f0b0df2c0cecf"
+SRC_URI[primeorder-0.13.6.sha256sum] = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6"
+SRC_URI[proc-macro2-1.0.86.sha256sum] = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77"
+SRC_URI[quote-1.0.36.sha256sum] = "0fa76aaf39101c457836aec0ce2316dbdc3ab723cdda1c6bd4e6ad4208acaca7"
+SRC_URI[rand-0.8.5.sha256sum] = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+SRC_URI[rand_core-0.6.4.sha256sum] = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+SRC_URI[redox_syscall-0.5.2.sha256sum] = "c82cf8cff14456045f55ec4241383baeff27af886adb72ffb2162f99911de0fd"
+SRC_URI[redox_users-0.4.5.sha256sum] = "bd283d9651eeda4b2a83a43c1c91b266c40fd76ecd39a50a8c630ae69dc72891"
+SRC_URI[regex-1.10.5.sha256sum] = "b91213439dad192326a0d7c6ee3955910425f441d7038e0d6933b0aec5c4517f"
+SRC_URI[regex-automata-0.4.7.sha256sum] = "38caf58cc5ef2fed281f89292ef23f6365465ed9a41b7a7754eb4e26496c92df"
+SRC_URI[regex-syntax-0.8.4.sha256sum] = "7a66a03ae7c801facd77a29370b4faec201768915ac14a721ba36f20bc9c209b"
+SRC_URI[rfc6979-0.4.0.sha256sum] = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
+SRC_URI[ripemd-0.1.3.sha256sum] = "bd124222d17ad93a644ed9d011a40f4fb64aa54275c08cc216524a9ea82fb09f"
+SRC_URI[rsa-0.9.6.sha256sum] = "5d0e5124fcb30e76a7e79bfee683a2746db83784b86289f6251b54b7950a0dfc"
+SRC_URI[rustc-hash-1.1.0.sha256sum] = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
+SRC_URI[rustc_version-0.4.0.sha256sum] = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366"
+SRC_URI[rustix-0.38.34.sha256sum] = "70dc5ec042f7a43c4a73241207cecc9873a06d45debb38b329f8541d85c2730f"
+SRC_URI[rustversion-1.0.17.sha256sum] = "955d28af4278de8121b7ebeb796b6a45735dc01436d898801014aced2773a3d6"
+SRC_URI[same-file-1.0.6.sha256sum] = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+SRC_URI[scopeguard-1.2.0.sha256sum] = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+SRC_URI[sec1-0.7.3.sha256sum] = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
+SRC_URI[semver-1.0.23.sha256sum] = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b"
+SRC_URI[sequoia-openpgp-1.21.1.sha256sum] = "b870b0275eeae174058fcf0ce5affccaaafeb7eceeabce8d6c7f51fbe6a41e2a"
+SRC_URI[sequoia-policy-config-0.6.0.sha256sum] = "757d45d308f2bd9c0d6fdd640f320998ad24856bdf2890ddd28d3c3b85808274"
+SRC_URI[serde-1.0.204.sha256sum] = "bc76f558e0cbb2a839d37354c575f1dc3fdc6546b5be373ba43d95f231bf7c12"
+SRC_URI[serde_derive-1.0.204.sha256sum] = "e0cd7e117be63d3c3678776753929474f3b04a43a080c744d6b0ae2a8c28e222"
+SRC_URI[sha1collisiondetection-0.3.4.sha256sum] = "1f606421e4a6012877e893c399822a4ed4b089164c5969424e1b9d1e66e6964b"
+SRC_URI[sha2-0.10.8.sha256sum] = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8"
+SRC_URI[shlex-1.3.0.sha256sum] = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+SRC_URI[signature-2.2.0.sha256sum] = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
+SRC_URI[siphasher-0.3.11.sha256sum] = "38b58827f4464d87d377d175e90bf58eb00fd8716ff0a62f80356b5e61555d0d"
+SRC_URI[smallvec-1.13.2.sha256sum] = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67"
+SRC_URI[spin-0.9.8.sha256sum] = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
+SRC_URI[spki-0.7.3.sha256sum] = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
+SRC_URI[stable_deref_trait-1.2.0.sha256sum] = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
+SRC_URI[string_cache-0.8.7.sha256sum] = "f91138e76242f575eb1d3b38b4f1362f10d3a43f47d182a5b359af488a02293b"
+SRC_URI[subtle-2.6.1.sha256sum] = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+SRC_URI[syn-2.0.70.sha256sum] = "2f0209b68b3613b093e0ec905354eccaedcfe83b8cb37cbdeae64026c3064c16"
+SRC_URI[synstructure-0.13.1.sha256sum] = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971"
+SRC_URI[tempfile-3.10.1.sha256sum] = "85b77fafb263dd9d05cbeac119526425676db3784113aa9295c88498cbf8bff1"
+SRC_URI[term-0.7.0.sha256sum] = "c59df8ac95d96ff9bede18eb7300b0fda5e5d8d90960e76f8e14ae765eedbf1f"
+SRC_URI[termtree-0.4.1.sha256sum] = "3369f5ac52d5eb6ab48c6b4ffdc8efbcad6b89c765749064ba298f2c68a16a76"
+SRC_URI[thiserror-1.0.61.sha256sum] = "c546c80d6be4bc6a00c0f01730c08df82eaa7a7a61f11d656526506112cc1709"
+SRC_URI[thiserror-impl-1.0.61.sha256sum] = "46c3384250002a6d5af4d114f2845d37b57521033f30d5c3f46c4d70e1197533"
+SRC_URI[tiny-keccak-2.0.2.sha256sum] = "2c9d3793400a45f954c52e73d068316d76b6f4e36977e3fcebb13a2721e80237"
+SRC_URI[tinystr-0.7.6.sha256sum] = "9117f5d4db391c1cf6927e7bea3db74b9a1c1add8f7eda9ffd5364f40f57b82f"
+SRC_URI[toml-0.5.11.sha256sum] = "f4f7f0dd8d50a853a531c426359045b1998f04219d88799810762cd4ad314234"
+SRC_URI[twofish-0.7.1.sha256sum] = "a78e83a30223c757c3947cd144a31014ff04298d8719ae10d03c31c0448c8013"
+SRC_URI[typenum-1.17.0.sha256sum] = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
+SRC_URI[unicode-ident-1.0.12.sha256sum] = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
+SRC_URI[unicode-xid-0.2.4.sha256sum] = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"
+SRC_URI[universal-hash-0.5.1.sha256sum] = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea"
+SRC_URI[utf16_iter-1.0.5.sha256sum] = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246"
+SRC_URI[utf8_iter-1.0.4.sha256sum] = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
+SRC_URI[vcpkg-0.2.15.sha256sum] = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+SRC_URI[version_check-0.9.4.sha256sum] = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+SRC_URI[wait-timeout-0.2.0.sha256sum] = "9f200f5b12eb75f8c1ed65abd4b2db8a6e1b138a20de009dacee265a2498f3f6"
+SRC_URI[walkdir-2.5.0.sha256sum] = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+SRC_URI[wasi-0.11.0+wasi-snapshot-preview1.sha256sum] = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+SRC_URI[wasm-bindgen-0.2.92.sha256sum] = "4be2531df63900aeb2bca0daaaddec08491ee64ceecbee5076636a3b026795a8"
+SRC_URI[wasm-bindgen-backend-0.2.92.sha256sum] = "614d787b966d3989fa7bb98a654e369c762374fd3213d212cfc0251257e747da"
+SRC_URI[wasm-bindgen-macro-0.2.92.sha256sum] = "a1f8823de937b71b9460c0c34e25f3da88250760bec0ebac694b49997550d726"
+SRC_URI[wasm-bindgen-macro-support-0.2.92.sha256sum] = "e94f17b526d0a461a191c78ea52bbce64071ed5c04c9ffe424dcb38f74171bb7"
+SRC_URI[wasm-bindgen-shared-0.2.92.sha256sum] = "af190c94f2773fdb3729c55b007a722abb5384da03bc0986df4c289bf5567e96"
+SRC_URI[win-crypto-ng-0.5.1.sha256sum] = "99abfb435a71e54ab2971d8d8c32f1a7e006cdbf527f71743b1d45b93517bb92"
+SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+SRC_URI[winapi-util-0.1.8.sha256sum] = "4d4cc384e1e73b93bafa6fb4f1df8c41695c8a91cf9c4c64358067d15a7b6c6b"
+SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+SRC_URI[windows-core-0.52.0.sha256sum] = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9"
+SRC_URI[windows-sys-0.52.0.sha256sum] = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
+SRC_URI[windows-targets-0.52.6.sha256sum] = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
+SRC_URI[windows_aarch64_gnullvm-0.52.6.sha256sum] = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
+SRC_URI[windows_aarch64_msvc-0.52.6.sha256sum] = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
+SRC_URI[windows_i686_gnu-0.52.6.sha256sum] = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
+SRC_URI[windows_i686_gnullvm-0.52.6.sha256sum] = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
+SRC_URI[windows_i686_msvc-0.52.6.sha256sum] = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
+SRC_URI[windows_x86_64_gnu-0.52.6.sha256sum] = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
+SRC_URI[windows_x86_64_gnullvm-0.52.6.sha256sum] = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
+SRC_URI[windows_x86_64_msvc-0.52.6.sha256sum] = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
+SRC_URI[write16-1.0.0.sha256sum] = "d1890f4022759daae28ed4fe62859b1236caebfc61ede2f63ed4e695f3f6d936"
+SRC_URI[writeable-0.5.5.sha256sum] = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51"
+SRC_URI[x25519-dalek-2.0.1.sha256sum] = "c7e468321c81fb07fa7f4c636c3972b9100f0346e5b6a9f2bd0603a52f7ed277"
+SRC_URI[xxhash-rust-0.8.11.sha256sum] = "63658493314859b4dfdf3fb8c1defd61587839def09582db50b8a4e93afca6bb"
+SRC_URI[yoke-0.7.4.sha256sum] = "6c5b1314b079b0930c31e3af543d8ee1757b1951ae1e1565ec704403a7240ca5"
+SRC_URI[yoke-derive-0.7.4.sha256sum] = "28cc31741b18cb6f1d5ff12f5b7523e3d6eb0852bbbad19d73905511d9849b95"
+SRC_URI[zerofrom-0.1.4.sha256sum] = "91ec111ce797d0e0784a1116d0ddcdbea84322cd79e5d5ad173daeba4f93ab55"
+SRC_URI[zerofrom-derive-0.1.4.sha256sum] = "0ea7b4a3637ea8669cedf0f1fd5c286a17f3de97b8dd5a70a6c167a1730e63a5"
+SRC_URI[zeroize-1.8.1.sha256sum] = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+SRC_URI[zeroize_derive-1.4.2.sha256sum] = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
+SRC_URI[zerovec-0.10.4.sha256sum] = "aa2b893d79df23bfb12d5461018d408ea19dfafe76c2c7ef6d4eba614f8ff079"
+SRC_URI[zerovec-derive-0.10.3.sha256sum] = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6"
diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia_1.7.0.bb b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia_1.7.0.bb
new file mode 100644
index 0000000000..57062b100a
--- /dev/null
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia_1.7.0.bb
@@ -0,0 +1,60 @@
+SUMMARY = "An OpenPGP backend for rpm using Sequoia PGP"
+HOMEPAGE = "https://sequoia-pgp.org/"
+
+# The license line is taken verbatim from Fedora's specfile
+# with formatting differences for Yocto. (AND -> &, OR -> |)
+# https://src.fedoraproject.org/rpms/rust-rpm-sequoia/blob/rawhide/f/rust-rpm-sequoia.spec
+LICENSE = "LGPL-2.0-or-later & Apache-2.0 & BSL-1.0 & MIT & Unicode-DFS-2016 & (Apache-2.0 | MIT) & (MIT | Apache-2.0 | Zlib) & (Unlicense | MIT)"
+
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=f0ff5ff7747cf7d394079c6ae87f5f0c"
+
+DEPENDS = "openssl"
+
+inherit pkgconfig rust cargo cargo-update-recipe-crates
+
+SRC_URI = "git://github.com/rpm-software-management/rpm-sequoia.git;protocol=https;branch=main"
+
+SRCREV = "0667e04ae7fb8cf0490919978d69883d16400e41"
+
+S = "${UNPACKDIR}/git"
+
+require ${BPN}-crates.inc
+
+CARGO_BUILD_FLAGS += "--no-default-features --features crypto-openssl"
+CARGO_INSTALL_LIBRARIES = "1"
+
+do_compile:prepend () {
+	# rpm-sequoia.pc is generated in the source directory
+	# but the target directory does not exist there.
+	mkdir -p ${S}/target/release
+
+	# From rpm-sequoia's README.md:
+	#
+	# We also set two environment variables when calling `cargo build`:
+	# * `PREFIX` is the prefix that will be used in the generated
+	#   `rpm-sequoia.pc` file. It defaults to `/usr/local`.
+	# * `LIBDIR` is the installed library path listed in the generated
+	#   metadata. It can be an absolute path or one based on `${prefix}`,
+	#   and defaults to `${prefix}/lib`.
+
+	export PREFIX="${prefix}"
+	export LIBDIR="${libdir}"
+}
+
+do_install:append () {
+	# Move the library to the correct location expected by rpm-sequoia.pc
+	mkdir -p ${D}${libdir}
+	mv ${D}${rustlibdir}/librpm_sequoia.so ${D}${libdir}/librpm_sequoia.so.1
+	ln -s librpm_sequoia.so.1 ${D}${libdir}/librpm_sequoia.so
+
+	rmdir -p --ignore-fail-on-non-empty ${D}${rustlibdir}
+
+	# rpm-sequoia does not install its pkgconfig file. Do it manually.
+	mkdir -p ${D}${libdir}/pkgconfig
+	install -m644 ${S}/target/release/rpm-sequoia.pc ${D}${libdir}/pkgconfig
+}
+
+RDEPENDS:${PN} = "rpm-sequoia-crypto-policy"
+PACKAGE_WRITE_DEPS += "rpm-sequoia-crypto-policy-native"
+
+BBCLASSEXTEND = "native"
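Review bot: in do_install:append the library is renamed to `librpm_sequoia.so.1` with the version suffix hard-coded, and nothing in the recipe ties that `1` to the SONAME the build actually records. A comment saying where the suffix comes from (or deriving it) would keep a future upstream bump from shipping a mismatched name. In the same hunk, do_compile:prepend creates `${S}/target/release` and do_install reads `rpm-sequoia.pc` from there, so build output lands in the source tree; the comment should say why `${B}` cannot be used. Style: `install -d` and `install -m 0644` are the usual OE-core forms for `mkdir -p` and `install -m644`.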
-- 
2.48.1




* [OE-core][PATCH v12 3/5] rpm: Set SEQUOIA_CRYPTO_POLICY in wrapped tools
  2025-02-12  4:35 [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe Zoltán Böszörményi
  2025-02-12  4:35 ` [OE-core][PATCH v12 2/5] rpm-sequoia: New recipe for version 1.7.0 Zoltán Böszörményi
@ 2025-02-12  4:35 ` Zoltán Böszörményi
  2025-02-12  4:35 ` [OE-core][PATCH v12 4/5] dnf: " Zoltán Böszörményi
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 20+ messages in thread
From: Zoltán Böszörményi @ 2025-02-12  4:35 UTC (permalink / raw)
  To: openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj, Mathieu Dubois-Briand,
	Richard Purdie, Zoltán Böszörményi

Point to the crypto policy file so RPM signing may work.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 meta/recipes-devtools/rpm/rpm_4.20.0.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-devtools/rpm/rpm_4.20.0.bb b/meta/recipes-devtools/rpm/rpm_4.20.0.bb
index 45487ad32c..281fde1c82 100644
--- a/meta/recipes-devtools/rpm/rpm_4.20.0.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.20.0.bb
@@ -100,6 +100,7 @@ WRAPPER_TOOLS = " \
 do_install:append:class-native() {
         for tool in ${WRAPPER_TOOLS}; do
                 test -x ${D}$tool && create_wrapper ${D}$tool \
+                        SEQUOIA_CRYPTO_POLICY=${STAGING_DATADIR_NATIVE}/crypto-policies/back-ends/rpm-sequoia.config \
                         RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \
                         RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE} \
                         MAGIC=${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc \
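Review bot: the added line exports `SEQUOIA_CRYPTO_POLICY` for every tool in `WRAPPER_TOOLS` unconditionally, while patch 5/5 of this series shows the sequoia backend is opt-in through `PACKAGECONFIG`, and this hunk adds no dependency that guarantees `rpm-sequoia.config` is present in the native sysroot. Either make the variable conditional on the sequoia PACKAGECONFIG, or state in the commit message that pointing at a missing file is harmless when the backend is off.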
-- 
2.48.1




* [OE-core][PATCH v12 4/5] dnf: Set SEQUOIA_CRYPTO_POLICY in wrapped tools
  2025-02-12  4:35 [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe Zoltán Böszörményi
  2025-02-12  4:35 ` [OE-core][PATCH v12 2/5] rpm-sequoia: New recipe for version 1.7.0 Zoltán Böszörményi
  2025-02-12  4:35 ` [OE-core][PATCH v12 3/5] rpm: Set SEQUOIA_CRYPTO_POLICY in wrapped tools Zoltán Böszörményi
@ 2025-02-12  4:35 ` Zoltán Böszörményi
  2025-02-12  4:35 ` [OE-core][PATCH v12 5/5] oeqa/selftest/cases/signing.py: Re-enable self-test Zoltán Böszörményi
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 20+ messages in thread
From: Zoltán Böszörményi @ 2025-02-12  4:35 UTC (permalink / raw)
  To: openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj, Mathieu Dubois-Briand,
	Richard Purdie, Zoltán Böszörményi

Point to the crypto policy file so dnf can work with signed packages.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 meta/recipes-devtools/dnf/dnf_4.22.0.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-devtools/dnf/dnf_4.22.0.bb b/meta/recipes-devtools/dnf/dnf_4.22.0.bb
index f9d6ea1fa6..e5ac3c9824 100644
--- a/meta/recipes-devtools/dnf/dnf_4.22.0.bb
+++ b/meta/recipes-devtools/dnf/dnf_4.22.0.bb
@@ -69,6 +69,7 @@ do_install:append() {
 # Direct dnf-native to read rpm configuration from our sysroot, not the one it was compiled in
 do_install:append:class-native() {
         create_wrapper ${D}/${bindir}/dnf \
+                SEQUOIA_CRYPTO_POLICY=${STAGING_DATADIR_NATIVE}/crypto-policies/back-ends/rpm-sequoia.config \
                 RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \
                 RPM_NO_CHROOT_FOR_SCRIPTS=1
 }
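Review bot: the `SEQUOIA_CRYPTO_POLICY` path on the added line is the same literal that patch 3/5 adds to the rpm wrapper, so the two recipes can drift apart if the policy file ever moves. Defining the path once, in a variable both recipes reference, would avoid that. The existing comment above do_install:append:class-native only mentions rpm configuration and should be extended to say why the crypto policy is set here as well.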
-- 
2.48.1




* [OE-core][PATCH v12 5/5] oeqa/selftest/cases/signing.py: Re-enable self-test
  2025-02-12  4:35 [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe Zoltán Böszörményi
                   ` (2 preceding siblings ...)
  2025-02-12  4:35 ` [OE-core][PATCH v12 4/5] dnf: " Zoltán Böszörményi
@ 2025-02-12  4:35 ` Zoltán Böszörményi
  2025-02-13 13:36 ` [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe Mathieu Dubois-Briand
  2025-02-13 15:21 ` [OE-core][PATCH v12.1 " Zoltán Böszörményi
  5 siblings, 0 replies; 20+ messages in thread
From: Zoltán Böszörményi @ 2025-02-12  4:35 UTC (permalink / raw)
  To: openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj, Mathieu Dubois-Briand,
	Richard Purdie, Zoltán Böszörményi

With all the pieces in place, the self test can be re-enabled.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 meta/lib/oeqa/selftest/cases/signing.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py
index 51d1c3fa64..4df45ba032 100644
--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -71,7 +71,6 @@ class Signing(OESelftestTestCase):
         """
         import oe.packagedata
 
-        self.skipTest('This test requires rpm-sequoia support in rpm')
         self.setup_gpg()
 
         package_classes = get_bb_var('PACKAGE_CLASSES')
@@ -84,6 +83,8 @@ class Signing(OESelftestTestCase):
         feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
         feature += 'RPM_GPG_NAME = "testuser"\n'
         feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
+        feature += 'PACKAGECONFIG:append:pn-rpm-native = " sequoia"\n'
+        feature += 'PACKAGECONFIG:append:pn-rpm = " sequoia"\n'
 
         self.write_config(feature)
 
-- 
2.48.1




* Re: [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe
  2025-02-12  4:35 [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe Zoltán Böszörményi
                   ` (3 preceding siblings ...)
  2025-02-12  4:35 ` [OE-core][PATCH v12 5/5] oeqa/selftest/cases/signing.py: Re-enable self-test Zoltán Böszörményi
@ 2025-02-13 13:36 ` Mathieu Dubois-Briand
  2025-02-13 14:20   ` Böszörményi Zoltán
       [not found]   ` <1823CA649EDDAA06.9844@lists.openembedded.org>
  2025-02-13 15:21 ` [OE-core][PATCH v12.1 " Zoltán Böszörményi
  5 siblings, 2 replies; 20+ messages in thread
From: Mathieu Dubois-Briand @ 2025-02-13 13:36 UTC (permalink / raw)
  To: Zoltán Böszörményi, openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj, Richard Purdie

On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
> This ships a crypto policy file for rpm-sequoia.
>
> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> ---

Hi Zoltán,

I believe we have a new issue with this version:

| python/build-crypto-policies.py --reloadcmds policies output
| /tmp/tmpqvyryz80: line 5: Bad configuration option: pubkeyacceptedalgorithms
| /tmp/tmpqvyryz80: line 6: Bad configuration option: hostbasedacceptedalgorithms
| /tmp/tmpqvyryz80: line 8: Bad configuration option: requiredrsasize
| /tmp/tmpqvyryz80: terminating, 3 bad configuration options
| There is an error in OpenSSH server generated policy

https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio

Can you have a look at this error please?

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com




* Re: [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe
  2025-02-13 13:36 ` [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe Mathieu Dubois-Briand
@ 2025-02-13 14:20   ` Böszörményi Zoltán
  2025-02-13 14:32     ` Richard Purdie
       [not found]   ` <1823CA649EDDAA06.9844@lists.openembedded.org>
  1 sibling, 1 reply; 20+ messages in thread
From: Böszörményi Zoltán @ 2025-02-13 14:20 UTC (permalink / raw)
  To: Mathieu Dubois-Briand, openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj, Richard Purdie

On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
>> This ships a crypto policy file for rpm-sequoia.
>>
>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>> ---
> Hi Zoltán,
>
> I believe we have a new issue with this version:
>
> | python/build-crypto-policies.py --reloadcmds policies output
> | /tmp/tmpqvyryz80: line 5: Bad configuration option: pubkeyacceptedalgorithms
> | /tmp/tmpqvyryz80: line 6: Bad configuration option: hostbasedacceptedalgorithms
> | /tmp/tmpqvyryz80: line 8: Bad configuration option: requiredrsasize
> | /tmp/tmpqvyryz80: terminating, 3 bad configuration options
> | There is an error in OpenSSH server generated policy
>
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
>
> Can you have a look at this error please?

I tested the recipe on Fedora 41 with:
* nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
* faking uninstalling it by renaming /usr/bin/nss-policy-check

Both worked.

Some of your build hosts where nss was not installed complained
about executing nss-policy-check unconditionally, which is now fixed.

I think this is on a build host with a very old nss version installed.
Can you uninstall it?




* Re: [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe
  2025-02-13 14:20   ` Böszörményi Zoltán
@ 2025-02-13 14:32     ` Richard Purdie
  2025-02-13 14:40       ` Böszörményi Zoltán
  0 siblings, 1 reply; 20+ messages in thread
From: Richard Purdie @ 2025-02-13 14:32 UTC (permalink / raw)
  To: Böszörményi Zoltán, Mathieu Dubois-Briand,
	openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj

On Thu, 2025-02-13 at 15:20 +0100, Böszörményi Zoltán wrote:
> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
> > On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
> > > This ships a crypto policy file for rpm-sequoia.
> > > 
> > > Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> > > ---
> > Hi Zoltán,
> > 
> > I believe we have a new issue with this version:
> > 
> > > python/build-crypto-policies.py --reloadcmds policies output
> > > /tmp/tmpqvyryz80: line 5: Bad configuration option:
> > > pubkeyacceptedalgorithms
> > > /tmp/tmpqvyryz80: line 6: Bad configuration option:
> > > hostbasedacceptedalgorithms
> > > /tmp/tmpqvyryz80: line 8: Bad configuration option:
> > > requiredrsasize
> > > /tmp/tmpqvyryz80: terminating, 3 bad configuration options
> > > There is an error in OpenSSH server generated policy
> > 
> > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
> > 
> > Can you have a look at this error please?
> 
> I tested the recipe on Fedora 41 with:
> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
> * faking uninstalling it by renaming /usr/bin/nss-policy-check
> 
> Both worked.
> 
> Some of your build hosts where nss was not installed complained
> about executing nss-policy-check unconditionally, which is now fixed.
> 
> I think this is on a build host with a very old nss version
> installed.
> Can you uninstall it?

We aim to filter the environment and work the same way in all cases so
this sounds like host contamination.

I think we may have to just stop it using it from the host
unconditionally.

Cheers,

Richard




* Re: [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe
  2025-02-13 14:32     ` Richard Purdie
@ 2025-02-13 14:40       ` Böszörményi Zoltán
  0 siblings, 0 replies; 20+ messages in thread
From: Böszörményi Zoltán @ 2025-02-13 14:40 UTC (permalink / raw)
  To: Richard Purdie, Mathieu Dubois-Briand, openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj

On 2025. 02. 13. 15:32, Richard Purdie wrote:
> On Thu, 2025-02-13 at 15:20 +0100, Böszörményi Zoltán wrote:
>> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
>>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
>>>> This ships a crypto policy file for rpm-sequoia.
>>>>
>>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>>>> ---
>>> Hi Zoltán,
>>>
>>> I believe we have a new issue with this version:
>>>
>>>> python/build-crypto-policies.py --reloadcmds policies output
>>>> /tmp/tmpqvyryz80: line 5: Bad configuration option:
>>>> pubkeyacceptedalgorithms
>>>> /tmp/tmpqvyryz80: line 6: Bad configuration option:
>>>> hostbasedacceptedalgorithms
>>>> /tmp/tmpqvyryz80: line 8: Bad configuration option:
>>>> requiredrsasize
>>>> /tmp/tmpqvyryz80: terminating, 3 bad configuration options
>>>> There is an error in OpenSSH server generated policy
>>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
>>>
>>> Can you have a look at this error please?
>> I tested the recipe on Fedora 41 with:
>> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
>> * faking uninstalling it by renaming /usr/bin/nss-policy-check
>>
>> Both worked.
>>
>> Some of your build hosts where nss was not installed complained
>> about executing nss-policy-check unconditionally, which is now fixed.
>>
>> I think this is on a build host with a very old nss version
>> installed.
>> Can you uninstall it?
> We aim to filter the environment and work the same way in all cases so
> this sounds like host contamination.
>
> I think we may have to just stop it using it from the host
> unconditionally.

It's not used unconditionally from the host anymore.
It's detected via shutil.which() so if it's in PATH, it is used. See:
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/032b418a6db842f0eab330eb5909e4604e888728




* Re: [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe
       [not found]   ` <1823CA649EDDAA06.9844@lists.openembedded.org>
@ 2025-02-13 14:43     ` Böszörményi Zoltán
  2025-02-13 15:06       ` Richard Purdie
       [not found]     ` <1823CBAB98621FC2.9844@lists.openembedded.org>
  1 sibling, 1 reply; 20+ messages in thread
From: Böszörményi Zoltán @ 2025-02-13 14:43 UTC (permalink / raw)
  To: Mathieu Dubois-Briand, openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj, Richard Purdie

On 2025. 02. 13. 15:20, Zoltan Boszormenyi via lists.openembedded.org wrote:
> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
>>> This ships a crypto policy file for rpm-sequoia.
>>>
>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>>> ---
>> Hi Zoltán,
>>
>> I believe we have a new issue with this version:
>>
>> | python/build-crypto-policies.py --reloadcmds policies output
>> | /tmp/tmpqvyryz80: line 5: Bad configuration option: pubkeyacceptedalgorithms
>> | /tmp/tmpqvyryz80: line 6: Bad configuration option: hostbasedacceptedalgorithms
>> | /tmp/tmpqvyryz80: line 8: Bad configuration option: requiredrsasize
>> | /tmp/tmpqvyryz80: terminating, 3 bad configuration options
>> | There is an error in OpenSSH server generated policy
>>
>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio 
>>
>>
>> Can you have a look at this error please?
>
> I tested the recipe on Fedora 41 with:
> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
> * faking uninstalling it by renaming /usr/bin/nss-policy-check
>
> Both worked.
>
> Some of your build hosts where nss was not installed complained
> about executing nss-policy-check unconditionally, which is now fixed.
>
> I think this is on a build host with a very old nss version installed.
> Can you uninstall it?

I found an alternative solution but it involves patching out
most of the policy generators:

================================================
$ git diff python/policygenerators/__init__.py
diff --git a/python/policygenerators/__init__.py b/python/policygenerators/__init__.py
index 0e3013e..180fb2a 100644
--- a/python/policygenerators/__init__.py
+++ b/python/policygenerators/__init__.py
@@ -3,34 +3,8 @@
  # Copyright (c) 2019 Red Hat, Inc.
  # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>

-from .bind import BindGenerator
-from .gnutls import GnuTLSGenerator
-from .java import JavaGenerator
-from .krb5 import KRB5Generator
-from .libreswan import LibreswanGenerator
-from .libssh import LibsshGenerator
-from .nss import NSSGenerator
-from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
-from .openssl import (
-    OpenSSLConfigGenerator,
-    OpenSSLFIPSGenerator,
-    OpenSSLGenerator,
-)
-from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
+from .sequoia import RPMSequoiaGenerator

  __all__ = [
-    'BindGenerator',
-    'GnuTLSGenerator',
-    'JavaGenerator',
-    'KRB5Generator',
-    'LibreswanGenerator',
-    'LibsshGenerator',
-    'NSSGenerator',
-    'OpenSSHClientGenerator',
-    'OpenSSHServerGenerator',
-    'OpenSSLConfigGenerator',
-    'OpenSSLFIPSGenerator',
-    'OpenSSLGenerator',
      'RPMSequoiaGenerator',
-    'SequoiaGenerator',
  ]
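Review bot: this hunk deletes every generator import and every `__all__` entry except `RPMSequoiaGenerator` (34 lines down to 8), so it will need rebasing whenever upstream adds or renames a generator in `__init__.py`. If the patch is carried, its header should state that the purpose is to keep the other generators' checks from running during the build and carry the `Upstream-Status` tag mentioned below, so the deletion is not mistaken for cleanup.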
================================================

That should work with this old nss version according to
the log.do_compile output.

I can't see an easy way to make these imports and list conditional,
so the patch would be "Upstream-Status: Inappropriate".

Since it should only happen for the native build, the patch can be

SRC_URI:append:class-native = "..."

As far as I know, /usr/bin is filtered from target builds but not from
native builds.




* Re: [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe
  2025-02-13 14:43     ` Böszörményi Zoltán
@ 2025-02-13 15:06       ` Richard Purdie
  2025-02-13 15:14         ` Böszörményi Zoltán
  0 siblings, 1 reply; 20+ messages in thread
From: Richard Purdie @ 2025-02-13 15:06 UTC (permalink / raw)
  To: Böszörményi Zoltán, Mathieu Dubois-Briand,
	openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj

On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
> On 2025. 02. 13. 15:20, Zoltan Boszormenyi via
> lists.openembedded.org wrote:
> > On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
> > > On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
> > > > This ships a crypto policy file for rpm-sequoia.
> > > > 
> > > > Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> > > > ---
> > > Hi Zoltán,
> > > 
> > > I believe we have a new issue with this version:
> > > 
> > > > python/build-crypto-policies.py --reloadcmds policies output
> > > > /tmp/tmpqvyryz80: line 5: Bad configuration option:
> > > > pubkeyacceptedalgorithms
> > > > /tmp/tmpqvyryz80: line 6: Bad configuration option:
> > > > hostbasedacceptedalgorithms
> > > > /tmp/tmpqvyryz80: line 8: Bad configuration option:
> > > > requiredrsasize
> > > > /tmp/tmpqvyryz80: terminating, 3 bad configuration options
> > > > There is an error in OpenSSH server generated policy
> > > 
> > > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
> > >  
> > > 
> > > 
> > > Can you have a look at this error please?
> > 
> > I tested the recipe on Fedora 41 with:
> > * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
> > * faking uninstalling it by renaming /usr/bin/nss-policy-check
> > 
> > Both worked.
> > 
> > Some of your build hosts where nss was not installed complained
> > about executing nss-policy-check unconditionally, which is now
> > fixed.
> > 
> > I think this is on a build host with a very old nss version
> > installed.
> > Can you uninstall it?
> 
> I found an alternative solution but it involves patching out
> most of the policy generators:
> 
> ================================================
> $ git diff python/policygenerators/__init__.py
> diff --git a/python/policygenerators/__init__.py
> b/python/policygenerators/__init__.py
> index 0e3013e..180fb2a 100644
> --- a/python/policygenerators/__init__.py
> +++ b/python/policygenerators/__init__.py
> @@ -3,34 +3,8 @@
>   # Copyright (c) 2019 Red Hat, Inc.
>   # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
> 
> -from .bind import BindGenerator
> -from .gnutls import GnuTLSGenerator
> -from .java import JavaGenerator
> -from .krb5 import KRB5Generator
> -from .libreswan import LibreswanGenerator
> -from .libssh import LibsshGenerator
> -from .nss import NSSGenerator
> -from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
> -from .openssl import (
> -    OpenSSLConfigGenerator,
> -    OpenSSLFIPSGenerator,
> -    OpenSSLGenerator,
> -)
> -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
> +from .sequoia import RPMSequoiaGenerator
> 
>   __all__ = [
> -    'BindGenerator',
> -    'GnuTLSGenerator',
> -    'JavaGenerator',
> -    'KRB5Generator',
> -    'LibreswanGenerator',
> -    'LibsshGenerator',
> -    'NSSGenerator',
> -    'OpenSSHClientGenerator',
> -    'OpenSSHServerGenerator',
> -    'OpenSSLConfigGenerator',
> -    'OpenSSLFIPSGenerator',
> -    'OpenSSLGenerator',
>       'RPMSequoiaGenerator',
> -    'SequoiaGenerator',
>   ]
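
Review bot: this hunk removes every generator import and __all__ entry except RPMSequoiaGenerator, yet the failure quoted earlier in the message names only OpenSSH server options (pubkeyacceptedalgorithms, hostbasedacceptedalgorithms, requiredrsasize). Nothing in that log implicates the .nss, .openssl, .gnutls or other modules, so a change limited to the OpenSSH generators, or to skipping their validation, would be narrower and easier to carry across upstream updates than a 34-to-8-line rewrite of __init__.py.
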
> ================================================
> 
> That should work with this old nss version according to
> the log.do_compile output.
> 
> I can't see an easy way to make these imports and list conditional,
> so the patch would be "Upstream-Status: Inappropriate".
> 
> Since it should only happen for the native build, the patch can be
> 
> SRC_URI:append:class-native = "..."
> 
> As far as I know, /usr/bin is filtered from target builds but not
> from native builds.

We only allow access to things from HOSTTOOLS, nothing else is meant to
be used, even for native builds.

Cheers,

Richard



* Re: [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe
       [not found]     ` <1823CBAB98621FC2.9844@lists.openembedded.org>
@ 2025-02-13 15:09       ` Böszörményi Zoltán
  0 siblings, 0 replies; 20+ messages in thread
From: Böszörményi Zoltán @ 2025-02-13 15:09 UTC (permalink / raw)
  To: Mathieu Dubois-Briand, openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj, Richard Purdie

On 2025. 02. 13. 15:43, Zoltan Boszormenyi via lists.openembedded.org wrote:
> On 2025. 02. 13. 15:20, Zoltan Boszormenyi via lists.openembedded.org wrote:
>> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
>>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
>>>> This ships a crypto policy file for rpm-sequoia.
>>>>
>>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>>>> ---
>>> Hi Zoltán,
>>>
>>> I believe we have a new issue with this version:
>>>
>>> | python/build-crypto-policies.py --reloadcmds policies output
>>> | /tmp/tmpqvyryz80: line 5: Bad configuration option: pubkeyacceptedalgorithms
>>> | /tmp/tmpqvyryz80: line 6: Bad configuration option: hostbasedacceptedalgorithms
>>> | /tmp/tmpqvyryz80: line 8: Bad configuration option: requiredrsasize
>>> | /tmp/tmpqvyryz80: terminating, 3 bad configuration options
>>> | There is an error in OpenSSH server generated policy
>>>
>>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio 
>>>
>>>
>>> Can you have a look at this error please?
>>
>> I tested the recipe on Fedora 41 with:
>> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
>> * faking uninstalling it by renaming /usr/bin/nss-policy-check
>>
>> Both worked.
>>
>> Some of your build hosts where nss was not installed complained
>> about executing nss-policy-check unconditionally, which is now fixed.
>>
>> I think this is on a build host with a very old nss version installed.
>> Can you uninstall it?
>
> I found an alternative solution but it involves patching out
> most of the policy generators:
>
> <bad patch>

Wrong diagnosis.

It only happens for openssh and openssh server configs.
And it should be with export OLD_OPENSSH=1.

Is it okay if I re-send only the first patch in the series?




* Re: [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe
  2025-02-13 15:06       ` Richard Purdie
@ 2025-02-13 15:14         ` Böszörményi Zoltán
  2025-02-13 15:16           ` Alexander Kanavin
  2025-02-13 15:17           ` Richard Purdie
  0 siblings, 2 replies; 20+ messages in thread
From: Böszörményi Zoltán @ 2025-02-13 15:14 UTC (permalink / raw)
  To: Richard Purdie, Mathieu Dubois-Briand, openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj

On 2025. 02. 13. 16:06, Richard Purdie wrote:
> On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
>> On 2025. 02. 13. 15:20, Zoltan Boszormenyi via
>> lists.openembedded.org wrote:
>>> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
>>>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
>>>>> This ships a crypto policy file for rpm-sequoia.
>>>>>
>>>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>>>>> ---
>>>> Hi Zoltán,
>>>>
>>>> I believe we have a new issue with this version:
>>>>
>>>>> python/build-crypto-policies.py --reloadcmds policies output
>>>>> /tmp/tmpqvyryz80: line 5: Bad configuration option:
>>>>> pubkeyacceptedalgorithms
>>>>> /tmp/tmpqvyryz80: line 6: Bad configuration option:
>>>>> hostbasedacceptedalgorithms
>>>>> /tmp/tmpqvyryz80: line 8: Bad configuration option:
>>>>> requiredrsasize
>>>>> /tmp/tmpqvyryz80: terminating, 3 bad configuration options
>>>>> There is an error in OpenSSH server generated policy
>>>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
>>>>   
>>>>
>>>>
>>>> Can you have a look at this error please?
>>> I tested the recipe on Fedora 41 with:
>>> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
>>> * faking uninstalling it by renaming /usr/bin/nss-policy-check
>>>
>>> Both worked.
>>>
>>> Some of your build hosts where nss was not installed complained
>>> about executing nss-policy-check unconditionally, which is now
>>> fixed.
>>>
>>> I think this is on a build host with a very old nss version
>>> installed.
>>> Can you uninstall it?
>> I found an alternative solution but it involves patching out
>> most of the policy generators:
>>
>> ================================================
>> $ git diff python/policygenerators/__init__.py
>> diff --git a/python/policygenerators/__init__.py
>> b/python/policygenerators/__init__.py
>> index 0e3013e..180fb2a 100644
>> --- a/python/policygenerators/__init__.py
>> +++ b/python/policygenerators/__init__.py
>> @@ -3,34 +3,8 @@
>>    # Copyright (c) 2019 Red Hat, Inc.
>>    # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
>>
>> -from .bind import BindGenerator
>> -from .gnutls import GnuTLSGenerator
>> -from .java import JavaGenerator
>> -from .krb5 import KRB5Generator
>> -from .libreswan import LibreswanGenerator
>> -from .libssh import LibsshGenerator
>> -from .nss import NSSGenerator
>> -from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
>> -from .openssl import (
>> -    OpenSSLConfigGenerator,
>> -    OpenSSLFIPSGenerator,
>> -    OpenSSLGenerator,
>> -)
>> -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
>> +from .sequoia import RPMSequoiaGenerator
>>
>>    __all__ = [
>> -    'BindGenerator',
>> -    'GnuTLSGenerator',
>> -    'JavaGenerator',
>> -    'KRB5Generator',
>> -    'LibreswanGenerator',
>> -    'LibsshGenerator',
>> -    'NSSGenerator',
>> -    'OpenSSHClientGenerator',
>> -    'OpenSSHServerGenerator',
>> -    'OpenSSLConfigGenerator',
>> -    'OpenSSLFIPSGenerator',
>> -    'OpenSSLGenerator',
>>        'RPMSequoiaGenerator',
>> -    'SequoiaGenerator',
>>    ]
>> ================================================
>>
>> That should work with this old nss version according to
>> the log.do_compile output.
>>
>> I can't see an easy way to make these imports and list conditional,
>> so the patch would be "Upstream-Status: Inappropriate".
>>
>> Since it should only happen for the native build, the patch can be
>>
>> SRC_URI:append:class-native = "..."
>>
>> As far as I know, /usr/bin is filtered from target builds but not
>> from native builds.
> We only allow access to things from HOSTTOOLS, nothing else is meant to
> be used, even for native builds.

As I wrote, I misdiagnosed it. There's no problem with nss-policy-check.

Does HOSTTOOLS include /usr/bin/ssh and /usr/bin/sshd?
Because the test_config() class method only fails for openssh and opensshserver.
They can be ignored with an envvar.




* Re: [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe
  2025-02-13 15:14         ` Böszörményi Zoltán
@ 2025-02-13 15:16           ` Alexander Kanavin
  2025-02-13 15:27             ` Böszörményi Zoltán
  2025-02-13 15:17           ` Richard Purdie
  1 sibling, 1 reply; 20+ messages in thread
From: Alexander Kanavin @ 2025-02-13 15:16 UTC (permalink / raw)
  To: Böszörményi Zoltán
  Cc: Richard Purdie, Mathieu Dubois-Briand, openembedded-core,
	Randy MacLeod, Khem Raj

Generally it's best to resend the whole patchset, as sending
individual follow up patches doesn't scale for maintainers, they can
easily lose track of how to combine everything into a non-broken set
of commits if many people start sending partial patches at the same
time.

Alex

On Thu, 13 Feb 2025 at 16:14, Böszörményi Zoltán <zboszor@gmail.com> wrote:
>
> On 2025. 02. 13. 16:06, Richard Purdie wrote:
> > On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
> >> On 2025. 02. 13. 15:20, Zoltan Boszormenyi via
> >> lists.openembedded.org wrote:
> >>> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
> >>>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
> >>>>> This ships a crypto policy file for rpm-sequoia.
> >>>>>
> >>>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> >>>>> ---
> >>>> Hi Zoltán,
> >>>>
> >>>> I believe we have a new issue with this version:
> >>>>
> >>>>> python/build-crypto-policies.py --reloadcmds policies output
> >>>>> /tmp/tmpqvyryz80: line 5: Bad configuration option:
> >>>>> pubkeyacceptedalgorithms
> >>>>> /tmp/tmpqvyryz80: line 6: Bad configuration option:
> >>>>> hostbasedacceptedalgorithms
> >>>>> /tmp/tmpqvyryz80: line 8: Bad configuration option:
> >>>>> requiredrsasize
> >>>>> /tmp/tmpqvyryz80: terminating, 3 bad configuration options
> >>>>> There is an error in OpenSSH server generated policy
> >>>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
> >>>>
> >>>>
> >>>>
> >>>> Can you have a look at this error please?
> >>> I tested the recipe on Fedora 41 with:
> >>> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
> >>> * faking uninstalling it by renaming /usr/bin/nss-policy-check
> >>>
> >>> Both worked.
> >>>
> >>> Some of your build hosts where nss was not installed complained
> >>> about executing nss-policy-check unconditionally, which is now
> >>> fixed.
> >>>
> >>> I think this is on a build host with a very old nss version
> >>> installed.
> >>> Can you uninstall it?
> >> I found an alternative solution but it involves patching out
> >> most of the policy generators:
> >>
> >> ================================================
> >> $ git diff python/policygenerators/__init__.py
> >> diff --git a/python/policygenerators/__init__.py
> >> b/python/policygenerators/__init__.py
> >> index 0e3013e..180fb2a 100644
> >> --- a/python/policygenerators/__init__.py
> >> +++ b/python/policygenerators/__init__.py
> >> @@ -3,34 +3,8 @@
> >>    # Copyright (c) 2019 Red Hat, Inc.
> >>    # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
> >>
> >> -from .bind import BindGenerator
> >> -from .gnutls import GnuTLSGenerator
> >> -from .java import JavaGenerator
> >> -from .krb5 import KRB5Generator
> >> -from .libreswan import LibreswanGenerator
> >> -from .libssh import LibsshGenerator
> >> -from .nss import NSSGenerator
> >> -from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
> >> -from .openssl import (
> >> -    OpenSSLConfigGenerator,
> >> -    OpenSSLFIPSGenerator,
> >> -    OpenSSLGenerator,
> >> -)
> >> -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
> >> +from .sequoia import RPMSequoiaGenerator
> >>
> >>    __all__ = [
> >> -    'BindGenerator',
> >> -    'GnuTLSGenerator',
> >> -    'JavaGenerator',
> >> -    'KRB5Generator',
> >> -    'LibreswanGenerator',
> >> -    'LibsshGenerator',
> >> -    'NSSGenerator',
> >> -    'OpenSSHClientGenerator',
> >> -    'OpenSSHServerGenerator',
> >> -    'OpenSSLConfigGenerator',
> >> -    'OpenSSLFIPSGenerator',
> >> -    'OpenSSLGenerator',
> >>        'RPMSequoiaGenerator',
> >> -    'SequoiaGenerator',
> >>    ]
> >> ================================================
> >>
> >> That should work with this old nss version according to
> >> the log.do_compile output.
> >>
> >> I can't see an easy way to make these imports and list conditional,
> >> so the patch would be "Upstream-Status: Inappropriate".
> >>
> >> Since it should only happen for the native build, the patch can be
> >>
> >> SRC_URI:append:class-native = "..."
> >>
> >> As far as I know, /usr/bin is filtered from target builds but not
> >> from native builds.
> > We only allow access to things from HOSTTOOLS, nothing else is meant to
> > be used, even for native builds.
>
> As I wrote, I misdiagnosed it. There's no problem with nss-policy-check.
>
> Does HOSTTOOLS include /usr/bin/ssh and /usr/bin/sshd?
> Because the test_config() class method only fails for openssh and opensshserver.
> They can be ignored with an envvar.
>



* Re: [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe
  2025-02-13 15:14         ` Böszörményi Zoltán
  2025-02-13 15:16           ` Alexander Kanavin
@ 2025-02-13 15:17           ` Richard Purdie
  1 sibling, 0 replies; 20+ messages in thread
From: Richard Purdie @ 2025-02-13 15:17 UTC (permalink / raw)
  To: Böszörményi Zoltán, Mathieu Dubois-Briand,
	openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj

On Thu, 2025-02-13 at 16:14 +0100, Böszörményi Zoltán wrote:
> On 2025. 02. 13. 16:06, Richard Purdie wrote:
> > On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
> > > On 2025. 02. 13. 15:20, Zoltan Boszormenyi via
> > > lists.openembedded.org wrote:
> > > > On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
> > > > > On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
> > > > > > This ships a crypto policy file for rpm-sequoia.
> > > > > > 
> > > > > > Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> > > > > > ---
> > > > > Hi Zoltán,
> > > > > 
> > > > > I believe we have a new issue with this version:
> > > > > 
> > > > > > python/build-crypto-policies.py --reloadcmds policies
> > > > > > output
> > > > > > /tmp/tmpqvyryz80: line 5: Bad configuration option:
> > > > > > pubkeyacceptedalgorithms
> > > > > > /tmp/tmpqvyryz80: line 6: Bad configuration option:
> > > > > > hostbasedacceptedalgorithms
> > > > > > /tmp/tmpqvyryz80: line 8: Bad configuration option:
> > > > > > requiredrsasize
> > > > > > /tmp/tmpqvyryz80: terminating, 3 bad configuration options
> > > > > > There is an error in OpenSSH server generated policy
> > > > > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
> > > > >   
> > > > > 
> > > > > 
> > > > > Can you have a look at this error please?
> > > > I tested the recipe on Fedora 41 with:
> > > > * nss 3.107.0 installed with /usr/bin/nss-policy-check present,
> > > > and
> > > > * faking uninstalling it by renaming /usr/bin/nss-policy-check
> > > > 
> > > > Both worked.
> > > > 
> > > > Some of your build hosts where nss was not installed complained
> > > > about executing nss-policy-check unconditionally, which is now
> > > > fixed.
> > > > 
> > > > I think this is on a build host with a very old nss version
> > > > installed.
> > > > Can you uninstall it?
> > > I found an alternative solution but it involves patching out
> > > most of the policy generators:
> > > 
> > > ================================================
> > > $ git diff python/policygenerators/__init__.py
> > > diff --git a/python/policygenerators/__init__.py
> > > b/python/policygenerators/__init__.py
> > > index 0e3013e..180fb2a 100644
> > > --- a/python/policygenerators/__init__.py
> > > +++ b/python/policygenerators/__init__.py
> > > @@ -3,34 +3,8 @@
> > >    # Copyright (c) 2019 Red Hat, Inc.
> > >    # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
> > > 
> > > -from .bind import BindGenerator
> > > -from .gnutls import GnuTLSGenerator
> > > -from .java import JavaGenerator
> > > -from .krb5 import KRB5Generator
> > > -from .libreswan import LibreswanGenerator
> > > -from .libssh import LibsshGenerator
> > > -from .nss import NSSGenerator
> > > -from .openssh import OpenSSHClientGenerator,
> > > OpenSSHServerGenerator
> > > -from .openssl import (
> > > -    OpenSSLConfigGenerator,
> > > -    OpenSSLFIPSGenerator,
> > > -    OpenSSLGenerator,
> > > -)
> > > -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
> > > +from .sequoia import RPMSequoiaGenerator
> > > 
> > >    __all__ = [
> > > -    'BindGenerator',
> > > -    'GnuTLSGenerator',
> > > -    'JavaGenerator',
> > > -    'KRB5Generator',
> > > -    'LibreswanGenerator',
> > > -    'LibsshGenerator',
> > > -    'NSSGenerator',
> > > -    'OpenSSHClientGenerator',
> > > -    'OpenSSHServerGenerator',
> > > -    'OpenSSLConfigGenerator',
> > > -    'OpenSSLFIPSGenerator',
> > > -    'OpenSSLGenerator',
> > >        'RPMSequoiaGenerator',
> > > -    'SequoiaGenerator',
> > >    ]
> > > ================================================
> > > 
> > > That should work with this old nss version according to
> > > the log.do_compile output.
> > > 
> > > I can't see an easy way to make these imports and list
> > > conditional,
> > > so the patch would be "Upstream-Status: Inappropriate".
> > > 
> > > Since it should only happen for the native build, the patch can
> > > be
> > > 
> > > SRC_URI:append:class-native = "..."
> > > 
> > > As far as I know, /usr/bin is filtered from target builds but not
> > > from native builds.
> > We only allow access to things from HOSTTOOLS, nothing else is
> > meant to
> > be used, even for native builds.
> 
> As I wrote, I misdiagnosed it. There's no problem with
> nss-policy-check.
> 
> Does HOSTTOOLS include /usr/bin/ssh and /usr/bin/sshd?
> Because the test_config() class method only fails for openssh and
> opensshserver.
> They can be ignored with an envvar.

Yes, those could be pulled in as we use them in qemu testing so we
should probably set the envvar...

Cheers,

Richard
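
The HOSTTOOLS point made in Richard's replies, simulated as an added example (not part of the thread and not OE-core code): a task whose PATH is a directory of allowlisted links can reach a host binary only if it is on the list. The fake /usr/bin, the tool list (make, ssh, sshd) and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration, not OE-core code: an allowlisted directory of symlinks
# used as the only PATH entry, which is the idea behind HOSTTOOLS.

# populate_hosttools <host_bin> <tools_dir> <tool>...
# Link each allowlisted tool that exists on the (fake) host into tools_dir.
populate_hosttools() {
    host_bin=$1; tools_dir=$2; shift 2
    mkdir -p "$tools_dir"
    for tool in "$@"; do
        [ -x "$host_bin/$tool" ] && ln -sf "$host_bin/$tool" "$tools_dir/$tool"
    done
    return 0
}

# visible_in <tools_dir> <tool>...
# Print the names a task could execute if tools_dir were its whole PATH.
visible_in() {
    tools_dir=$1; shift
    found=""
    for tool in "$@"; do
        # The subshell keeps the restricted PATH from leaking into the caller.
        if ( PATH=$tools_dir; command -v "$tool" >/dev/null 2>&1 ); then
            found="$found $tool"
        fi
    done
    echo "${found# }"
}

# Constructed build host: four stub binaries in a fake /usr/bin, of which
# only make, ssh and sshd are on the (constructed) allowlist.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/usr/bin"
    for tool in make ssh sshd nss-policy-check; do
        printf '#!/bin/sh\nexit 0\n' > "$work/usr/bin/$tool"
        chmod +x "$work/usr/bin/$tool"
    done
    populate_hosttools "$work/usr/bin" "$work/hosttools" make ssh sshd
    # nss-policy-check exists on the fake host but was never linked,
    # so the restricted PATH cannot resolve it.
    visible_in "$work/hosttools" make ssh sshd nss-policy-check
    rm -rf "$work"
}

demo
```

In this simulation the stub sshd is reachable because it was allowlisted, which is the situation where a build step that validates generated OpenSSH configuration ends up depending on the host's sshd version.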



* [OE-core][PATCH v12.1 1/5] rpm-sequoia-crypto-policy: New recipe
  2025-02-12  4:35 [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe Zoltán Böszörményi
                   ` (4 preceding siblings ...)
  2025-02-13 13:36 ` [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe Mathieu Dubois-Briand
@ 2025-02-13 15:21 ` Zoltán Böszörményi
  2025-02-20 14:43   ` Ross Burton
  5 siblings, 1 reply; 20+ messages in thread
From: Zoltán Böszörményi @ 2025-02-13 15:21 UTC (permalink / raw)
  To: openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj, Mathieu Dubois-Briand,
	Richard Purdie, Zoltán Böszörményi

This ships a crypto policy file for rpm-sequoia.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 meta/conf/distro/include/maintainers.inc      |  1 +
 .../rpm-sequoia-crypto-policy_git.bb          | 38 +++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index bec55a7c1c..648c8fceb8 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -744,6 +744,7 @@ RECIPE_MAINTAINER:pn-rpcbind = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-rng-tools = "Anuj Mittal <anuj.mittal@intel.com>"
 RECIPE_MAINTAINER:pn-rpcsvc-proto = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-rpm = "Robert Yang <liezhi.yang@windriver.com>"
+RECIPE_MAINTAINER:pn-rpm-sequoia-crypto-policy = "Zoltán Böszörményi <zboszor@gmail.com>"
 RECIPE_MAINTAINER:pn-rsync = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-rt-tests = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-ruby = "Ross Burton <ross.burton@arm.com>"
diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
new file mode 100644
index 0000000000..098881e3da
--- /dev/null
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
@@ -0,0 +1,38 @@
+SUMMARY = "Crypto policy for rpm-sequoia"
+HOMEPAGE = "https://gitlab.com/redhat-crypto/fedora-crypto-policies/"
+
+LICENSE = "LGPL-2.1-or-later"
+
+LIC_FILES_CHKSUM = "file://COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+DEPENDS = "coreutils-native openssl-native make-native"
+
+inherit allarch python3native
+
+SRC_URI = "git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master"
+
+SRCREV = "032b418a6db842f0eab330eb5909e4604e888728"
+UPSTREAM_CHECK_COMMITS = "1"
+
+S = "${UNPACKDIR}/git"
+
+do_compile () {
+	# Remove most policy variants, leave DEFAULT.pol
+	# It speeds up the build and we only need DEFAULT/rpm-sequoia.
+	rm -f $(ls -1 policies/*.pol | grep -v DEFAULT.pol) || echo nothing to delete
+
+	# Don't validate openssh policy variants.
+	# Validation may fail and these variants are not needed.
+	export OLD_OPENSSH=1
+
+	make ASCIIDOC=echo XSLTPROC=echo
+}
+
+do_install () {
+	install -d -m755 ${D}${datadir}/crypto-policies/back-ends
+	install -m644 ${S}/output/DEFAULT/rpm-sequoia.txt ${D}${datadir}/crypto-policies/back-ends/rpm-sequoia.config
+}
+
+FILES:${PN} = "${datadir}/crypto-policies/back-ends/*"
+
+BBCLASSEXTEND = "native"
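
Review bot: in do_compile, the line rm -f $(ls -1 policies/*.pol | grep -v DEFAULT.pol) || echo nothing to delete parses ls output, and the || echo branch can only run when rm hits a real error, since rm -f with no operands already exits 0; the echo would then hide that error. Something like find policies -maxdepth 1 -name '*.pol' ! -name DEFAULT.pol -delete removes the same files without word splitting and lets a genuine failure stop the task.
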
-- 
2.48.1




* [OE-core][PATCH v12.1 1/5] rpm-sequoia-crypto-policy: New recipe
@ 2025-02-13 15:23 Zoltán Böszörményi
  0 siblings, 0 replies; 20+ messages in thread
From: Zoltán Böszörményi @ 2025-02-13 15:23 UTC (permalink / raw)
  To: openembedded-core
  Cc: Alexander Kanavin, Randy MacLeod, Khem Raj, Mathieu Dubois-Briand,
	Richard Purdie, Zoltán Böszörményi

This ships a crypto policy file for rpm-sequoia.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 meta/conf/distro/include/maintainers.inc      |  1 +
 .../rpm-sequoia-crypto-policy_git.bb          | 38 +++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index bec55a7c1c..648c8fceb8 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -744,6 +744,7 @@ RECIPE_MAINTAINER:pn-rpcbind = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-rng-tools = "Anuj Mittal <anuj.mittal@intel.com>"
 RECIPE_MAINTAINER:pn-rpcsvc-proto = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-rpm = "Robert Yang <liezhi.yang@windriver.com>"
+RECIPE_MAINTAINER:pn-rpm-sequoia-crypto-policy = "Zoltán Böszörményi <zboszor@gmail.com>"
 RECIPE_MAINTAINER:pn-rsync = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-rt-tests = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-ruby = "Ross Burton <ross.burton@arm.com>"
diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
new file mode 100644
index 0000000000..098881e3da
--- /dev/null
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
@@ -0,0 +1,38 @@
+SUMMARY = "Crypto policy for rpm-sequoia"
+HOMEPAGE = "https://gitlab.com/redhat-crypto/fedora-crypto-policies/"
+
+LICENSE = "LGPL-2.1-or-later"
+
+LIC_FILES_CHKSUM = "file://COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+DEPENDS = "coreutils-native openssl-native make-native"
+
+inherit allarch python3native
+
+SRC_URI = "git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master"
+
+SRCREV = "032b418a6db842f0eab330eb5909e4604e888728"
+UPSTREAM_CHECK_COMMITS = "1"
+
+S = "${UNPACKDIR}/git"
+
+do_compile () {
+	# Remove most policy variants, leave DEFAULT.pol
+	# It speeds up the build and we only need DEFAULT/rpm-sequoia.
+	rm -f $(ls -1 policies/*.pol | grep -v DEFAULT.pol) || echo nothing to delete
+
+	# Don't validate openssh policy variants.
+	# Validation may fail and these variants are not needed.
+	export OLD_OPENSSH=1
+
+	make ASCIIDOC=echo XSLTPROC=echo
+}
+
+do_install () {
+	install -d -m755 ${D}${datadir}/crypto-policies/back-ends
+	install -m644 ${S}/output/DEFAULT/rpm-sequoia.txt ${D}${datadir}/crypto-policies/back-ends/rpm-sequoia.config
+}
+
+FILES:${PN} = "${datadir}/crypto-policies/back-ends/*"
+
+BBCLASSEXTEND = "native"
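
Review bot: in do_compile, the comment above export OLD_OPENSSH=1 says validation may fail but not why; it should record the cause found in this thread, that the check only failed for the openssh and opensshserver back-ends and that ssh and sshd can be pulled in from the build host. The bare make call on the following line could also be oe_runmake, so the task honours EXTRA_OEMAKE like other recipes.
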
-- 
2.48.1




* Re: [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe
  2025-02-13 15:16           ` Alexander Kanavin
@ 2025-02-13 15:27             ` Böszörményi Zoltán
  0 siblings, 0 replies; 20+ messages in thread
From: Böszörményi Zoltán @ 2025-02-13 15:27 UTC (permalink / raw)
  To: Alexander Kanavin
  Cc: Richard Purdie, Mathieu Dubois-Briand, openembedded-core,
	Randy MacLeod, Khem Raj

On 2025. 02. 13. 16:16, Alexander Kanavin wrote:
> Generally it's best to resend the whole patchset, as sending
> individual follow up patches doesn't scale for maintainers, they can
> easily lose track of how to combine everything into a non-broken set
> of commits if many people start sending partial patches at the same
> time.

Got it. I re-sent the whole series with this small fix included.

>
> Alex
>
> On Thu, 13 Feb 2025 at 16:14, Böszörményi Zoltán <zboszor@gmail.com> wrote:
>> On 2025. 02. 13. 16:06, Richard Purdie wrote:
>>> On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
>>>> On 2025. 02. 13. 15:20, Zoltan Boszormenyi via
>>>> lists.openembedded.org wrote:
>>>>> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
>>>>>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
>>>>>>> This ships a crypto policy file for rpm-sequoia.
>>>>>>>
>>>>>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>>>>>>> ---
>>>>>> Hi Zoltán,
>>>>>>
>>>>>> I believe we have a new issue with this version:
>>>>>>
>>>>>>> python/build-crypto-policies.py --reloadcmds policies output
>>>>>>> /tmp/tmpqvyryz80: line 5: Bad configuration option:
>>>>>>> pubkeyacceptedalgorithms
>>>>>>> /tmp/tmpqvyryz80: line 6: Bad configuration option:
>>>>>>> hostbasedacceptedalgorithms
>>>>>>> /tmp/tmpqvyryz80: line 8: Bad configuration option:
>>>>>>> requiredrsasize
>>>>>>> /tmp/tmpqvyryz80: terminating, 3 bad configuration options
>>>>>>> There is an error in OpenSSH server generated policy
>>>>>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
>>>>>>
>>>>>>
>>>>>>
>>>>>> Can you have a look at this error please?
>>>>> I tested the recipe on Fedora 41 with:
>>>>> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
>>>>> * faking uninstalling it by renaming /usr/bin/nss-policy-check
>>>>>
>>>>> Both worked.
>>>>>
>>>>> Some of your build hosts where nss was not installed complained
>>>>> about executing nss-policy-check unconditionally, which is now
>>>>> fixed.
>>>>>
>>>>> I think this is on a build host with a very old nss version
>>>>> installed.
>>>>> Can you uninstall it?
>>>> I found an alternative solution but it involves patching out
>>>> most of the policy generators:
>>>>
>>>> ================================================
>>>> $ git diff python/policygenerators/__init__.py
>>>> diff --git a/python/policygenerators/__init__.py
>>>> b/python/policygenerators/__init__.py
>>>> index 0e3013e..180fb2a 100644
>>>> --- a/python/policygenerators/__init__.py
>>>> +++ b/python/policygenerators/__init__.py
>>>> @@ -3,34 +3,8 @@
>>>>     # Copyright (c) 2019 Red Hat, Inc.
>>>>     # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
>>>>
>>>> -from .bind import BindGenerator
>>>> -from .gnutls import GnuTLSGenerator
>>>> -from .java import JavaGenerator
>>>> -from .krb5 import KRB5Generator
>>>> -from .libreswan import LibreswanGenerator
>>>> -from .libssh import LibsshGenerator
>>>> -from .nss import NSSGenerator
>>>> -from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
>>>> -from .openssl import (
>>>> -    OpenSSLConfigGenerator,
>>>> -    OpenSSLFIPSGenerator,
>>>> -    OpenSSLGenerator,
>>>> -)
>>>> -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
>>>> +from .sequoia import RPMSequoiaGenerator
>>>>
>>>>     __all__ = [
>>>> -    'BindGenerator',
>>>> -    'GnuTLSGenerator',
>>>> -    'JavaGenerator',
>>>> -    'KRB5Generator',
>>>> -    'LibreswanGenerator',
>>>> -    'LibsshGenerator',
>>>> -    'NSSGenerator',
>>>> -    'OpenSSHClientGenerator',
>>>> -    'OpenSSHServerGenerator',
>>>> -    'OpenSSLConfigGenerator',
>>>> -    'OpenSSLFIPSGenerator',
>>>> -    'OpenSSLGenerator',
>>>>         'RPMSequoiaGenerator',
>>>> -    'SequoiaGenerator',
>>>>     ]
>>>> ================================================
>>>>
>>>> That should work with this old nss version according to
>>>> the log.do_compile output.
>>>>
>>>> I can't see an easy way to make these imports and list conditional,
>>>> so the patch would be "Upstream-Status: Inappropriate".
>>>>
>>>> Since it should only happen for the native build, the patch can be
>>>>
>>>> SRC_URI:append:class-native = "..."
>>>>
>>>> As far as I know, /usr/bin is filtered from target builds but not
>>>> from native builds.
>>> We only allow access to things from HOSTTOOLS, nothing else is meant to
>>> be used, even for native builds.
>> As I wrote, I misdiagnosed it. There's no problem with nss-policy-check.
>>
>> Does HOSTTOOLS include /usr/bin/ssh and /usr/bin/sshd?
>> Because the test_config() class method only fails for openssh and opensshserver.
>> They can be ignored with an envvar.
>>




* Re: [OE-core][PATCH v12.1 1/5] rpm-sequoia-crypto-policy: New recipe
  2025-02-13 15:21 ` [OE-core][PATCH v12.1 " Zoltán Böszörményi
@ 2025-02-20 14:43   ` Ross Burton
  2025-02-22  7:56     ` Böszörményi Zoltán
  0 siblings, 1 reply; 20+ messages in thread
From: Ross Burton @ 2025-02-20 14:43 UTC (permalink / raw)
  To: zboszor@gmail.com; +Cc: openembedded-core@lists.openembedded.org

On 13 Feb 2025, at 15:21, Zoltan Boszormenyi via lists.openembedded.org <zboszor=gmail.com@lists.openembedded.org> wrote:
> +DEPENDS = "coreutils-native openssl-native make-native"
> +
> +inherit allarch python3native

These dependencies seem unexpected, and if they’re needed then they should be explained.

We assume make on the host, so why do you need make-native? If there’s a good reason, please comment why.

Ditto for coreutils-native: presumably there’s a tool that isn’t in HOSTTOOLS?  What tool?

Typically there’s no need to inherit python3native unless you’re also depending on python3-something-native modules, as by definition there’s a capable python interpreter as it’s running bitbake.

Thanks,
Ross


* Re: [OE-core][PATCH v12.1 1/5] rpm-sequoia-crypto-policy: New recipe
  2025-02-20 14:43   ` Ross Burton
@ 2025-02-22  7:56     ` Böszörményi Zoltán
  0 siblings, 0 replies; 20+ messages in thread
From: Böszörményi Zoltán @ 2025-02-22  7:56 UTC (permalink / raw)
  To: Ross Burton; +Cc: openembedded-core@lists.openembedded.org

On 2025. 02. 20. 15:43, Ross Burton wrote:
> On 13 Feb 2025, at 15:21, Zoltan Boszormenyi via lists.openembedded.org <zboszor=gmail.com@lists.openembedded.org> wrote:
>> +DEPENDS = "coreutils-native openssl-native make-native"
>> +
>> +inherit allarch python3native
> These dependencies seem unexpected, and if they’re needed then they should be explained.
>
> We assume make on the host, so why do you need make-native? If there’s a good reason, please comment why.
>
> Ditto for coreutils-native: presumably there’s a tool that isn’t in HOSTTOOLS?  What tool?
>
> Typically there’s no need to inherit python3native unless you’re also depending on python3-something-native modules, as by definition there’s a capable python interpreter as it’s running bitbake.

Thanks, I will send a followup patch after testing the dependency changes.

>
> Thanks,
> Ross


