Openembedded Core Discussions
From: "Böszörményi Zoltán" <zboszor@gmail.com>
To: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>,
	openembedded-core@lists.openembedded.org
Cc: Alexander Kanavin <alex.kanavin@gmail.com>,
	Randy MacLeod <randy.macleod@windriver.com>,
	Khem Raj <raj.khem@gmail.com>
Subject: Re: [OE-core][PATCH v4 2/2] oeqa/selftest/cases/signing.py: Re-enable self-test
Date: Mon, 3 Feb 2025 11:11:15 +0100
Message-ID: <e75d75e4-2b55-4199-b2ee-e9eb26abafca@gmail.com>
In-Reply-To: <182057ACF258490B.1760@lists.openembedded.org>

On 2025-02-02 9:44, Zoltan Boszormenyi via lists.openembedded.org wrote:
> On 2025-02-01 15:37, Mathieu Dubois-Briand wrote:
>> On Fri Jan 31, 2025 at 7:43 AM CET, Zoltán Böszörményi wrote:
>>> Enable building rpm with rpm-sequoia for the test.
>>>
>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>>> ---
>> Sorry, I still get some errors while building:
>>
>> 2025-02-01 14:28:32,979 - oe-selftest - INFO - 9: 40/54 602/618 (56.20s) (0 failed) 
>> (signing.Signing.test_signing_packages)
>> 2025-02-01 14:28:32,979 - oe-selftest - INFO - 
>> testtools.testresult.real._StringException: Traceback (most recent call last):
>>    File 
>> "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/selftest/cases/signing.py", 
>> line 113, in test_signing_packages
>>      runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' %
>>    File 
>> "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/utils/commands.py", 
>> line 214, in runCmd
>>      raise AssertionError("Command '%s' returned non-zero exit status %d:\n%s" % 
>> (command, result.status, exc_output))
>> AssertionError: Command 
>> '/srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/tmp/work/core2-64-poky-linux/ed/1.20.2/recipe-sysroot-native/usr/bin/rpmkeys 
>> --define "_dbpath /tmp/oeqa-rpmdbsj05eco3" --import 
>> /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub' 
>> returned non-zero exit status 1:
>> error: Certificate 7B31316B5D64AD52:
>>    Policy rejects 7B31316B5D64AD52: No binding signature at time 2025-02-01T14:28:26Z
>> error: 
>> /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub: 
>> key 1 import failed.
>>
>> https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/893/steps/14/logs/stdio
>>
>> Do you mind having a look at this ?
>
> I have run the self test on a Fedora 41 host and it succeeded there.
>
> Probably you need to fix the crypto policy to allow such a cert with a
> "no binding signature" or replace the cert.
>
> This GitHub issue may have some useful pointers:
> https://github.com/rpm-software-management/rpm-sequoia/issues/46

Can you please try this below?

Setting the envvar SEQUOIA_CRYPTO_POLICY to an empty string
will use the built-in default policy. See
https://github.com/rpm-software-management/rpm-sequoia/blob/main/src/lib.rs#L54

===============================================
diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py
index 51d1c3fa64..9a820ebc72 100644
--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -71,7 +71,6 @@ class Signing(OESelftestTestCase):
          """
          import oe.packagedata

-        self.skipTest('This test requires rpm-sequoia support in rpm')
          self.setup_gpg()

          package_classes = get_bb_var('PACKAGE_CLASSES')
@@ -84,9 +83,14 @@ class Signing(OESelftestTestCase):
          feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
          feature += 'RPM_GPG_NAME = "testuser"\n'
          feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
+        feature += 'PACKAGECONFIG:append:pn-rpm-native = " sequoia"\n'
+        feature += 'PACKAGECONFIG:append:pn-rpm = " sequoia"\n'

          self.write_config(feature)

+        # Test rpm-sequoia's default built-in policy
+        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
+
          bitbake('-c clean %s' % test_recipe)
          bitbake('-f -c package_write_rpm %s' % test_recipe)

@@ -152,6 +156,9 @@ class Signing(OESelftestTestCase):

          self.write_config(feature)

+        # Test rpm-sequoia's default built-in policy
+        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
+
          with self.create_new_builddir(os.environ['BUILDDIR'], builddir):

              os.environ["PATH"] = nsysroot + ":" + os.environ["PATH"]
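
Review bot: This is a second copy of the same override, placed between `self.write_config(feature)` and the `create_new_builddir` block, and the patch repeats it a third time further down. Move it into a single helper or the class `setUp` so the policy choice is made in one place. This test also rewrites `os.environ["PATH"]` just below; if the test restores `PATH` afterwards, restore this variable at the same point.
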
@@ -198,6 +205,9 @@ class LockedSignatures(OESelftestTestCase):
          feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n'
          self.write_config(feature)

+        # Test rpm-sequoia's default built-in policy
+        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
+
          # Build a locked recipe
          bitbake(test_recipe)

===============================================

It succeeded for me:

$ oe-selftest -r signing
...
2025-02-03 10:53:11,900 - oe-selftest - INFO - oe-selftest () - Ran 3 tests in 2801.617s
2025-02-03 10:53:11,900 - oe-selftest - INFO - oe-selftest - OK - All required tests 
passed (successes=3, skipped=0, failures=0, errors=0)

As for an actual crypto policy for rpm-sequoia, I am not sure
how appropriate it would be to create a recipe for Fedora's
crypto-policies package in Yocto.
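
The message above says an empty `SEQUOIA_CRYPTO_POLICY` selects rpm-sequoia's built-in policy. As an added example (not part of the original message or the OE-core patch), the code below confines that override to one child command or one scoped block so it does not persist in the test process; `child_env`, `scoped_policy` and `probe` are hypothetical names, and `probe` uses the Python interpreter as a stand-in for the `rpmkeys --import` call.

```python
import contextlib
import os
import subprocess
import sys

POLICY_VAR = "SEQUOIA_CRYPTO_POLICY"  # variable named in the message above


def child_env(policy=""):
    """Return a copy of the environment with the policy override applied.

    Per the message, the empty string selects rpm-sequoia's built-in policy.
    os.environ itself is left untouched.
    """
    env = dict(os.environ)
    env[POLICY_VAR] = policy
    return env


@contextlib.contextmanager
def scoped_policy(policy=""):
    """Set the override in os.environ and restore the prior state on exit.

    For callers that cannot pass env= to the command runner they use.
    """
    missing = object()
    saved = os.environ.get(POLICY_VAR, missing)
    os.environ[POLICY_VAR] = policy
    try:
        yield
    finally:
        if saved is missing:
            os.environ.pop(POLICY_VAR, None)   # was unset: unset it again
        else:
            os.environ[POLICY_VAR] = saved     # was set: put the old value back


def probe(env=None):
    """Stand-in for the rpmkeys call: report what a child process sees."""
    code = "import os; print(repr(os.environ.get(%r)))" % POLICY_VAR
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()
```
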


