Also we need to set it where the signing actually happens, not only in the test.
Alex On Mon 3. Feb 2025 at 13.29, Richard Purdie < [email protected]> wrote: > On Mon, 2025-02-03 at 11:11 +0100, Zoltan Boszormenyi via > lists.openembedded.org wrote: > > 2025. 02. 02. 9:44 keltezéssel, Zoltan Boszormenyi via > lists.openembedded.org írta: > > > 2025. 02. 01. 15:37 keltezéssel, Mathieu Dubois-Briand írta: > > > > On Fri Jan 31, 2025 at 7:43 AM CET, Zoltán Böszörményi wrote: > > > > > Enable building rpm with rpm-seqouia for the test. > > > > > > > > > > Signed-off-by: Zoltán Böszörményi <[email protected]> > > > > > --- > > > > Sorry, I still get some errors while building: > > > > > > > > 2025-02-01 14:28:32,979 - oe-selftest - INFO - 9: 40/54 602/618 > (56.20s) (0 failed) > > > > (signing.Signing.test_signing_packages) > > > > 2025-02-01 14:28:32,979 - oe-selftest - INFO - > > > > testtools.testresult.real._StringException: Traceback (most recent > call last): > > > > File > > > > > "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/selftest/cases/signing.py", > > > > > line 113, in test_signing_packages > > > > runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' % > > > > File > > > > > "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/utils/commands.py", > > > > > line 214, in runCmd > > > > raise AssertionError("Command '%s' returned non-zero exit > status %d:\n%s" % > > > > (command, result.status, exc_output)) > > > > AssertionError: Command > > > > > '/srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/tmp/work/core2-64-poky-linux/ed/1.20.2/recipe-sysroot-native/usr/bin/rpmkeys > > > > > --define "_dbpath /tmp/oeqa-rpmdbsj05eco3" --import > > > > > /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub' > > > > > returned non-zero exit status 1: > > > > error: Certificate 7B31316B5D64AD52: > > > > Policy rejects 7B31316B5D64AD52: No binding signature at time > 2025-02-01T14:28:26Z > > > > error: > > > > > /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub: > > > > > key 1 import failed. > > > > > > > > > https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/893/steps/14/logs/stdio > > > > > > > > Do you mind having a look at this ? > > > > > > I have run the self test on a Fedora 41 host and it succeeded there. > > > > > > Probably you need to fix the crypto policy to allow such a cert with a > > > "no binding signature" or replace the cert. > > > > > > This github issue may have some useful pointers: > > > https://github.com/rpm-software-management/rpm-sequoia/issues/46 > > > > Can you please try this below? > > > > Setting the envvar SEQUOIA_CRYPTO_POLICY to an empty string > > will use the built-in default policy. See > > > https://github.com/rpm-software-management/rpm-sequoia/blob/main/src/lib.rs#L54 > > > > =============================================== > > diff --git a/meta/lib/oeqa/selftest/cases/signing.py > b/meta/lib/oeqa/selftest/cases/signing.py > > index 51d1c3fa64..9a820ebc72 100644 > > --- a/meta/lib/oeqa/selftest/cases/signing.py > > +++ b/meta/lib/oeqa/selftest/cases/signing.py > > @@ -71,7 +71,6 @@ class Signing(OESelftestTestCase): > > """ > > import oe.packagedata > > > > - self.skipTest('This test requires rpm-sequoia support in rpm') > > self.setup_gpg() > > > > package_classes = get_bb_var('PACKAGE_CLASSES') > > @@ -84,9 +83,14 @@ class Signing(OESelftestTestCase): > > feature += 'RPM_GPG_PASSPHRASE = "test123"\n' > > feature += 'RPM_GPG_NAME = "testuser"\n' > > feature += 'GPG_PATH = "%s"\n' % self.gpg_dir > > + feature += 'PACKAGECONFIG:append:pn-rpm-native = " sequoia"\n' > > + feature += 'PACKAGECONFIG:append:pn-rpm = " sequoia"\n' > > > > self.write_config(feature) > > > > + # Test rpm-sequoia's default built-in policy > > + os.environ['SEQUOIA_CRYPTO_POLICY'] = '' > > + > > bitbake('-c clean %s' % test_recipe) > > bitbake('-f -c package_write_rpm %s' % test_recipe) > > > > @@ -152,6 +156,9 @@ class Signing(OESelftestTestCase): > > > > self.write_config(feature) > > > > + # Test rpm-sequoia's default built-in policy > > + os.environ['SEQUOIA_CRYPTO_POLICY'] = '' > > + > > with self.create_new_builddir(os.environ['BUILDDIR'], > builddir): > > > > os.environ["PATH"] = nsysroot + ":" + os.environ["PATH"] > > @@ -198,6 +205,9 @@ class LockedSignatures(OESelftestTestCase): > > feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n' > > self.write_config(feature) > > > > + # Test rpm-sequoia's default built-in policy > > + os.environ['SEQUOIA_CRYPTO_POLICY'] = '' > > + > > # Build a locked recipe > > bitbake(test_recipe) > > Given the way bitbake clears the environment except for allowed > variables, will that setting make it to where it needs to? > > I've not looked at the specific test so it is possible it can work but > it looks a bit unusual to me. > > Cheers, > > Richard >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#210652): https://lists.openembedded.org/g/openembedded-core/message/210652 Mute This Topic: https://lists.openembedded.org/mt/110911940/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
