diff options
-rw-r--r-- | meta/classes/sstate.bbclass | 8 | ||||
-rw-r--r-- | meta/lib/oe/sstatesig.py | 27 | ||||
-rw-r--r-- | meta/lib/oeqa/selftest/signing.py | 4 |
3 files changed, 30 insertions, 9 deletions
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass index 3234e7914c..8c623271ad 100644 --- a/meta/classes/sstate.bbclass +++ b/meta/classes/sstate.bbclass | |||
@@ -53,7 +53,13 @@ SSTATEPOSTINSTFUNCS = "" | |||
53 | EXTRA_STAGING_FIXMES ?= "" | 53 | EXTRA_STAGING_FIXMES ?= "" |
54 | SSTATECLEANFUNCS = "" | 54 | SSTATECLEANFUNCS = "" |
55 | 55 | ||
56 | SIGGEN_LOCKEDSIGS_CHECK_LEVEL ?= 'error' | 56 | # Check whether sstate exists for tasks that support sstate and are in the |
57 | # locked signatures file. | ||
58 | SIGGEN_LOCKEDSIGS_SSTATE_EXISTS_CHECK ?= 'error' | ||
59 | |||
60 | # Check whether the task's computed hash matches the task's hash in the | ||
61 | # locked signatures file. | ||
62 | SIGGEN_LOCKEDSIGS_TASKSIG_CHECK ?= "error" | ||
57 | 63 | ||
58 | # The GnuPG key ID and passphrase to use to sign sstate archives (or unset to | 64 | # The GnuPG key ID and passphrase to use to sign sstate archives (or unset to |
59 | # not sign) | 65 | # not sign) |
diff --git a/meta/lib/oe/sstatesig.py b/meta/lib/oe/sstatesig.py index 5828a9def8..b2319ff213 100644 --- a/meta/lib/oe/sstatesig.py +++ b/meta/lib/oe/sstatesig.py | |||
@@ -189,20 +189,35 @@ class SignatureGeneratorOEBasicHash(bb.siggen.SignatureGeneratorBasicHash): | |||
189 | f.write('SIGGEN_LOCKEDSIGS_TYPES_%s = "%s"' % (self.machine, " ".join(types.keys()))) | 189 | f.write('SIGGEN_LOCKEDSIGS_TYPES_%s = "%s"' % (self.machine, " ".join(types.keys()))) |
190 | 190 | ||
191 | def checkhashes(self, missed, ret, sq_fn, sq_task, sq_hash, sq_hashfn, d): | 191 | def checkhashes(self, missed, ret, sq_fn, sq_task, sq_hash, sq_hashfn, d): |
192 | checklevel = d.getVar("SIGGEN_LOCKEDSIGS_CHECK_LEVEL", True) | 192 | warn_msgs = [] |
193 | error_msgs = [] | ||
194 | sstate_missing_msgs = [] | ||
195 | |||
193 | for task in range(len(sq_fn)): | 196 | for task in range(len(sq_fn)): |
194 | if task not in ret: | 197 | if task not in ret: |
195 | for pn in self.lockedsigs: | 198 | for pn in self.lockedsigs: |
196 | if sq_hash[task] in self.lockedsigs[pn].itervalues(): | 199 | if sq_hash[task] in self.lockedsigs[pn].itervalues(): |
197 | if sq_task[task] == 'do_shared_workdir': | 200 | if sq_task[task] == 'do_shared_workdir': |
198 | continue | 201 | continue |
199 | self.mismatch_msgs.append("Locked sig is set for %s:%s (%s) yet not in sstate cache?" | 202 | sstate_missing_msgs.append("Locked sig is set for %s:%s (%s) yet not in sstate cache?" |
200 | % (pn, sq_task[task], sq_hash[task])) | 203 | % (pn, sq_task[task], sq_hash[task])) |
201 | 204 | ||
202 | if self.mismatch_msgs and checklevel == 'warn': | 205 | checklevel = d.getVar("SIGGEN_LOCKEDSIGS_TASKSIG_CHECK", True) |
203 | bb.warn("\n".join(self.mismatch_msgs)) | 206 | if checklevel == 'warn': |
204 | elif self.mismatch_msgs and checklevel == 'error': | 207 | warn_msgs += self.mismatch_msgs |
205 | bb.fatal("\n".join(self.mismatch_msgs)) | 208 | elif checklevel == 'error': |
209 | error_msgs += self.mismatch_msgs | ||
210 | |||
211 | checklevel = d.getVar("SIGGEN_LOCKEDSIGS_SSTATE_EXISTS_CHECK", True) | ||
212 | if checklevel == 'warn': | ||
213 | warn_msgs += sstate_missing_msgs | ||
214 | elif checklevel == 'error': | ||
215 | error_msgs += sstate_missing_msgs | ||
216 | |||
217 | if warn_msgs: | ||
218 | bb.warn("\n".join(warn_msgs)) | ||
219 | if error_msgs: | ||
220 | bb.fatal("\n".join(error_msgs)) | ||
206 | 221 | ||
207 | 222 | ||
208 | # Insert these classes into siggen's namespace so it can see and select them | 223 | # Insert these classes into siggen's namespace so it can see and select them |
diff --git a/meta/lib/oeqa/selftest/signing.py b/meta/lib/oeqa/selftest/signing.py index d2b3f0003c..1babca07df 100644 --- a/meta/lib/oeqa/selftest/signing.py +++ b/meta/lib/oeqa/selftest/signing.py | |||
@@ -160,7 +160,7 @@ class LockedSignatures(oeSelfTest): | |||
160 | bitbake('-S none %s' % test_recipe) | 160 | bitbake('-S none %s' % test_recipe) |
161 | 161 | ||
162 | feature = 'require %s\n' % locked_sigs_file | 162 | feature = 'require %s\n' % locked_sigs_file |
163 | feature += 'SIGGEN_LOCKEDSIGS_CHECK_LEVEL = "warn"\n' | 163 | feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n' |
164 | self.write_config(feature) | 164 | self.write_config(feature) |
165 | 165 | ||
166 | # Build a locked recipe | 166 | # Build a locked recipe |
@@ -180,7 +180,7 @@ class LockedSignatures(oeSelfTest): | |||
180 | ret = bitbake(test_recipe) | 180 | ret = bitbake(test_recipe) |
181 | 181 | ||
182 | # Verify you get the warning and that the real task *isn't* run (i.e. the locked signature has worked) | 182 | # Verify you get the warning and that the real task *isn't* run (i.e. the locked signature has worked) |
183 | patt = r'WARNING: The %s:do_package sig \S+ changed, use locked sig \S+ to instead' % test_recipe | 183 | patt = r'WARNING: The %s:do_package sig is computed to be \S+, but the sig is locked to \S+ in SIGGEN_LOCKEDSIGS\S+' % test_recipe |
184 | found_warn = re.search(patt, ret.output) | 184 | found_warn = re.search(patt, ret.output) |
185 | 185 | ||
186 | self.assertIsNotNone(found_warn, "Didn't find the expected warning message. Output: %s" % ret.output) | 186 | self.assertIsNotNone(found_warn, "Didn't find the expected warning message. Output: %s" % ret.output) |