1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
|
from oeqa.selftest.base import oeSelfTest
from oeqa.utils.commands import runCmd, bitbake, get_bb_var
import os
import glob
import re
import shutil
import tempfile
from oeqa.utils.decorators import testcase
from oeqa.utils.ftools import write_file
class Signing(oeSelfTest):
gpg_dir = ""
pub_key_path = ""
secret_key_path = ""
@classmethod
def setUpClass(cls):
# Check that we can find the gpg binary and fail early if we can't
if not shutil.which("gpg"):
raise AssertionError("This test needs GnuPG")
cls.gpg_home_dir = tempfile.TemporaryDirectory(prefix="oeqa-signing-")
cls.gpg_dir = cls.gpg_home_dir.name
cls.pub_key_path = os.path.join(cls.testlayer_path, 'files', 'signing', "key.pub")
cls.secret_key_path = os.path.join(cls.testlayer_path, 'files', 'signing', "key.secret")
runCmd('gpg --homedir %s --import %s %s' % (cls.gpg_dir, cls.pub_key_path, cls.secret_key_path))
@testcase(1362)
def test_signing_packages(self):
"""
Summary: Test that packages can be signed in the package feed
Expected: Package should be signed with the correct key
Product: oe-core
Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
"""
import oe.packagedata
package_classes = get_bb_var('PACKAGE_CLASSES')
if 'package_rpm' not in package_classes:
self.skipTest('This test requires RPM Packaging.')
test_recipe = 'ed'
feature = 'INHERIT += "sign_rpm"\n'
feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
feature += 'RPM_GPG_NAME = "testuser"\n'
feature += 'RPM_GPG_PUBKEY = "%s"\n' % self.pub_key_path
feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
self.write_config(feature)
bitbake('-c cleansstate %s' % test_recipe)
bitbake(test_recipe)
self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe)
pkgdatadir = get_bb_var('PKGDATA_DIR', test_recipe)
pkgdata = oe.packagedata.read_pkgdatafile(pkgdatadir + "/runtime/ed")
if 'PKGE' in pkgdata:
pf = pkgdata['PN'] + "-" + pkgdata['PKGE'] + pkgdata['PKGV'] + '-' + pkgdata['PKGR']
else:
pf = pkgdata['PN'] + "-" + pkgdata['PKGV'] + '-' + pkgdata['PKGR']
deploy_dir_rpm = get_bb_var('DEPLOY_DIR_RPM', test_recipe)
package_arch = get_bb_var('PACKAGE_ARCH', test_recipe).replace('-', '_')
staging_bindir_native = get_bb_var('STAGING_BINDIR_NATIVE')
pkg_deploy = os.path.join(deploy_dir_rpm, package_arch, '.'.join((pf, package_arch, 'rpm')))
# Use a temporary rpmdb
rpmdb = tempfile.mkdtemp(prefix='oeqa-rpmdb')
runCmd('%s/rpm --define "_dbpath %s" --import %s' %
(staging_bindir_native, rpmdb, self.pub_key_path))
ret = runCmd('%s/rpm --define "_dbpath %s" --checksig %s' %
(staging_bindir_native, rpmdb, pkg_deploy))
# tmp/deploy/rpm/i586/ed-1.9-r0.i586.rpm: rsa sha1 md5 OK
self.assertIn('rsa sha1 md5 OK', ret.output, 'Package signed incorrectly.')
shutil.rmtree(rpmdb)
@testcase(1382)
def test_signing_sstate_archive(self):
"""
Summary: Test that sstate archives can be signed
Expected: Package should be signed with the correct key
Product: oe-core
Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
"""
test_recipe = 'ed'
builddir = os.environ.get('BUILDDIR')
sstatedir = os.path.join(builddir, 'test-sstate')
self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe)
self.add_command_to_tearDown('bitbake -c cleansstate %s' % test_recipe)
self.add_command_to_tearDown('rm -rf %s' % sstatedir)
# Determine the pub key signature
ret = runCmd('gpg --homedir %s --list-keys' % self.gpg_dir)
pub_key = re.search(r'^pub\s+\S+/(\S+)\s+', ret.output, re.M)
self.assertIsNotNone(pub_key, 'Failed to determine the public key signature.')
pub_key = pub_key.group(1)
feature = 'SSTATE_SIG_KEY ?= "%s"\n' % pub_key
feature += 'SSTATE_SIG_PASSPHRASE ?= "test123"\n'
feature += 'SSTATE_VERIFY_SIG ?= "1"\n'
feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
feature += 'SSTATE_DIR = "%s"\n' % sstatedir
self.write_config(feature)
bitbake('-c cleansstate %s' % test_recipe)
bitbake(test_recipe)
recipe_sig = glob.glob(sstatedir + '/*/*:ed:*_package.tgz.sig')
recipe_tgz = glob.glob(sstatedir + '/*/*:ed:*_package.tgz')
self.assertEqual(len(recipe_sig), 1, 'Failed to find .sig file.')
self.assertEqual(len(recipe_tgz), 1, 'Failed to find .tgz file.')
ret = runCmd('gpg --homedir %s --verify %s %s' % (self.gpg_dir, recipe_sig[0], recipe_tgz[0]))
# gpg: Signature made Thu 22 Oct 2015 01:45:09 PM EEST using RSA key ID 61EEFB30
# gpg: Good signature from "testuser (nocomment) <testuser@email.com>"
self.assertIn('gpg: Good signature from', ret.output, 'Package signed incorrectly.')
class LockedSignatures(oeSelfTest):
@testcase(1420)
def test_locked_signatures(self):
"""
Summary: Test locked signature mechanism
Expected: Locked signatures will prevent task to run
Product: oe-core
Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
"""
test_recipe = 'ed'
locked_sigs_file = 'locked-sigs.inc'
self.add_command_to_tearDown('rm -f %s' % os.path.join(self.builddir, locked_sigs_file))
bitbake(test_recipe)
# Generate locked sigs include file
bitbake('-S none %s' % test_recipe)
feature = 'require %s\n' % locked_sigs_file
feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n'
self.write_config(feature)
# Build a locked recipe
bitbake(test_recipe)
# Make a change that should cause the locked task signature to change
recipe_append_file = test_recipe + '_' + get_bb_var('PV', test_recipe) + '.bbappend'
recipe_append_path = os.path.join(self.testlayer_path, 'recipes-test', test_recipe, recipe_append_file)
feature = 'SUMMARY += "test locked signature"\n'
os.mkdir(os.path.join(self.testlayer_path, 'recipes-test', test_recipe))
write_file(recipe_append_path, feature)
self.add_command_to_tearDown('rm -rf %s' % os.path.join(self.testlayer_path, 'recipes-test', test_recipe))
# Build the recipe again
ret = bitbake(test_recipe)
# Verify you get the warning and that the real task *isn't* run (i.e. the locked signature has worked)
patt = r'WARNING: The %s:do_package sig is computed to be \S+, but the sig is locked to \S+ in SIGGEN_LOCKEDSIGS\S+' % test_recipe
found_warn = re.search(patt, ret.output)
self.assertIsNotNone(found_warn, "Didn't find the expected warning message. Output: %s" % ret.output)
|