On Mon, 2025-02-03 at 11:11 +0100, Zoltan Boszormenyi via 
lists.openembedded.org wrote:
> On 2025-02-02 at 9:44, Zoltan Boszormenyi via lists.openembedded.org wrote:
> > On 2025-02-01 at 15:37, Mathieu Dubois-Briand wrote:
> > > On Fri Jan 31, 2025 at 7:43 AM CET, Zoltán Böszörményi wrote:
> > > > Enable building rpm with rpm-sequoia for the test.
> > > > 
> > > > Signed-off-by: Zoltán Böszörményi <[email protected]>
> > > > ---
> > > Sorry, I still get some errors while building:
> > > 
> > > 2025-02-01 14:28:32,979 - oe-selftest - INFO - 9: 40/54 602/618 (56.20s) 
> > > (0 failed) 
> > > (signing.Signing.test_signing_packages)
> > > 2025-02-01 14:28:32,979 - oe-selftest - INFO - 
> > > testtools.testresult.real._StringException: Traceback (most recent call 
> > > last):
> > >    File 
> > > "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/selftest/cases/signing.py",
> > >  
> > > line 113, in test_signing_packages
> > >      runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' %
> > >    File 
> > > "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/utils/commands.py",
> > >  
> > > line 214, in runCmd
> > >      raise AssertionError("Command '%s' returned non-zero exit status 
> > > %d:\n%s" % 
> > > (command, result.status, exc_output))
> > > AssertionError: Command 
> > > '/srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/tmp/work/core2-64-poky-linux/ed/1.20.2/recipe-sysroot-native/usr/bin/rpmkeys
> > >  
> > > --define "_dbpath /tmp/oeqa-rpmdbsj05eco3" --import 
> > > /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub'
> > >  
> > > returned non-zero exit status 1:
> > > error: Certificate 7B31316B5D64AD52:
> > >    Policy rejects 7B31316B5D64AD52: No binding signature at time 
> > > 2025-02-01T14:28:26Z
> > > error: 
> > > /srv/pokybuild/yocto-worker/oe-selftest-debian/build/build-st-3250811/meta-selftest/files/signing/key.pub:
> > >  
> > > key 1 import failed.
> > > 
> > > https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/893/steps/14/logs/stdio
> > > 
> > > Do you mind having a look at this?
> > 
> > I have run the self test on a Fedora 41 host and it succeeded there.
> > 
> > Probably you need to fix the crypto policy to allow such a cert with a
> > "no binding signature" or replace the cert.
> > 
> > This github issue may have some useful pointers:
> > https://github.com/rpm-software-management/rpm-sequoia/issues/46
> 
> Can you please try this below?
> 
> Setting the envvar SEQUOIA_CRYPTO_POLICY to an empty string
> will use the built-in default policy. See
> https://github.com/rpm-software-management/rpm-sequoia/blob/main/src/lib.rs#L54
> 
> ===============================================
> diff --git a/meta/lib/oeqa/selftest/cases/signing.py 
> b/meta/lib/oeqa/selftest/cases/signing.py
> index 51d1c3fa64..9a820ebc72 100644
> --- a/meta/lib/oeqa/selftest/cases/signing.py
> +++ b/meta/lib/oeqa/selftest/cases/signing.py
> @@ -71,7 +71,6 @@ class Signing(OESelftestTestCase):
>           """
>           import oe.packagedata
> 
> -        self.skipTest('This test requires rpm-sequoia support in rpm')
>           self.setup_gpg()
> 
>           package_classes = get_bb_var('PACKAGE_CLASSES')
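
Review bot: With the unconditional self.skipTest(...) removed at the top of this test, the rpmkeys --import step becomes a hard failure on any host whose Sequoia policy rejects meta-selftest/files/signing/key.pub, which is the "No binding signature" error reported earlier in this thread from the oe-selftest-debian worker. The test now passes only if the policy override added further down actually reaches that rpmkeys process, so the commit message should say so, or the test key should be replaced with one the host policy accepts so that no override is needed.
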
> @@ -84,9 +83,14 @@ class Signing(OESelftestTestCase):
>           feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
>           feature += 'RPM_GPG_NAME = "testuser"\n'
>           feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
> +        feature += 'PACKAGECONFIG:append:pn-rpm-native = " sequoia"\n'
> +        feature += 'PACKAGECONFIG:append:pn-rpm = " sequoia"\n'
> 
>           self.write_config(feature)
> 
> +        # Test rpm-sequoia's default built-in policy
> +        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
> +
>           bitbake('-c clean %s' % test_recipe)
>           bitbake('-f -c package_write_rpm %s' % test_recipe)
> 
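
Review bot: os.environ['SEQUOIA_CRYPTO_POLICY'] = '' is set process-wide before the bitbake calls and is never restored, so it leaks into every test that runs later in the same oe-selftest process and changes the policy they run under. The reported failure came from the rpmkeys command started through runCmd, not from a bitbake task, so scope the override to that one command (or save the old value and restore it in a cleanup), and extend the comment to say that the override is there because the host policy rejects the test key. If the bitbake tasks also need it, a plain os.environ assignment is not enough on its own, since bitbake only passes through allowed variables.
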
> @@ -152,6 +156,9 @@ class Signing(OESelftestTestCase):
> 
>           self.write_config(feature)
> 
> +        # Test rpm-sequoia's default built-in policy
> +        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
> +
>           with self.create_new_builddir(os.environ['BUILDDIR'], builddir):
> 
>               os.environ["PATH"] = nsysroot + ":" + os.environ["PATH"]
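
Review bot: This is the second verbatim copy of the SEQUOIA_CRYPTO_POLICY assignment, and nothing in the visible context of this test (write_config, create_new_builddir, the PATH update) runs rpm or rpmkeys, so it is not clear the override is needed here. If it is, set it once in a shared helper such as setUp, together with a cleanup that restores the previous value; if it is not, drop it from this hunk.
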
> @@ -198,6 +205,9 @@ class LockedSignatures(OESelftestTestCase):
>           feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n'
>           self.write_config(feature)
> 
> +        # Test rpm-sequoia's default built-in policy
> +        os.environ['SEQUOIA_CRYPTO_POLICY'] = ''
> +
>           # Build a locked recipe
>           bitbake(test_recipe)
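
Review bot: The assignment before bitbake(test_recipe) is in LockedSignatures, which configures SIGGEN_LOCKEDSIGS_TASKSIG_CHECK and builds a locked recipe; the visible lines involve no RPM signing or key import, and the comment "Test rpm-sequoia's default built-in policy" does not describe what this test checks. Drop the override here unless a failure in this class was actually traced to the Sequoia policy, in which case say so in the comment.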

Given the way bitbake clears the environment except for allowed
variables, will that setting make it to where it needs to?

I've not looked at the specific test so it is possible it can work but
it looks a bit unusual to me.

Cheers,

Richard