From patchwork Mon Nov 8 16:08:39 2021
X-Patchwork-Submitter: Adrian Freihofer
X-Patchwork-Id: 1552425
From: Adrian Freihofer
To: swupdate@googlegroups.com
Cc: Adrian Freihofer
Subject: [swupdate] [meta-swupdate][PATCH v2 1/2] swupdate-common: improve signing
Date: Mon, 8 Nov 2021 17:08:39 +0100
Message-Id: <20211108160840.61647-2-adrian.freihofer@siemens.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20211108160840.61647-1-adrian.freihofer@siemens.com>
References: <20211108160840.61647-1-adrian.freihofer@siemens.com>

Improve signing implementation and related task dependencies.

Replace os.system with subprocess.run. os.system does not show any helpful
error messages and therefore signing simply fails.

Since os.system was replaced by the more verbose subprocess.run, several
interesting error patterns occurred. Especially when running more complex
build flows with rm_work active the signing step failed sometimes.
subprocess.run exceptions showed different errors:
- openssl binary not found: Fixed dependencies
- openssl fails because the "-passin file:'%s' " parameter is invalid.
  With the list based syntax of subprocess.run this gets fixed without '

Signed-off-by: Adrian Freihofer
---
 classes/swupdate-common.bbclass | 54 ++++++++++++---------------------
 1 file changed, 20 insertions(+), 34 deletions(-)

diff --git a/classes/swupdate-common.bbclass b/classes/swupdate-common.bbclass
index f483398..c91ee4e 100644
--- a/classes/swupdate-common.bbclass +++ b/classes/swupdate-common.bbclass @@ -1,6 +1,6 @@ DEPENDS += "\ cpio-native \ - ${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) else ''} \ + ${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING') or d.getVar('SWUPDATE_ENCRYPT_SWDESC') or d.getVarFlags('SWUPDATE_IMAGES_ENCRYPTED') else ''} \ " do_swuimage[umask] = "022" @@ -30,11 +30,12 @@ def swupdate_getdepends(d): deps = [] images = (d.getVar('IMAGE_DEPENDS', True) or "").split() for image in images: - adddep(image , deps) + adddep(image , deps) depstr = "" for dep in deps: depstr += " " + dep + ":do_build" + return depstr def swupdate_get_sha256(s, filename): @@ -228,6 +229,7 @@ def swupdate_expand_auto_versions(d, s): def prepare_sw_description(d): import shutil + import subprocess s = d.getVar('S', True) swupdate_expand_bitbake_variables(d, s) @@ -247,13 +249,19 @@ def prepare_sw_description(d): bb.warn('SWUPDATE_SIGNING = "1" is deprecated, falling back to "RSA". It is advised to set it to "RSA" if using RSA signing.') signing = "RSA" if signing: + def get_pwd_file_args(): + pwd_args = [] + pwd_file = d.getVar('SWUPDATE_PASSWORD_FILE', True) + if pwd_file: + pwd_args = ["-passin", "file:%s" % pwd_file] + return pwd_args + + sw_desc_sig = os.path.join(s, 'sw-description.sig') + sw_desc = os.path.join(s, 'sw-description.plain' if encrypt else 'sw-description') + if signing == "CUSTOM": - sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) - if sign_tool: - ret = os.system(sign_tool) - if ret != 0: - bb.fatal("Failed to sign with %s" % (sign_tool)) - else: + signcmd = d.getVar('SWUPDATE_SIGN_TOOL', True) + if not sign_tool: bb.fatal("Custom SWUPDATE_SIGN_TOOL is not given") elif signing == "RSA": privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True) 
@@ -261,18 +269,7 @@ def prepare_sw_description(d): bb.fatal("SWUPDATE_PRIVATE_KEY isn't set") if not os.path.exists(privkey): bb.fatal("SWUPDATE_PRIVATE_KEY %s doesn't exist" % (privkey)) - passout = d.getVar('SWUPDATE_PASSWORD_FILE', True) - if passout: - passout = "-passin file:'%s' " % (passout) - else: - passout = "" - signcmd = "openssl dgst -sha256 -sign '%s' %s -out '%s' '%s'" % ( - privkey, - passout, - os.path.join(s, 'sw-description.sig'), - os.path.join(s, 'sw-description.plain' if encrypt else 'sw-description')) - if os.system(signcmd) != 0: - bb.fatal("Failed to sign sw-description with %s" % (privkey)) + signcmd = ["openssl", "dgst", "-sha256", "-sign", privkey] + get_pwd_file_args() + ["-out", sw_desc_sig, sw_desc] elif signing == "CMS": cms_cert = d.getVar('SWUPDATE_CMS_CERT', True) if not cms_cert: @@ -284,21 +281,10 @@ def prepare_sw_description(d): bb.fatal("SWUPDATE_CMS_KEY isn't set") if not os.path.exists(cms_key): bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key)) - passout = d.getVar('SWUPDATE_PASSWORD_FILE', True) - if passout: - passout = "-passin file:'%s' " % (passout) - else: - passout = "" - signcmd = "openssl cms -sign -in '%s' -out '%s' -signer '%s' -inkey '%s' %s -outform DER -nosmimecap -binary" % ( - os.path.join(s, 'sw-description.plain' if encrypt else 'sw-description'), - os.path.join(s, 'sw-description.sig'), - cms_cert, - cms_key, - passout) - if os.system(signcmd) != 0: - bb.fatal("Failed to sign sw-description with %s" % (privkey)) + signcmd = ["openssl", "cms", "-sign", "-in", sw_desc, "-out", sw_desc_sig, "-signer", cms_cert, "-inkey", cms_key] + get_pwd_file_args() + ["-outform", "DER", "-nosmimecap", "-binary"] else: - bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism."); + bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism.") + subprocess.run(signcmd, check=True) def swupdate_add_src_uri(d, list_for_cpio):
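Review bot: the CUSTOM branch in the `@@ -247,13 +249,19 @@` hunk references a name that no longer exists: the new line is `signcmd = d.getVar('SWUPDATE_SIGN_TOOL', True)` but the check that follows is `if not sign_tool:`, and the old `sign_tool = ...` assignment was removed in the same hunk, so every build with `SWUPDATE_SIGNING = "CUSTOM"` will now die with a Python NameError before it reaches the `bb.fatal`. Either keep the variable name consistent (`if not signcmd:`) or reintroduce `sign_tool` and assign `signcmd` from it.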
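Review bot: in the CMS hunk (`@@ -284,21 +281,10 @@`) the removed `bb.fatal("Failed to sign sw-description with %s" % (privkey))` used `privkey`, which is never assigned in the CMS branch, so the old code would have raised a NameError instead of a readable error whenever CMS signing failed. Dropping it is correct, but that latent bug fix is worth one sentence in the commit message so the behaviour change is documented.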
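Review bot: the single `subprocess.run(signcmd, check=True)` at the end of the last hunk does not fit the CUSTOM branch. There `signcmd` is the raw string from `SWUPDATE_SIGN_TOOL`; without `shell=True` subprocess treats the whole string (including any arguments) as the executable name, so a custom tool with arguments, which worked under `os.system`, now fails with a FileNotFoundError. For that branch use `shlex.split(signcmd)` or pass `shell=True`. Also, `check=True` surfaces a failure as an uncaught CalledProcessError traceback, while the removed code reported it through `bb.fatal`; wrapping the call in `try: ... except subprocess.CalledProcessError as e: bb.fatal(...)` keeps the clearer diagnostic the commit message is aiming for while still showing openssl's own stderr.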