From patchwork Thu Nov 4 18:18:47 2021
X-Patchwork-Submitter: Adrian Freihofer
X-Patchwork-Id: 1551134
From: Adrian Freihofer
To: swupdate@googlegroups.com
Cc: Adrian Freihofer
Subject: [swupdate] [meta-swupdate][PATCH 1/2] swupdate-common: improve signing
Date: Thu, 4 Nov 2021 19:18:47 +0100
Message-Id: <20211104181848.4185983-2-adrian.freihofer@siemens.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20211104181848.4185983-1-adrian.freihofer@siemens.com>
References: <20211104181848.4185983-1-adrian.freihofer@siemens.com>

Improve the implementation of signatures and related task dependencies.

os.system gets replaced by subprocess.run. os.system does not display helpful error messages and therefore signing fails without a useful error description.

Since os.system has been replaced by the more modern subprocess.run, some interesting error patterns have become visible. In particular, when running more complex build flows when rm_work was active, the signing step sometimes failed because:
- openssl binary not found: fixed dependencies
- openssl fails because the parameter "-passin file:'%s' " is invalid. With the list-based syntax of subprocess.run, this is handled without '

Signed-off-by: Adrian Freihofer
---
 classes/swupdate-common.bbclass | 70 ++++++++++++++-------------------
 1 file changed, 30 insertions(+), 40 deletions(-)
diff --git a/classes/swupdate-common.bbclass b/classes/swupdate-common.bbclass index f483398..9d81cfb 100644 --- a/classes/swupdate-common.bbclass +++ b/classes/swupdate-common.bbclass @@ -1,8 +1,3 @@ -DEPENDS += "\ - cpio-native \ - ${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) else ''} \ -" - do_swuimage[umask] = "022" SSTATETASKS += "do_swuimage" SSTATE_SKIP_CREATION_task-swuimage = '1' @@ -15,26 +10,36 @@ do_swuimage[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}" do_swuimage[stamp-extra-info] = "${MACHINE}" python () { - deps = " " + swupdate_getdepends(d) + deps = " " + swuimage_getdepends(d) d.appendVarFlag('do_swuimage', 'depends', deps) d.delVarFlag('do_fetch', 'noexec') d.delVarFlag('do_unpack', 'noexec') } -def swupdate_getdepends(d): +def swuimage_getdepends(d): def adddep(depstr, deps): for i in (depstr or "").split(): if i not in deps: deps.append(i) + # Artifacts deps = [] images = (d.getVar('IMAGE_DEPENDS', True) or "").split() for image in images: - adddep(image , deps) + adddep(image , deps) depstr = "" for dep in deps: depstr += " " + dep + ":do_build" + + # openssl + if d.getVar('SWUPDATE_SIGNING') or d.getVar('SWUPDATE_ENCRYPT_SWDESC') or d.getVarFlags('SWUPDATE_IMAGES_ENCRYPTED'): + depstr += " openssl-native:do_populate_sysroot" + # cpio + depstr += " cpio-native:do_populate_sysroot" + # Always (also with rm_work active) files to workdir + depstr += ' ' + d.getVar('PN') + ":do_unpack" + return depstr def swupdate_get_sha256(s, filename): @@ -228,6 +233,7 @@ def swupdate_expand_auto_versions(d, s): def prepare_sw_description(d): import shutil + import subprocess s = d.getVar('S', True) swupdate_expand_bitbake_variables(d, s) 
@@ -247,13 +253,19 @@ def prepare_sw_description(d): bb.warn('SWUPDATE_SIGNING = "1" is deprecated, falling back to "RSA". It is advised to set it to "RSA" if using RSA signing.') signing = "RSA" if signing: + def get_pwd_file_args(): + pwd_args = [] + pwd_file = d.getVar('SWUPDATE_PASSWORD_FILE', True) + if pwd_file: + pwd_args = ["-passin", "file:%s" % pwd_file] + return pwd_args + + sw_desc_sig = os.path.join(s, 'sw-description.sig') + sw_desc = os.path.join(s, 'sw-description.plain' if encrypt else 'sw-description') + if signing == "CUSTOM": - sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) - if sign_tool: - ret = os.system(sign_tool) - if ret != 0: - bb.fatal("Failed to sign with %s" % (sign_tool)) - else: + signcmd = d.getVar('SWUPDATE_SIGN_TOOL', True) + if not sign_tool: bb.fatal("Custom SWUPDATE_SIGN_TOOL is not given") elif signing == "RSA": privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True) @@ -261,18 +273,7 @@ def prepare_sw_description(d): bb.fatal("SWUPDATE_PRIVATE_KEY isn't set") if not os.path.exists(privkey): bb.fatal("SWUPDATE_PRIVATE_KEY %s doesn't exist" % (privkey)) - passout = d.getVar('SWUPDATE_PASSWORD_FILE', True) - if passout: - passout = "-passin file:'%s' " % (passout) - else: - passout = "" - signcmd = "openssl dgst -sha256 -sign '%s' %s -out '%s' '%s'" % ( - privkey, - passout, - os.path.join(s, 'sw-description.sig'), - os.path.join(s, 'sw-description.plain' if encrypt else 'sw-description')) - if os.system(signcmd) != 0: - bb.fatal("Failed to sign sw-description with %s" % (privkey)) + signcmd = ["openssl", "dgst", "-sha256", "-sign", privkey] + get_pwd_file_args() + ["-out", sw_desc_sig, sw_desc] elif signing == "CMS": cms_cert = d.getVar('SWUPDATE_CMS_CERT', True) if not cms_cert: 
@@ -284,21 +285,10 @@ def prepare_sw_description(d): bb.fatal("SWUPDATE_CMS_KEY isn't set") if not os.path.exists(cms_key): bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key)) - passout = d.getVar('SWUPDATE_PASSWORD_FILE', True) - if passout: - passout = "-passin file:'%s' " % (passout) - else: - passout = "" - signcmd = "openssl cms -sign -in '%s' -out '%s' -signer '%s' -inkey '%s' %s -outform DER -nosmimecap -binary" % ( - os.path.join(s, 'sw-description.plain' if encrypt else 'sw-description'), - os.path.join(s, 'sw-description.sig'), - cms_cert, - cms_key, - passout) - if os.system(signcmd) != 0: - bb.fatal("Failed to sign sw-description with %s" % (privkey)) + signcmd = ["openssl", "cms", "-sign", "-in", sw_desc, "-out", sw_desc_sig, "-signer", cms_cert, "-inkey", cms_key] + get_pwd_file_args() + ["-outform", "DER", "-nosmimecap", "-binary"] else: - bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism."); + bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism.") + subprocess.run(signcmd, check=True) def swupdate_add_src_uri(d, list_for_cpio):
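Review bot: in the `@@ -15,26 +10,36 @@` hunk, the new openssl dependency test in swuimage_getdepends calls `d.getVar('SWUPDATE_SIGNING')` and `d.getVar('SWUPDATE_ENCRYPT_SWDESC')` without the explicit expand argument that every other getVar in this class passes (`d.getVar('IMAGE_DEPENDS', True)`); on bitbake releases where expand does not default to True this returns the unexpanded value, so pass `True` for consistency. Renaming swupdate_getdepends to swuimage_getdepends also changes a module-level function that other classes or layers may call; grep for the old name or keep a compatibility alias. Finally, the comment `# Always (also with rm_work active) files to workdir` is missing its verb; `# Always unpack files to WORKDIR (also with rm_work active)` says what the `${PN}:do_unpack` dependency is for.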
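Review bot: in the `@@ -247,13 +253,19 @@` hunk, the CUSTOM branch now assigns `signcmd = d.getVar('SWUPDATE_SIGN_TOOL', True)` but the following line still tests `if not sign_tool:`, and `sign_tool` is no longer defined anywhere, so every CUSTOM signing run fails with a NameError before the check is even evaluated; either test `if not signcmd:` or keep `sign_tool = d.getVar(...)` and assign `signcmd = sign_tool` after the check. A second problem on the same lines: SWUPDATE_SIGN_TOOL is a user-supplied command string that os.system used to hand to a shell, while the final `subprocess.run(signcmd, check=True)` now receives it as a bare string with no `shell=True`, so a value that contains arguments is looked up as one executable name and fails; run it through `shlex.split()` (or document that the variable must now name a single executable) so the list-based invocation matches the variable's documented behaviour.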
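Review bot: in the `@@ -261,18 +273,7 @@` hunk, the RSA branch still checks `os.path.exists(privkey)` and reports a clear `bb.fatal("SWUPDATE_PRIVATE_KEY %s doesn't exist")`, but the password file returned by `get_pwd_file_args()` gets no such check in either the RSA or the CMS branch; add an `os.path.exists` test with a bb.fatal naming the path so a mistyped SWUPDATE_PASSWORD_FILE is reported directly instead of as an opaque openssl error.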
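Review bot: in the `@@ -284,21 +285,10 @@` hunk, the single `subprocess.run(signcmd, check=True)` at the end replaces three `bb.fatal(...)` calls with an uncaught CalledProcessError, so a signing failure now surfaces as a Python traceback from the task rather than a one-line fatal message naming the mechanism; wrap it in `try: ... except subprocess.CalledProcessError as e: bb.fatal(...)` that reports the signing mechanism and the failing command (openssl's stderr still reaches the task log, which is the improvement the commit message describes). Dropping the old CMS-branch message that referenced the undefined `privkey` is a good catch.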