Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 1 | from oeqa.selftest.case import OESelftestTestCase |
| 2 | from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars |
| 3 | import os |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 4 | import oe |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 5 | import glob |
| 6 | import re |
| 7 | import shutil |
| 8 | import tempfile |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 9 | from contextlib import contextmanager |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 10 | from oeqa.core.decorator.oeid import OETestID |
| 11 | from oeqa.utils.ftools import write_file |
| 12 | |
| 13 | |
| 14 | class Signing(OESelftestTestCase): |
| 15 | |
| 16 | gpg_dir = "" |
| 17 | pub_key_path = "" |
| 18 | secret_key_path = "" |
| 19 | |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 20 | def setup_gpg(self): |
| 21 | bitbake('gnupg-native -c addto_recipe_sysroot') |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 22 | |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 23 | self.gpg_dir = tempfile.mkdtemp(prefix="oeqa-signing-") |
| 24 | self.track_for_cleanup(self.gpg_dir) |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 25 | |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 26 | self.pub_key_path = os.path.join(self.testlayer_path, 'files', 'signing', "key.pub") |
| 27 | self.secret_key_path = os.path.join(self.testlayer_path, 'files', 'signing', "key.secret") |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 28 | |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 29 | nsysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native") |
| 30 | runCmd('gpg --batch --homedir %s --import %s %s' % (self.gpg_dir, self.pub_key_path, self.secret_key_path), native_sysroot=nsysroot) |
| 31 | return nsysroot + get_bb_var("bindir_native") |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 32 | |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 33 | |
| 34 | @contextmanager |
| 35 | def create_new_builddir(self, builddir, newbuilddir): |
| 36 | bb.utils.mkdirhier(newbuilddir) |
| 37 | oe.path.copytree(builddir + "/conf", newbuilddir + "/conf") |
| 38 | oe.path.copytree(builddir + "/cache", newbuilddir + "/cache") |
| 39 | |
| 40 | origenv = os.environ.copy() |
| 41 | |
| 42 | for e in os.environ: |
| 43 | if builddir in os.environ[e]: |
| 44 | os.environ[e] = os.environ[e].replace(builddir, newbuilddir) |
| 45 | |
| 46 | os.chdir(newbuilddir) |
| 47 | try: |
| 48 | yield |
| 49 | finally: |
| 50 | for e in origenv: |
| 51 | os.environ[e] = origenv[e] |
| 52 | os.chdir(builddir) |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 53 | |
| 54 | @OETestID(1362) |
| 55 | def test_signing_packages(self): |
| 56 | """ |
| 57 | Summary: Test that packages can be signed in the package feed |
| 58 | Expected: Package should be signed with the correct key |
| 59 | Expected: Images can be created from signed packages |
| 60 | Product: oe-core |
| 61 | Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com> |
| 62 | Author: Alexander Kanavin <alexander.kanavin@intel.com> |
| 63 | AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com> |
| 64 | """ |
| 65 | import oe.packagedata |
| 66 | |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 67 | self.setup_gpg() |
| 68 | |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 69 | package_classes = get_bb_var('PACKAGE_CLASSES') |
| 70 | if 'package_rpm' not in package_classes: |
| 71 | self.skipTest('This test requires RPM Packaging.') |
| 72 | |
| 73 | test_recipe = 'ed' |
| 74 | |
| 75 | feature = 'INHERIT += "sign_rpm"\n' |
| 76 | feature += 'RPM_GPG_PASSPHRASE = "test123"\n' |
| 77 | feature += 'RPM_GPG_NAME = "testuser"\n' |
| 78 | feature += 'GPG_PATH = "%s"\n' % self.gpg_dir |
| 79 | |
| 80 | self.write_config(feature) |
| 81 | |
| 82 | bitbake('-c clean %s' % test_recipe) |
| 83 | bitbake('-f -c package_write_rpm %s' % test_recipe) |
| 84 | |
| 85 | self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe) |
| 86 | |
| 87 | needed_vars = ['PKGDATA_DIR', 'DEPLOY_DIR_RPM', 'PACKAGE_ARCH', 'STAGING_BINDIR_NATIVE'] |
| 88 | bb_vars = get_bb_vars(needed_vars, test_recipe) |
| 89 | pkgdatadir = bb_vars['PKGDATA_DIR'] |
| 90 | pkgdata = oe.packagedata.read_pkgdatafile(pkgdatadir + "/runtime/ed") |
| 91 | if 'PKGE' in pkgdata: |
| 92 | pf = pkgdata['PN'] + "-" + pkgdata['PKGE'] + pkgdata['PKGV'] + '-' + pkgdata['PKGR'] |
| 93 | else: |
| 94 | pf = pkgdata['PN'] + "-" + pkgdata['PKGV'] + '-' + pkgdata['PKGR'] |
| 95 | deploy_dir_rpm = bb_vars['DEPLOY_DIR_RPM'] |
| 96 | package_arch = bb_vars['PACKAGE_ARCH'].replace('-', '_') |
| 97 | staging_bindir_native = bb_vars['STAGING_BINDIR_NATIVE'] |
| 98 | |
| 99 | pkg_deploy = os.path.join(deploy_dir_rpm, package_arch, '.'.join((pf, package_arch, 'rpm'))) |
| 100 | |
| 101 | # Use a temporary rpmdb |
| 102 | rpmdb = tempfile.mkdtemp(prefix='oeqa-rpmdb') |
| 103 | |
| 104 | runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' % |
| 105 | (staging_bindir_native, rpmdb, self.pub_key_path)) |
| 106 | |
| 107 | ret = runCmd('%s/rpmkeys --define "_dbpath %s" --checksig %s' % |
| 108 | (staging_bindir_native, rpmdb, pkg_deploy)) |
| 109 | # tmp/deploy/rpm/i586/ed-1.9-r0.i586.rpm: rsa sha1 md5 OK |
Brad Bishop | 316dfdd | 2018-06-25 12:45:53 -0400 | [diff] [blame] | 110 | self.assertIn('digests signatures OK', ret.output, 'Package signed incorrectly.') |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 111 | shutil.rmtree(rpmdb) |
| 112 | |
| 113 | #Check that an image can be built from signed packages |
| 114 | self.add_command_to_tearDown('bitbake -c clean core-image-minimal') |
| 115 | bitbake('-c clean core-image-minimal') |
| 116 | bitbake('core-image-minimal') |
| 117 | |
| 118 | |
| 119 | @OETestID(1382) |
| 120 | def test_signing_sstate_archive(self): |
| 121 | """ |
| 122 | Summary: Test that sstate archives can be signed |
| 123 | Expected: Package should be signed with the correct key |
| 124 | Product: oe-core |
| 125 | Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com> |
| 126 | AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com> |
| 127 | """ |
| 128 | |
| 129 | test_recipe = 'ed' |
| 130 | |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 131 | # Since we need gpg but we can't use gpg-native for sstate signatures, we |
| 132 | # build gpg-native in our original builddir then run the tests in a second one. |
| 133 | builddir = os.environ.get('BUILDDIR') + "-testsign" |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 134 | sstatedir = os.path.join(builddir, 'test-sstate') |
| 135 | |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 136 | nsysroot = self.setup_gpg() |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 137 | |
| 138 | feature = 'SSTATE_SIG_KEY ?= "testuser"\n' |
| 139 | feature += 'SSTATE_SIG_PASSPHRASE ?= "test123"\n' |
| 140 | feature += 'SSTATE_VERIFY_SIG ?= "1"\n' |
| 141 | feature += 'GPG_PATH = "%s"\n' % self.gpg_dir |
| 142 | feature += 'SSTATE_DIR = "%s"\n' % sstatedir |
| 143 | # Any mirror might have partial sstate without .sig files, triggering failures |
| 144 | feature += 'SSTATE_MIRRORS_forcevariable = ""\n' |
| 145 | |
| 146 | self.write_config(feature) |
| 147 | |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 148 | with self.create_new_builddir(os.environ['BUILDDIR'], builddir): |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 149 | |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 150 | os.environ["PATH"] = nsysroot + ":" + os.environ["PATH"] |
| 151 | self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe) |
| 152 | self.add_command_to_tearDown('rm -rf %s' % sstatedir) |
| 153 | self.add_command_to_tearDown('rm -rf %s' % builddir) |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 154 | |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 155 | bitbake('-c clean %s' % test_recipe) |
| 156 | bitbake('-c populate_lic %s' % test_recipe) |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 157 | |
Brad Bishop | f86d055 | 2018-12-04 14:18:15 -0800 | [diff] [blame^] | 158 | recipe_sig = glob.glob(sstatedir + '/*/*:ed:*_populate_lic.tgz.sig') |
| 159 | recipe_tgz = glob.glob(sstatedir + '/*/*:ed:*_populate_lic.tgz') |
| 160 | |
| 161 | self.assertEqual(len(recipe_sig), 1, 'Failed to find .sig file.') |
| 162 | self.assertEqual(len(recipe_tgz), 1, 'Failed to find .tgz file.') |
| 163 | |
| 164 | ret = runCmd('gpg --homedir %s --verify %s %s' % (self.gpg_dir, recipe_sig[0], recipe_tgz[0])) |
| 165 | # gpg: Signature made Thu 22 Oct 2015 01:45:09 PM EEST using RSA key ID 61EEFB30 |
| 166 | # gpg: Good signature from "testuser (nocomment) <testuser@email.com>" |
| 167 | self.assertIn('gpg: Good signature from', ret.output, 'Package signed incorrectly.') |
Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 168 | |
| 169 | |
| 170 | class LockedSignatures(OESelftestTestCase): |
| 171 | |
| 172 | @OETestID(1420) |
| 173 | def test_locked_signatures(self): |
| 174 | """ |
| 175 | Summary: Test locked signature mechanism |
| 176 | Expected: Locked signatures will prevent task to run |
| 177 | Product: oe-core |
| 178 | Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com> |
| 179 | AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com> |
| 180 | """ |
| 181 | |
| 182 | test_recipe = 'ed' |
| 183 | locked_sigs_file = 'locked-sigs.inc' |
| 184 | |
| 185 | self.add_command_to_tearDown('rm -f %s' % os.path.join(self.builddir, locked_sigs_file)) |
| 186 | |
| 187 | bitbake(test_recipe) |
| 188 | # Generate locked sigs include file |
| 189 | bitbake('-S none %s' % test_recipe) |
| 190 | |
| 191 | feature = 'require %s\n' % locked_sigs_file |
| 192 | feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n' |
| 193 | self.write_config(feature) |
| 194 | |
| 195 | # Build a locked recipe |
| 196 | bitbake(test_recipe) |
| 197 | |
| 198 | # Make a change that should cause the locked task signature to change |
| 199 | recipe_append_file = test_recipe + '_' + get_bb_var('PV', test_recipe) + '.bbappend' |
| 200 | recipe_append_path = os.path.join(self.testlayer_path, 'recipes-test', test_recipe, recipe_append_file) |
| 201 | feature = 'SUMMARY += "test locked signature"\n' |
| 202 | |
| 203 | os.mkdir(os.path.join(self.testlayer_path, 'recipes-test', test_recipe)) |
| 204 | write_file(recipe_append_path, feature) |
| 205 | |
| 206 | self.add_command_to_tearDown('rm -rf %s' % os.path.join(self.testlayer_path, 'recipes-test', test_recipe)) |
| 207 | |
| 208 | # Build the recipe again |
| 209 | ret = bitbake(test_recipe) |
| 210 | |
| 211 | # Verify you get the warning and that the real task *isn't* run (i.e. the locked signature has worked) |
| 212 | patt = r'WARNING: The %s:do_package sig is computed to be \S+, but the sig is locked to \S+ in SIGGEN_LOCKEDSIGS\S+' % test_recipe |
| 213 | found_warn = re.search(patt, ret.output) |
| 214 | |
| 215 | self.assertIsNotNone(found_warn, "Didn't find the expected warning message. Output: %s" % ret.output) |