Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 5b9ede0403237c7dace972affa65cf64a1aadd0e / . / poky / meta / lib / oeqa / selftest / cases / signing.py
blob: 0edaf400bbeaef9860a541eb3ef8fb55bb77f414 [file] [log] [blame]
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]1from oeqa.selftest.case import OESelftestTestCase
2from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars
3import os
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]4import oe
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]5import glob
6import re
7import shutil
8import tempfile
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]9from contextlib import contextmanager
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]10from oeqa.core.decorator.oeid import OETestID
11from oeqa.utils.ftools import write_file
12
13
14class Signing(OESelftestTestCase):
15
16 gpg_dir = ""
17 pub_key_path = ""
18 secret_key_path = ""
19
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]20 def setup_gpg(self):
21 bitbake('gnupg-native -c addto_recipe_sysroot')
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]22
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]23 self.gpg_dir = tempfile.mkdtemp(prefix="oeqa-signing-")
24 self.track_for_cleanup(self.gpg_dir)
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]25
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]26 self.pub_key_path = os.path.join(self.testlayer_path, 'files', 'signing', "key.pub")
27 self.secret_key_path = os.path.join(self.testlayer_path, 'files', 'signing', "key.secret")
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]28
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]29 nsysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native")
30 runCmd('gpg --batch --homedir %s --import %s %s' % (self.gpg_dir, self.pub_key_path, self.secret_key_path), native_sysroot=nsysroot)
31 return nsysroot + get_bb_var("bindir_native")
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]32
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]33
34 @contextmanager
35 def create_new_builddir(self, builddir, newbuilddir):
36 bb.utils.mkdirhier(newbuilddir)
37 oe.path.copytree(builddir + "/conf", newbuilddir + "/conf")
38 oe.path.copytree(builddir + "/cache", newbuilddir + "/cache")
39
40 origenv = os.environ.copy()
41
42 for e in os.environ:
43 if builddir in os.environ[e]:
44 os.environ[e] = os.environ[e].replace(builddir, newbuilddir)
45
46 os.chdir(newbuilddir)
47 try:
48 yield
49 finally:
50 for e in origenv:
51 os.environ[e] = origenv[e]
52 os.chdir(builddir)
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]53
54 @OETestID(1362)
55 def test_signing_packages(self):
56 """
57 Summary: Test that packages can be signed in the package feed
58 Expected: Package should be signed with the correct key
59 Expected: Images can be created from signed packages
60 Product: oe-core
61 Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
62 Author: Alexander Kanavin <alexander.kanavin@intel.com>
63 AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
64 """
65 import oe.packagedata
66
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]67 self.setup_gpg()
68
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]69 package_classes = get_bb_var('PACKAGE_CLASSES')
70 if 'package_rpm' not in package_classes:
71 self.skipTest('This test requires RPM Packaging.')
72
73 test_recipe = 'ed'
74
75 feature = 'INHERIT += "sign_rpm"\n'
76 feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
77 feature += 'RPM_GPG_NAME = "testuser"\n'
78 feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
79
80 self.write_config(feature)
81
82 bitbake('-c clean %s' % test_recipe)
83 bitbake('-f -c package_write_rpm %s' % test_recipe)
84
85 self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe)
86
87 needed_vars = ['PKGDATA_DIR', 'DEPLOY_DIR_RPM', 'PACKAGE_ARCH', 'STAGING_BINDIR_NATIVE']
88 bb_vars = get_bb_vars(needed_vars, test_recipe)
89 pkgdatadir = bb_vars['PKGDATA_DIR']
90 pkgdata = oe.packagedata.read_pkgdatafile(pkgdatadir + "/runtime/ed")
91 if 'PKGE' in pkgdata:
92 pf = pkgdata['PN'] + "-" + pkgdata['PKGE'] + pkgdata['PKGV'] + '-' + pkgdata['PKGR']
93 else:
94 pf = pkgdata['PN'] + "-" + pkgdata['PKGV'] + '-' + pkgdata['PKGR']
95 deploy_dir_rpm = bb_vars['DEPLOY_DIR_RPM']
96 package_arch = bb_vars['PACKAGE_ARCH'].replace('-', '_')
97 staging_bindir_native = bb_vars['STAGING_BINDIR_NATIVE']
98
99 pkg_deploy = os.path.join(deploy_dir_rpm, package_arch, '.'.join((pf, package_arch, 'rpm')))
100
101 # Use a temporary rpmdb
102 rpmdb = tempfile.mkdtemp(prefix='oeqa-rpmdb')
103
104 runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' %
105 (staging_bindir_native, rpmdb, self.pub_key_path))
106
107 ret = runCmd('%s/rpmkeys --define "_dbpath %s" --checksig %s' %
108 (staging_bindir_native, rpmdb, pkg_deploy))
109 # tmp/deploy/rpm/i586/ed-1.9-r0.i586.rpm: rsa sha1 md5 OK
Brad Bishop316dfdd2018-06-25 12:45:53 -0400[diff] [blame]110 self.assertIn('digests signatures OK', ret.output, 'Package signed incorrectly.')
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]111 shutil.rmtree(rpmdb)
112
113 #Check that an image can be built from signed packages
114 self.add_command_to_tearDown('bitbake -c clean core-image-minimal')
115 bitbake('-c clean core-image-minimal')
116 bitbake('core-image-minimal')
117
118
119 @OETestID(1382)
120 def test_signing_sstate_archive(self):
121 """
122 Summary: Test that sstate archives can be signed
123 Expected: Package should be signed with the correct key
124 Product: oe-core
125 Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
126 AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
127 """
128
129 test_recipe = 'ed'
130
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]131 # Since we need gpg but we can't use gpg-native for sstate signatures, we
132 # build gpg-native in our original builddir then run the tests in a second one.
133 builddir = os.environ.get('BUILDDIR') + "-testsign"
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]134 sstatedir = os.path.join(builddir, 'test-sstate')
135
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]136 nsysroot = self.setup_gpg()
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]137
138 feature = 'SSTATE_SIG_KEY ?= "testuser"\n'
139 feature += 'SSTATE_SIG_PASSPHRASE ?= "test123"\n'
140 feature += 'SSTATE_VERIFY_SIG ?= "1"\n'
141 feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
142 feature += 'SSTATE_DIR = "%s"\n' % sstatedir
143 # Any mirror might have partial sstate without .sig files, triggering failures
144 feature += 'SSTATE_MIRRORS_forcevariable = ""\n'
145
146 self.write_config(feature)
147
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]148 with self.create_new_builddir(os.environ['BUILDDIR'], builddir):
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]149
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]150 os.environ["PATH"] = nsysroot + ":" + os.environ["PATH"]
151 self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe)
152 self.add_command_to_tearDown('rm -rf %s' % sstatedir)
153 self.add_command_to_tearDown('rm -rf %s' % builddir)
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]154
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]155 bitbake('-c clean %s' % test_recipe)
156 bitbake('-c populate_lic %s' % test_recipe)
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]157
Brad Bishopf86d0552018-12-04 14:18:15 -0800[diff] [blame]158 recipe_sig = glob.glob(sstatedir + '/*/*:ed:*_populate_lic.tgz.sig')
159 recipe_tgz = glob.glob(sstatedir + '/*/*:ed:*_populate_lic.tgz')
160
161 self.assertEqual(len(recipe_sig), 1, 'Failed to find .sig file.')
162 self.assertEqual(len(recipe_tgz), 1, 'Failed to find .tgz file.')
163
164 ret = runCmd('gpg --homedir %s --verify %s %s' % (self.gpg_dir, recipe_sig[0], recipe_tgz[0]))
165 # gpg: Signature made Thu 22 Oct 2015 01:45:09 PM EEST using RSA key ID 61EEFB30
166 # gpg: Good signature from "testuser (nocomment) <testuser@email.com>"
167 self.assertIn('gpg: Good signature from', ret.output, 'Package signed incorrectly.')
Brad Bishopd7bf8c12018-02-25 22:55:05 -0500[diff] [blame]168
169
170class LockedSignatures(OESelftestTestCase):
171
172 @OETestID(1420)
173 def test_locked_signatures(self):
174 """
175 Summary: Test locked signature mechanism
176 Expected: Locked signatures will prevent task to run
177 Product: oe-core
178 Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
179 AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
180 """
181
182 test_recipe = 'ed'
183 locked_sigs_file = 'locked-sigs.inc'
184
185 self.add_command_to_tearDown('rm -f %s' % os.path.join(self.builddir, locked_sigs_file))
186
187 bitbake(test_recipe)
188 # Generate locked sigs include file
189 bitbake('-S none %s' % test_recipe)
190
191 feature = 'require %s\n' % locked_sigs_file
192 feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n'
193 self.write_config(feature)
194
195 # Build a locked recipe
196 bitbake(test_recipe)
197
198 # Make a change that should cause the locked task signature to change
199 recipe_append_file = test_recipe + '_' + get_bb_var('PV', test_recipe) + '.bbappend'
200 recipe_append_path = os.path.join(self.testlayer_path, 'recipes-test', test_recipe, recipe_append_file)
201 feature = 'SUMMARY += "test locked signature"\n'
202
203 os.mkdir(os.path.join(self.testlayer_path, 'recipes-test', test_recipe))
204 write_file(recipe_append_path, feature)
205
206 self.add_command_to_tearDown('rm -rf %s' % os.path.join(self.testlayer_path, 'recipes-test', test_recipe))
207
208 # Build the recipe again
209 ret = bitbake(test_recipe)
210
211 # Verify you get the warning and that the real task *isn't* run (i.e. the locked signature has worked)
212 patt = r'WARNING: The %s:do_package sig is computed to be \S+, but the sig is locked to \S+ in SIGGEN_LOCKEDSIGS\S+' % test_recipe
213 found_warn = re.search(patt, ret.output)
214
215 self.assertIsNotNone(found_warn, "Didn't find the expected warning message. Output: %s" % ret.output)