Blame - import-layers/yocto-poky/meta/lib/oeqa/selftest/cases/signing.py - openbmc/openbmc

blob: b3d1a8292ecb2a937bb67243305c074d2bd5259f [file] [log] [blame]

Brad Bishop	d7bf8c1	2018-02-25 22:55:05 -0500	[diff] [blame^]	1	from oeqa.selftest.case import OESelftestTestCase
				2	from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars
				3	import os
				4	import glob
				5	import re
				6	import shutil
				7	import tempfile
				8	from oeqa.core.decorator.oeid import OETestID
				9	from oeqa.utils.ftools import write_file
				10
				11
				12	class Signing(OESelftestTestCase):
				13
				14	gpg_dir = ""
				15	pub_key_path = ""
				16	secret_key_path = ""
				17
				18	@classmethod
				19	def setUpClass(cls):
				20	super(Signing, cls).setUpClass()
				21	# Check that we can find the gpg binary and fail early if we can't
				22	if not shutil.which("gpg"):
				23	raise AssertionError("This test needs GnuPG")
				24
				25	cls.gpg_dir = tempfile.mkdtemp(prefix="oeqa-signing-")
				26
				27	cls.pub_key_path = os.path.join(cls.testlayer_path, 'files', 'signing', "key.pub")
				28	cls.secret_key_path = os.path.join(cls.testlayer_path, 'files', 'signing', "key.secret")
				29
				30	runCmd('gpg --batch --homedir %s --import %s %s' % (cls.gpg_dir, cls.pub_key_path, cls.secret_key_path))
				31
				32	@classmethod
				33	def tearDownClass(cls):
				34	shutil.rmtree(cls.gpg_dir, ignore_errors=True)
				35
				36	@OETestID(1362)
				37	def test_signing_packages(self):
				38	"""
				39	Summary: Test that packages can be signed in the package feed
				40	Expected: Package should be signed with the correct key
				41	Expected: Images can be created from signed packages
				42	Product: oe-core
				43	Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
				44	Author: Alexander Kanavin <alexander.kanavin@intel.com>
				45	AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
				46	"""
				47	import oe.packagedata
				48
				49	package_classes = get_bb_var('PACKAGE_CLASSES')
				50	if 'package_rpm' not in package_classes:
				51	self.skipTest('This test requires RPM Packaging.')
				52
				53	test_recipe = 'ed'
				54
				55	feature = 'INHERIT += "sign_rpm"\n'
				56	feature += 'RPM_GPG_PASSPHRASE = "test123"\n'
				57	feature += 'RPM_GPG_NAME = "testuser"\n'
				58	feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
				59
				60	self.write_config(feature)
				61
				62	bitbake('-c clean %s' % test_recipe)
				63	bitbake('-f -c package_write_rpm %s' % test_recipe)
				64
				65	self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe)
				66
				67	needed_vars = ['PKGDATA_DIR', 'DEPLOY_DIR_RPM', 'PACKAGE_ARCH', 'STAGING_BINDIR_NATIVE']
				68	bb_vars = get_bb_vars(needed_vars, test_recipe)
				69	pkgdatadir = bb_vars['PKGDATA_DIR']
				70	pkgdata = oe.packagedata.read_pkgdatafile(pkgdatadir + "/runtime/ed")
				71	if 'PKGE' in pkgdata:
				72	pf = pkgdata['PN'] + "-" + pkgdata['PKGE'] + pkgdata['PKGV'] + '-' + pkgdata['PKGR']
				73	else:
				74	pf = pkgdata['PN'] + "-" + pkgdata['PKGV'] + '-' + pkgdata['PKGR']
				75	deploy_dir_rpm = bb_vars['DEPLOY_DIR_RPM']
				76	package_arch = bb_vars['PACKAGE_ARCH'].replace('-', '_')
				77	staging_bindir_native = bb_vars['STAGING_BINDIR_NATIVE']
				78
				79	pkg_deploy = os.path.join(deploy_dir_rpm, package_arch, '.'.join((pf, package_arch, 'rpm')))
				80
				81	# Use a temporary rpmdb
				82	rpmdb = tempfile.mkdtemp(prefix='oeqa-rpmdb')
				83
				84	runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' %
				85	(staging_bindir_native, rpmdb, self.pub_key_path))
				86
				87	ret = runCmd('%s/rpmkeys --define "_dbpath %s" --checksig %s' %
				88	(staging_bindir_native, rpmdb, pkg_deploy))
				89	# tmp/deploy/rpm/i586/ed-1.9-r0.i586.rpm: rsa sha1 md5 OK
				90	self.assertIn('rsa sha1 (md5) pgp md5 OK', ret.output, 'Package signed incorrectly.')
				91	shutil.rmtree(rpmdb)
				92
				93	#Check that an image can be built from signed packages
				94	self.add_command_to_tearDown('bitbake -c clean core-image-minimal')
				95	bitbake('-c clean core-image-minimal')
				96	bitbake('core-image-minimal')
				97
				98
				99	@OETestID(1382)
				100	def test_signing_sstate_archive(self):
				101	"""
				102	Summary: Test that sstate archives can be signed
				103	Expected: Package should be signed with the correct key
				104	Product: oe-core
				105	Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
				106	AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
				107	"""
				108
				109	test_recipe = 'ed'
				110
				111	builddir = os.environ.get('BUILDDIR')
				112	sstatedir = os.path.join(builddir, 'test-sstate')
				113
				114	self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe)
				115	self.add_command_to_tearDown('rm -rf %s' % sstatedir)
				116
				117	feature = 'SSTATE_SIG_KEY ?= "testuser"\n'
				118	feature += 'SSTATE_SIG_PASSPHRASE ?= "test123"\n'
				119	feature += 'SSTATE_VERIFY_SIG ?= "1"\n'
				120	feature += 'GPG_PATH = "%s"\n' % self.gpg_dir
				121	feature += 'SSTATE_DIR = "%s"\n' % sstatedir
				122	# Any mirror might have partial sstate without .sig files, triggering failures
				123	feature += 'SSTATE_MIRRORS_forcevariable = ""\n'
				124
				125	self.write_config(feature)
				126
				127	bitbake('-c clean %s' % test_recipe)
				128	bitbake(test_recipe)
				129
				130	recipe_sig = glob.glob(sstatedir + '//:ed:*_package.tgz.sig')
				131	recipe_tgz = glob.glob(sstatedir + '//:ed:*_package.tgz')
				132
				133	self.assertEqual(len(recipe_sig), 1, 'Failed to find .sig file.')
				134	self.assertEqual(len(recipe_tgz), 1, 'Failed to find .tgz file.')
				135
				136	ret = runCmd('gpg --homedir %s --verify %s %s' % (self.gpg_dir, recipe_sig[0], recipe_tgz[0]))
				137	# gpg: Signature made Thu 22 Oct 2015 01:45:09 PM EEST using RSA key ID 61EEFB30
				138	# gpg: Good signature from "testuser (nocomment) <testuser@email.com>"
				139	self.assertIn('gpg: Good signature from', ret.output, 'Package signed incorrectly.')
				140
				141
				142	class LockedSignatures(OESelftestTestCase):
				143
				144	@OETestID(1420)
				145	def test_locked_signatures(self):
				146	"""
				147	Summary: Test locked signature mechanism
				148	Expected: Locked signatures will prevent task to run
				149	Product: oe-core
				150	Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
				151	AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com>
				152	"""
				153
				154	test_recipe = 'ed'
				155	locked_sigs_file = 'locked-sigs.inc'
				156
				157	self.add_command_to_tearDown('rm -f %s' % os.path.join(self.builddir, locked_sigs_file))
				158
				159	bitbake(test_recipe)
				160	# Generate locked sigs include file
				161	bitbake('-S none %s' % test_recipe)
				162
				163	feature = 'require %s\n' % locked_sigs_file
				164	feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n'
				165	self.write_config(feature)
				166
				167	# Build a locked recipe
				168	bitbake(test_recipe)
				169
				170	# Make a change that should cause the locked task signature to change
				171	recipe_append_file = test_recipe + '_' + get_bb_var('PV', test_recipe) + '.bbappend'
				172	recipe_append_path = os.path.join(self.testlayer_path, 'recipes-test', test_recipe, recipe_append_file)
				173	feature = 'SUMMARY += "test locked signature"\n'
				174
				175	os.mkdir(os.path.join(self.testlayer_path, 'recipes-test', test_recipe))
				176	write_file(recipe_append_path, feature)
				177
				178	self.add_command_to_tearDown('rm -rf %s' % os.path.join(self.testlayer_path, 'recipes-test', test_recipe))
				179
				180	# Build the recipe again
				181	ret = bitbake(test_recipe)
				182
				183	# Verify you get the warning and that the real task isn't run (i.e. the locked signature has worked)
				184	patt = r'WARNING: The %s:do_package sig is computed to be \S+, but the sig is locked to \S+ in SIGGEN_LOCKEDSIGS\S+' % test_recipe
				185	found_warn = re.search(patt, ret.output)
				186
				187	self.assertIsNotNone(found_warn, "Didn't find the expected warning message. Output: %s" % ret.output)