Placing the key import logic under signing-keys cannot ensure all
target recipes are always signed. Instead, place it before
do_package_write_rpm.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
When the SIGNING_MODEL is set to "user", the signing-keys recipes will
run failed on the get_public_keys task. uks_rpm_keys_dir() function
could not return the right rpm_keys directory when the
SIGNING_MODEL is set to "user".
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
encrypted-storage layer will include more security features about encrypted
storage so the term "encrypted-storage" won't be used to specify a dedicated
technology term such as "LUKS".
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
If "GPG_PATH" is set in the init script, then "signing-keys"
get_public_keys task will execute failed.
So the "GPG_PATH" directory would be created when "GPG_PATH" is set.
The do_get_public_keys failed to import gpg key error information is as following:
----------------------------------------------------------------------------------------
ERROR: signing-keys-1.0-r0 do_get_public_keys: Function failed: Failed to import gpg key
(layers/meta-secure-core/meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore):
gpg: fatal: can't create directory
`tmp/deploy/images/intel-corei7-64/.gnupg': No such file or directory
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
The keyutils-doc package supply some same name man7 files with
man-pages, it will cause the rpm package installation or upgrade failed.
The keyutils-doc and man-pages rpm packages' transction check error
information is as following:
--------------------------------------------------------------------
Running transaction test
Error: Transaction check error:
file /usr/share/man/man7/keyrings.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/persistent-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/process-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/session-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/thread-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/user-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/user-session-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
commit 52bf3b6636f95a(meta-integrity: move gpg keyring initialization
to signing-keys) tried to initialize keyring in the task check_public_keys
of the recipe signing-keys. However, it does work with the recipe
signing-keys only, and GPG_PATH can't be passed to other recipes.
We bring the python anonymous function back, and it makes sure GPG_PATH
is set before signing the packages for every recipe.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
Currently, OPENSSL_LIB is only used for locating openssl.cnf in order
to work around openssl-1.1.x.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
