[OE-core] [RFC PATCH 3/3] classes/sstate: regenerate sstate when signing enabled

Sat Jul 27 10:12:43 UTC 2019

On Fri, 2019-07-26 at 11:26 +0000, Joshua Lock via Openembedded-core
wrote:
> This change ensures that the task signatures changes, and therefore
> sstate tasks are rerun, when signing is enabled. This has the
> positive outcome that if signing is enabled new signed shared state
> objects will be produced, rather than just signing shared state
> objects for tasks where no work has been performed yet.
> 
> The downside of this change is that enabling/disabling sstate object
> signing alters the taskhash and results in rebuilding the world.
> 
> Signed-off-by: Joshua Lock <jlock at vmware.com>
> ---
>  meta/classes/sstate.bbclass | 10 ++++++++--
>  meta/lib/oe/gpg_sign.py     | 10 ++++++++++
>  2 files changed, 18 insertions(+), 2 deletions(-)
> 
> diff --git a/meta/classes/sstate.bbclass
> b/meta/classes/sstate.bbclass
> index 3342c5ef50..b060e15053 100644
> --- a/meta/classes/sstate.bbclass
> +++ b/meta/classes/sstate.bbclass
> @@ -659,8 +659,12 @@ def sstate_package(ss, d):
>      if d.getVar('SSTATE_SKIP_CREATION') == '1':
>          return
>  
> +    sstate_create_package = ['sstate_report_unihash',
> 'sstate_create_package']
> +    if d.getVar('SSTATE_SIG_KEY'):
> +        sstate_create_package.append('sstate_sign_package')
> +
>      for f in (d.getVar('SSTATECREATEFUNCS') or '').split() + \
> -             ['sstate_report_unihash', 'sstate_create_package',
> 'sstate_sign_package'] + \
> +             sstate_create_package + \
>               (d.getVar('SSTATEPOSTCREATEFUNCS') or '').split():
>          # All hooks should run in SSTATE_BUILDDIR.
>          bb.build.exec_func(f, d, (sstatebuild,))
> @@ -774,7 +778,7 @@ sstate_create_package () {
>  }
>  
>  python sstate_sign_package () {
> -    from oe.gpg_sign import get_signer
> +    from oe.gpg_sign import get_signer, SignFailedError
>  
>      if d.getVar('SSTATE_SIG_KEY'):
>          signer = get_signer(d, 'local')
> @@ -783,6 +787,8 @@ python sstate_sign_package () {
>              os.unlink(sstate_pkg + '.sig')
>          signer.detach_sign(sstate_pkg, d.getVar('SSTATE_SIG_KEY',
> False), None,
>                             d.getVar('SSTATE_SIG_PASSPHRASE'),
> armor=False)
> +    else:
> +        raise SignFailedError("Can't sign sstate packages without
> key, SSTATE_SIG_KEY empty")
>  }
>  
>  python sstate_report_unihash() {
> diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
> index 2fd8c3b1ac..ec5ace0dd0 100644
> --- a/meta/lib/oe/gpg_sign.py
> +++ b/meta/lib/oe/gpg_sign.py
> @@ -123,6 +123,16 @@ class LocalSigner(object):
>          return ret
>  
>  
> +class SignFailedError(bb.build.FuncFailed):
> +    def __init__(self, description, name=None, logfile=None):
> +        self.description = description
> +        self.name = name
> +        self.logfile = logfile
> +
> +    def __str__(self):
> +        return 'Signing failed: %s' % self.description
> +
> +

Whilst this subclass is quite pythonic, I'm not sure we want to do
this. At the back of my mind is the feeling that FuncFailed is a bit
pointless :/.

Put differently, what does this buy us that bb.fatal() doesn't?

We do have a few users of FuncFailed in OECore but not many (about
8)...

Cheers,

Richard