[OE-core] [RFC PATCH 3/3] classes/sstate: regenerate sstate when signing enabled

Joshua Lock jlock at vmware.com
Tue Jul 30 09:58:52 UTC 2019



> On 27 Jul 2019, at 11:12, Richard Purdie <richard.purdie at linuxfoundation.org> wrote:
> 
> On Fri, 2019-07-26 at 11:26 +0000, Joshua Lock via Openembedded-core
> wrote:
>> This change ensures that the task signatures change, and therefore
>> sstate tasks are rerun, when signing is enabled. This has the
>> positive outcome that if signing is enabled new signed shared state
>> objects will be produced, rather than just signing shared state
>> objects for tasks where no work has been performed yet.
>> 
>> The downside of this change is that enabling/disabling sstate object
>> signing alters the taskhash and results in rebuilding the world.
>> 
>> Signed-off-by: Joshua Lock <jlock at vmware.com>
>> ---
>> meta/classes/sstate.bbclass | 10 ++++++++--
>> meta/lib/oe/gpg_sign.py     | 10 ++++++++++
>> 2 files changed, 18 insertions(+), 2 deletions(-)
>> 
>> diff --git a/meta/classes/sstate.bbclass
>> b/meta/classes/sstate.bbclass
>> index 3342c5ef50..b060e15053 100644
>> --- a/meta/classes/sstate.bbclass
>> +++ b/meta/classes/sstate.bbclass
>> @@ -659,8 +659,12 @@ def sstate_package(ss, d):
>>     if d.getVar('SSTATE_SKIP_CREATION') == '1':
>>         return
>> 
>> +    sstate_create_package = ['sstate_report_unihash',
>> 'sstate_create_package']
>> +    if d.getVar('SSTATE_SIG_KEY'):
>> +        sstate_create_package.append('sstate_sign_package')
>> +
>>     for f in (d.getVar('SSTATECREATEFUNCS') or '').split() + \
>> -             ['sstate_report_unihash', 'sstate_create_package',
>> 'sstate_sign_package'] + \
>> +             sstate_create_package + \
>>              (d.getVar('SSTATEPOSTCREATEFUNCS') or '').split():
>>         # All hooks should run in SSTATE_BUILDDIR.
>>         bb.build.exec_func(f, d, (sstatebuild,))
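Review bot: the new local list in sstate_package() is named sstate_create_package, the same as one of the function names it holds, which makes the loop expression harder to read than it needs to be; a neutral name such as create_funcs would avoid the clash. Nothing in the hunk explains that the "if d.getVar('SSTATE_SIG_KEY'):" test is there to make the task signature differ when signing is enabled, as the commit message describes, so a one-line comment above it would help. With this gate, an empty SSTATE_SIG_KEY means unsigned objects are produced without any message, which is worth stating in that comment if it is intended.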
>> @@ -774,7 +778,7 @@ sstate_create_package () {
>> }
>> 
>> python sstate_sign_package () {
>> -    from oe.gpg_sign import get_signer
>> +    from oe.gpg_sign import get_signer, SignFailedError
>> 
>>     if d.getVar('SSTATE_SIG_KEY'):
>>         signer = get_signer(d, 'local')
>> @@ -783,6 +787,8 @@ python sstate_sign_package () {
>>             os.unlink(sstate_pkg + '.sig')
>>         signer.detach_sign(sstate_pkg, d.getVar('SSTATE_SIG_KEY',
>> False), None,
>>                            d.getVar('SSTATE_SIG_PASSPHRASE'),
>> armor=False)
>> +    else:
>> +        raise SignFailedError("Can't sign sstate packages without
>> key, SSTATE_SIG_KEY empty")
>> }
>> 
>> python sstate_report_unihash() {
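Review bot: the "else:" branch added to sstate_sign_package() cannot be reached through sstate_package(), because the earlier hunk only appends 'sstate_sign_package' to the list when d.getVar('SSTATE_SIG_KEY') is set. Dropping the branch also removes the need for the SignFailedError import in the previous hunk. If a check is kept here for callers outside sstate_package(), note that the guard reads the key with d.getVar('SSTATE_SIG_KEY') while the detach_sign() call passes d.getVar('SSTATE_SIG_KEY', False); it is worth confirming that the two reads are meant to differ.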
>> diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
>> index 2fd8c3b1ac..ec5ace0dd0 100644
>> --- a/meta/lib/oe/gpg_sign.py
>> +++ b/meta/lib/oe/gpg_sign.py
>> @@ -123,6 +123,16 @@ class LocalSigner(object):
>>         return ret
>> 
>> 
>> +class SignFailedError(bb.build.FuncFailed):
>> +    def __init__(self, description, name=None, logfile=None):
>> +        self.description = description
>> +        self.name = name
>> +        self.logfile = logfile
>> +
>> +    def __str__(self):
>> +        return 'Signing failed: %s' % self.description
>> +
>> +
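Review bot: SignFailedError.__init__ stores description, name and logfile but never calls the base class constructor, so whatever bb.build.FuncFailed initialises is skipped and the exception's args stay empty. If the class stays, pass the values on through super().__init__() and add a docstring saying when it is raised; name and logfile are accepted here but not used by __str__, and the only caller in this patch passes just the description.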
> 
> Whilst this subclass is quite pythonic, I'm not sure we want to do
> this. At the back of my mind is the feeling that FuncFailed is a bit
> pointless :/.

This is pointless in more ways than one: because above I changed the SSTATECREATEFUNCS to only include sstate_sign_package if SSTATE_SIG_KEY is set, this exception shouldn’t ever be raised.

I’ll send an update series with this class and its usage dropped.

Joshua

> Put differently, what does this buy us that bb.fatal() doesn't?
> 
> We do have a few users of FuncFailed in OECore but not many (about
> 8)...
> 
> Cheers,
> 
> Richard
> 
> 
> 


