[yocto] Failure Inheriting rpm_sign
Chris Trobridge
christrobridge at hotmail.com
Wed Jan 11 04:33:05 PST 2017
On Mon, 2017-01-09 at 10:47 -0800, Khem Raj wrote:
> On Fri, Jan 6, 2017 at 3:52 AM, Chris Trobridge
> <christrobridge at hotmail.com> wrote:
> > I am getting "Exception: OSError: [Errno 7] Argument list too long"
> > for sign_rpm in the do_package_write_rpm tasks for the
> > linux-yocto and glibc-locale recipes.
> >
> > This is building core-image-minimal (and also my own image) with
> > morty (5aa481d) on Fedora 25.
> >
> > I have enabled the rpm signing with:
> >
> > INHERIT += " sign_rpm"
> > RPM_GPG_NAME = "{name}"
> > RPM_GPG_PASSPHRASE = "{passphrase}"
> > IMAGE_INSTALL_append = " signing-keys-rpm"
> >
> > The error message makes some sense in as much as these recipes
> > produce a lot of packages (for example, glibc-locale produces 1791
> > packages) and the command line in the log is pretty big, although
> > reading around I didn't find a consensus on what the max command
> > line should be.
> >
> > The code to sign rpms is in meta/lib/oe/gpg_sign.py
> > b/meta/lib/oe/gpg_sign.py and it builds up one command line with
> > all the packages.
> >
> > I changed the code (patch appended) to sign each rpm in a separate
> > command and the build completed successfully. The signing
> > operations take a large amount of time so I think this might be a
> > reasonable change but you may have other concerns.
>
> This certainly is useful, perhaps the signing bits can be moved to
> individual
> recipe packaging tasks that way it may be parallelized a bit
>
Thanks Raj,
Something needs to be done as, unless I've messed up somewhere, you
cannot build even core-image-minimal with rpm signing enabled so the
sign_rpm class is effectively broken.
The change I made works, but it's true is less efficient than signing
rpms individually. The expense of the signature generation meant it
wasn't inefficient to sign each package in a recipe with a separate
command.
However, looking in package_rpm.bbclass, the end of do_package_rpm()
has:
if d.getVar('RPM_SIGN_PACKAGES', True) == '1':
bb.build.exec_func("sign_rpm", d)
So, to avoid confusion, all the rpms in one recipe are packaged in
task, and then that task calls the function sign all the packages. I
don't know if there's a way for do_package_rpm() to spawn tasks to sign
each package individually.
I also found I needed 'IMAGE_INSTALL_append = " signing-keys-rpm"'
local.conf, to deploy the public key but in sign_rpms.bbclass there is:
do_package_index[depends] += "signing-keys:do_deploy"
do_rootfs[depends] += "signing-keys:do_populate_sysroot"
It may be this isn't quite what is required.
Regards,
Chris
More information about the yocto
mailing list