[yocto] Failure Inheriting rpm_sign

Chris Trobridge christrobridge at hotmail.com
Wed Jan 11 04:33:05 PST 2017


On Mon, 2017-01-09 at 10:47 -0800, Khem Raj wrote:
> On Fri, Jan 6, 2017 at 3:52 AM, Chris Trobridge
> <christrobridge at hotmail.com> wrote:
> > I am getting "Exception: OSError: [Errno 7] Argument list too long"
> > for sign_rpm in the do_package_write_rpm tasks for the
> > linux-yocto and glibc-locale recipes.
> > 
> > This is building core-image-minimal (and also my own image) with
> > morty (5aa481d) on Fedora 25.
> > 
> > I have enabled the rpm signing with:
> > 
> > INHERIT += " sign_rpm"
> > RPM_GPG_NAME = "{name}"
> > RPM_GPG_PASSPHRASE = "{passphrase}"
> > IMAGE_INSTALL_append = " signing-keys-rpm"
> > 
> > The error message makes some sense in as much as these recipes
> > produce a lot of packages (for example, glibc-locale produces 1791
> > packages) and the command line in the log is pretty big, although
> > reading around I didn't find a consensus on what the max command
> > line should be.
> > 
> > The code to sign rpms is in meta/lib/oe/gpg_sign.py and it builds
> > up one command line with all the packages.
> > 
> > I changed the code (patch appended) to sign each rpm in a separate
> > command and the build completed successfully.  The signing
> > operations take a large amount of time so I think this might be a
> > reasonable change but you may have other concerns.
> 
> This certainly is useful, perhaps the signing bits can be moved to
> individual recipe packaging tasks that way it may be parallelized a bit
>

Thanks Raj,

Something needs to be done as, unless I've messed up somewhere, you
cannot build even core-image-minimal with rpm signing enabled so the
sign_rpm class is effectively broken.

The change I made works, but it's true it is less efficient than signing
rpms individually.  The expense of the signature generation meant it
wasn't inefficient to sign each package in a recipe with a separate
command.

However, looking in package_rpm.bbclass, the end of do_package_rpm()
has:

if d.getVar('RPM_SIGN_PACKAGES', True) == '1':
    bb.build.exec_func("sign_rpm", d)

So, to avoid confusion, all the rpms in one recipe are packaged in one
task, and then that task calls the function to sign all the packages.  I
don't know if there's a way for do_package_rpm() to spawn tasks to sign
each package individually.

I also found I needed 'IMAGE_INSTALL_append = " signing-keys-rpm"' in
local.conf, to deploy the public key but in sign_rpms.bbclass there is:

do_package_index[depends] += "signing-keys:do_deploy"
do_rootfs[depends] += "signing-keys:do_populate_sysroot"

It may be this isn't quite what is required.

Regards,
Chris
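
Added example, not part of the original message and not the patch or the OpenEmbedded code it refers to: a middle ground between one command line for every package (which hit "[Errno 7] Argument list too long") and one command per rpm, splitting the file list into batches that fit a byte budget. The function names, the 8-byte pointer cost, the fallback limit and the sample file names are assumptions; `rpm --addsign` stands in for whatever signing command is actually run.

```python
import os

PTR = 8  # assumed per-argument pointer overhead on a 64-bit system

def cost(arg):
    """Bytes one argv entry consumes: encoded string, NUL terminator, pointer."""
    return len(os.fsencode(arg)) + 1 + PTR

def arg_budget(headroom=4096):
    """Estimate bytes left for argv after the environment and some headroom."""
    try:
        arg_max = os.sysconf("SC_ARG_MAX")
    except (ValueError, OSError, AttributeError):
        arg_max = -1
    if arg_max <= 0:
        arg_max = 131072  # conservative fallback (assumption)
    env = sum(cost(k + "=" + v) for k, v in os.environ.items())
    return max(arg_max - env - headroom, 0)

def batch_commands(base_cmd, files, budget):
    """Split files into argv lists whose total cost stays within budget."""
    base = sum(cost(a) for a in base_cmd)
    batches, current, used = [], [], base
    for f in files:
        c = cost(f)
        if base + c > budget:
            # A single path that can never fit must fail loudly, not be skipped
            # (a skipped file would ship unsigned).
            raise ValueError("argument cannot fit in any batch: %r" % (f,))
        if current and used + c > budget:
            batches.append(list(base_cmd) + current)
            current, used = [], base
        current.append(f)
        used += c
    if current:
        batches.append(list(base_cmd) + current)
    return batches

if __name__ == "__main__":
    # Constructed sample: 1791 package paths, the count quoted for glibc-locale.
    rpms = ["/tmp/deploy/rpm/glibc-locale-pkg%04d.rpm" % i for i in range(1791)]
    cmds = batch_commands(["rpm", "--addsign"], rpms, min(arg_budget(), 32768))
    print("%d files signed in %d invocations" % (len(rpms), len(cmds)))
```

Each returned list is a complete argv, so it can be passed to `subprocess.run` without a shell; a caller should check every batch's exit status so that a failed batch does not leave some packages unsigned.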
