Date: Fri, 25 Jun 2021 11:47:00 +0200
From: Michael Olbrich
To: ptxdist@pengutronix.de
Cc: "mkl@pengutronix.de"
Subject: Re: [ptxdist] allow network access to HSM in order to sign
Message-ID: <20210625094700.GB4015839@pengutronix.de>
References: <20210621201347.ewjj47rlzi2cqolh@pengutronix.de>

On Wed, Jun 23, 2021 at 05:08:09AM +0000, Denis Osterland-Heim wrote:
> On Tuesday, 22.06.2021, 15:05 +0200, Marc Kleine-Budde wrote:
> > On 6/22/21 6:36 AM, Denis Osterland-Heim wrote:
> > > Please have a look at https://git.pengutronix.de/cgit/ptxdist/commit/?id=4b3be8225f389c7db0e2d665e8e600cb2cf52b91 .
> > > This should answer your question.
> >
> > Thanks.
> You're welcome.
>
> >
> > However that doesn't work, as the proprietary I'm using refuses to work with
> > https_proxy="" and I don't want to add more binary patches to the lib.
> :-/
>
> Maybe it would be an option to add a configuration switch to disable this behavior.
> So your code-signing-provider may select this.
>
> --- a/scripts/lib/ptxd_make_world_common.sh > +++ b/scripts/lib/ptxd_make_world_common.sh
> @@ -397,7 +397,7 @@ ptxd_make_world_init() { > # > # try to prevent downloads outside the get stage > # > - if [ "${pkg_stage}" != "get" ]; then > + if [ "${pkg_stage}" != "get" ] && [ -z "${PTXCONF_DISABLE_DOWNLOAD_CHECK}" ]; then > pkg_env="HTTPS_PROXY=- HTTP_PROXY=- https_proxy=- http_proxy=- ${pkg_env}" > fi
>
> Not sure if this really works.

I'd like to avoid disabling this globally. Maybe something like this:

In the signing provider rules/pre makefile:
CODE_SIGNING_NETWORK_ACCESS := YES

In the packages that use it:
_NETWORK_ACCESS := $(CODE_SIGNING_NETWORK_ACCESS)

Add it to ptx/env and then check for it in ptxd_make_world_init().

Michael

-- 
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
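
Review bot: the added [ -z "${PTXCONF_DISABLE_DOWNLOAD_CHECK}" ] test in the if condition of ptxd_make_world_init() switches the proxy guard off for every package and every non-get stage once the option is set, although only the signing step needs to reach the HSM. Keying the condition on a per-package variable would keep HTTPS_PROXY=- HTTP_PROXY=- https_proxy=- http_proxy=- in place for all other packages. Two smaller points: -z treats any non-empty value as "check disabled", so a value such as "n" or "0" would also turn the guard off, and the comment "try to prevent downloads outside the get stage" above the condition should mention the exception; the option itself has no definition or help text in the visible patch.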