Date: Fri, 25 Jun 2021 14:21:05 +0200
From: Michael Olbrich
To: ptxdist@pengutronix.de
Message-ID: <20210625122105.GC4015839@pengutronix.de>
References: <20210621201347.ewjj47rlzi2cqolh@pengutronix.de> <20210625094700.GB4015839@pengutronix.de>
Subject: Re: [ptxdist] allow network access to HSM in order to sign

On Fri, Jun 25, 2021 at 11:54:30AM +0000, Denis Osterland-Heim wrote:
> Hi,
> 
> diff --git a/rules/pre/010-code-signing.make b/rules/pre/010-code-signing.make
> index 370595600..557f4913e 100644
> --- a/rules/pre/010-code-signing.make
> +++ b/rules/pre/010-code-signing.make
> @@ -16,6 +16,6 @@ CODE_SIGNING_ENV = \
>  # to communicate with a server in an other stage than get
>  #
>  ptx/online-code-signing-provider = $(eval CODE_SIGNING_ENV += \
> -	HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=)
> +	ptxd_allow_network_access=code-signing)

I think this might work as well:

ptx/online-code-signing-provider = $(eval CODE_SIGNING_ENV += \
	env -u HTTPS_PROXY -u HTTP_PROXY -u https_proxy -u http_proxy

No other changes. But I'm not sure if that breaks some escaping with other stuff in the command-line.

Michael

>  
>  # vim: syntax=make
> diff --git a/scripts/lib/ptxd_make_world_common.sh b/scripts/lib/ptxd_make_world_common.sh
> index 7d1db67bf..90d097931 100644
> --- a/scripts/lib/ptxd_make_world_common.sh
> +++ b/scripts/lib/ptxd_make_world_common.sh
> @@ -397,7 +397,7 @@ ptxd_make_world_init() {
>      #
>      # try to prevent downloads outside the get stage
>      #
> -    if [ "${pkg_stage}" != "get" ]; then
> +    if [ "${pkg_stage}" != "get" ] && ! grep -Eq '\sptxd_allow_network_access=\S+' <<< "${pkg_env}"; then
>  	pkg_env="HTTPS_PROXY=- HTTP_PROXY=- https_proxy=- http_proxy=- ${pkg_env}"
>      fi
>  
> 
> Might do it, without touching the code-signer user files.
> 
> Regards, Denis
> 
> On Friday, 25.06.2021, 11:47 +0200, Michael Olbrich wrote:
> > On Wed, Jun 23, 2021 at 05:08:09AM +0000, Denis Osterland-Heim wrote:
> > > On Tuesday, 22.06.2021, 15:05 +0200, Marc Kleine-Budde wrote:
> > > > On 6/22/21 6:36 AM, Denis Osterland-Heim wrote:
> > > > > Please have a look at https://git.pengutronix.de/cgit/ptxdist/commit/?id=4b3be8225f389c7db0e2d665e8e600cb2cf52b91 .
> > > > > This should answer your question.
> > > > 
> > > > Thanks.
> > > 
> > > You're welcome.
> > > 
> > > > 
> > > > However that doesn't work, as the proprietary I'm using refuses to work with
> > > > https_proxy="" and I don't want to add more binary patches to the lib.
> > > 
> > > :-/
> > > 
> > > Maybe it would be an option to add a configuration switch to disable this behavior.
> > > So your code-signing-provider may select this.
> > > 
> > > --- a/scripts/lib/ptxd_make_world_common.sh
> > > +++ b/scripts/lib/ptxd_make_world_common.sh
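Review bot: in the rules/pre/010-code-signing.make hunk, dropping the `-	HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=)` line means the proxy variables are no longer touched at all for the signing provider, so the signing client now inherits whatever `HTTPS_PROXY`/`https_proxy` the user's shell exports instead of being forced to a direct connection; if the HSM must be reached directly, say so in the comment above the rule or keep an explicit proxy setting in `CODE_SIGNING_ENV`. The value in `+	ptxd_allow_network_access=code-signing)` also carries no meaning on the shell side, which only tests for a non-empty value, so the comment should state that the value is informational and that it is the only record of why a stage other than get is allowed out.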
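Review bot: in the scripts/lib/ptxd_make_world_common.sh hunk, the pattern in `+    if [ "${pkg_stage}" != "get" ] && ! grep -Eq '\sptxd_allow_network_access=\S+' <<< "${pkg_env}"; then` requires a whitespace character in front of the variable name, so when the marker is the first or only token in `${pkg_env}` the grep fails and the `HTTPS_PROXY=-` block is still injected; use `'(^|\s)ptxd_allow_network_access=\S+'` (or `[[:space:]]`, since `\s` is a GNU grep extension). Because the check reads the whole package environment, any package rule can now opt a non-get stage out of the download guard by placing this token in the environment that ends up in `${pkg_env}`, and the token is exported into the build process along with the rest of `pkg_env`; that is the intent for the signing provider, but it is worth a comment here so that reviewers know to grep package rules for `ptxd_allow_network_access` when looking for packages that fetch outside the get stage.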
> > > @@ -397,7 +397,7 @@ ptxd_make_world_init() {
> > >      #
> > >      # try to prevent downloads outside the get stage
> > >      #
> > > -    if [ "${pkg_stage}" != "get" ]; then
> > > +    if [ "${pkg_stage}" != "get" ] && [ -z "${PTXCONF_DISABLE_DOWNLOAD_CHECK}" ]; then
> > >  	pkg_env="HTTPS_PROXY=- HTTP_PROXY=- https_proxy=- http_proxy=- ${pkg_env}"
> > >      fi
> > > 
> > > Not sure if this really works.
> > 
> > I'd like to avoid disabling this globally. Maybe something like this:
> > 
> > In the signing provider rules/pre makefile:
> > 
> > CODE_SIGNING_NETWORK_ACCESS := YES
> > 
> > In the packages that use it:
> > 
> > _NETWORK_ACCESS := $(CODE_SIGNING_NETWORK_ACCESS)
> > 
> > Add it to ptx/env and then check for it in ptxd_make_world_init().
> > 
> > Michael
> > 
> Diehl Connectivity Solutions GmbH
> Managing Director: Horst Leonberger
> Registered office: Nürnberg - Commercial register: Amtsgericht
> Nürnberg: HRB 32315
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
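The download guard discussed in this thread, as an added stand-alone model that is not ptxdist code and not from either participant: `ptxd_guard_env` takes a stage name and a package environment string and returns the environment the guard would hand to the build, blocking the proxy variables for every stage other than get unless the opt-out marker is present. The marker name `ptxd_allow_network_access` is taken from the patch; the regex anchors it with `(^|[[:space:]])` rather than the patch's `\s`, so a marker that is the first token of the environment is also recognised, and `ptxd_guard_blocks` is an assumed helper that reports whether the guard would block.

```shell
#!/bin/sh
# Added example, not ptxdist's ptxd_make_world_init(): a model of the
# "try to prevent downloads outside the get stage" guard with a per-package
# opt-out marker. Runs with any POSIX sh and grep.

# Marker name from the patch under discussion (assumed to be the final name).
# Only its presence with a non-empty value matters; the value is not interpreted.
ALLOW_TOKEN='ptxd_allow_network_access'

# usage: ptxd_guard_env <stage> <pkg_env>
# Prints the environment string the guard would pass on.
ptxd_guard_env() {
    pkg_stage="$1"
    pkg_env="$2"

    # Outside the get stage, block unless the marker is present. The group
    # (^|[[:space:]]) also matches a marker at the very start of pkg_env,
    # which the patch's '\s' prefix would miss.
    if [ "${pkg_stage}" != "get" ] && \
       ! printf '%s\n' "${pkg_env}" | \
         grep -Eq "(^|[[:space:]])${ALLOW_TOKEN}=[^[:space:]]+"; then
        # Point every proxy variable at an invalid proxy ("-") so an HTTP(S)
        # client in this stage fails loudly instead of fetching silently.
        pkg_env="HTTPS_PROXY=- HTTP_PROXY=- https_proxy=- http_proxy=- ${pkg_env}"
    fi
    printf '%s\n' "${pkg_env}"
}

# usage: ptxd_guard_blocks <stage> <pkg_env>
# Returns 0 when the guard would block network access for these inputs.
ptxd_guard_blocks() {
    case "$(ptxd_guard_env "$1" "$2")" in
        "HTTPS_PROXY=- "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs: a plain compile stage, the get stage, and a
# signing package that carries the marker (once mid-string, once as first token).
ptxd_guard_env compile "CFLAGS=-O2"
ptxd_guard_env get "CFLAGS=-O2"
ptxd_guard_env install "CFLAGS=-O2 ${ALLOW_TOKEN}=code-signing"
ptxd_guard_env install "${ALLOW_TOKEN}=code-signing"
```

The first call prints the environment with the four `-` proxies prepended; the other three print their input unchanged, the last one only because of the `(^|[[:space:]])` anchor.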