* [ptxdist] allow network access to HSM in order to sign
From: Marc Kleine-Budde @ 2021-06-21 20:13 UTC
To: ptxdist, mol

Hello Michael,

since commit:

| ab4af48ba403 ptxd_make_world_init: try to prevent downloads outside the get stage

signing using a HSM doesn't work anymore, as the signing client
evaluated the https_proxy variable.

regards,
Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
* Re: [ptxdist] allow network access to HSM in order to sign
From: Denis Osterland-Heim @ 2021-06-22 4:36 UTC
To: ptxdist

Hi Marc,

Please have a look at https://git.pengutronix.de/cgit/ptxdist/commit/?id=4b3be8225f389c7db0e2d665e8e600cb2cf52b91 .
This should answer your question.

Regards, Denis

On Monday, 21.06.2021, 22:13 +0200, Marc Kleine-Budde wrote:
> Hello Michael,
>
> since commit:
>
> > ab4af48ba403 ptxd_make_world_init: try to prevent downloads outside the get stage
>
> signing using a HSM doesn't work anymore, as the signing client
> evaluated the https_proxy variable.
>
> regards,
> Marc

Diehl Connectivity Solutions GmbH
Management: Horst Leonberger
Registered office: Nürnberg - Register court: Amtsgericht Nürnberg: HRB 32315

________________________________

The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.

- For general information on data protection and your respective rights please visit:

https://www.diehl.com/group/en/transparency-and-information-obligations/
* Re: [ptxdist] allow network access to HSM in order to sign
From: Marc Kleine-Budde @ 2021-06-22 13:05 UTC
To: ptxdist, Denis Osterland-Heim

On 6/22/21 6:36 AM, Denis Osterland-Heim wrote:
> Please have a look at https://git.pengutronix.de/cgit/ptxdist/commit/?id=4b3be8225f389c7db0e2d665e8e600cb2cf52b91 .
> This should answer your question.

Thanks. However that doesn't work, as the proprietary I'm using refuses to work with
https_proxy="" and I don't want to add more binary patches to the lib.

regards,
Marc
* Re: [ptxdist] allow network access to HSM in order to sign
From: Denis Osterland-Heim @ 2021-06-23 5:08 UTC
To: ptxdist, mkl

Hi,

On Tuesday, 22.06.2021, 15:05 +0200, Marc Kleine-Budde wrote:
> On 6/22/21 6:36 AM, Denis Osterland-Heim wrote:
> > Please have a look at https://git.pengutronix.de/cgit/ptxdist/commit/?id=4b3be8225f389c7db0e2d665e8e600cb2cf52b91 .
> > This should answer your question.
>
> Thanks.

You're welcome.

> However that doesn't work, as the proprietary I'm using refuses to work with
> https_proxy="" and I don't want to add more binary patches to the lib.

:-/

Maybe it would be an option to add a configuration switch to disable this behavior.
So your code-signing-provider may select this.

--- a/scripts/lib/ptxd_make_world_common.sh +++ b/scripts/lib/ptxd_make_world_common.sh
@@ -397,7 +397,7 @@ ptxd_make_world_init() { # # try to prevent downloads outside the get stage # - if [ "${pkg_stage}" != "get" ]; then + if [ "${pkg_stage}" != "get" ] && [ -z "${PTXCONF_DISABLE_DOWNLOAD_CHECK}" ]; then pkg_env="HTTPS_PROXY=- HTTP_PROXY=- https_proxy=- http_proxy=- ${pkg_env}" fi

Not sure if this really works.

Regards, Denis
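Review bot: the new `[ -z "${PTXCONF_DISABLE_DOWNLOAD_CHECK}" ]` condition in the ptxd_make_world_init() hunk switches the proxy poisoning off for every package and every stage at once, which is far broader than the one signing step that needs network access, and the hunk adds no definition of that symbol, so nothing in the patch shows where PTXCONF_DISABLE_DOWNLOAD_CHECK is declared or how it reaches this function's environment. A per-package flag carried in that package's env and tested here, so that only the code-signing provider opts out, would keep the guard in place for the rest of the build; the opt-out test would also read better in its own variable than appended to the already long `if` line.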
* Re: [ptxdist] allow network access to HSM in order to sign
From: Michael Olbrich @ 2021-06-25 9:47 UTC
To: ptxdist; +Cc: mkl

On Wed, Jun 23, 2021 at 05:08:09AM +0000, Denis Osterland-Heim wrote:
> On Tuesday, 22.06.2021, 15:05 +0200, Marc Kleine-Budde wrote:
> > On 6/22/21 6:36 AM, Denis Osterland-Heim wrote:
> > > Please have a look at https://git.pengutronix.de/cgit/ptxdist/commit/?id=4b3be8225f389c7db0e2d665e8e600cb2cf52b91 .
> > > This should answer your question.
> >
> > Thanks.
> You're welcome.
>
> > However that doesn't work, as the proprietary I'm using refuses to work with
> > https_proxy="" and I don't want to add more binary patches to the lib.
> :-/
>
> Maybe it would be an option to add a configuration switch to disable this behavior.
> So your code-signing-provider may select this.
>
> --- a/scripts/lib/ptxd_make_world_common.sh > +++ b/scripts/lib/ptxd_make_world_common.sh
> @@ -397,7 +397,7 @@ ptxd_make_world_init() { > # > # try to prevent downloads outside the get stage > # > - if [ "${pkg_stage}" != "get" ]; then > + if [ "${pkg_stage}" != "get" ] && [ -z "${PTXCONF_DISABLE_DOWNLOAD_CHECK}" ]; then > pkg_env="HTTPS_PROXY=- HTTP_PROXY=- https_proxy=- http_proxy=- ${pkg_env}" > fi
>
> Not sure if this is really works.

I'd like to avoid disabling this globally. Maybe something like this:

In the signing provider rules/pre makefile:

CODE_SIGNING_NETWORK_ACCESS := YES

In the packages that use it:

<PKG>_NETWORK_ACCESS := $(CODE_SIGNING_NETWORK_ACCESS)

Add it to ptx/env and then check for it in ptxd_make_world_init().

Michael

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
* Re: [ptxdist] allow network access to HSM in order to sign
From: Denis Osterland-Heim @ 2021-06-25 11:54 UTC
To: ptxdist

Hi,

diff --git a/rules/pre/010-code-signing.make b/rules/pre/010-code-signing.make index 370595600..557f4913e 100644 --- a/rules/pre/010-code-signing.make +++ b/rules/pre/010-code-signing.make @@ -16,6 +16,6 @@ CODE_SIGNING_ENV = \ # to communicate with a server in an other stage than get # ptx/online-code-signing-provider = $(eval CODE_SIGNING_ENV += \ - HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=) + ptxd_allow_network_access=code-signing) # vim: syntax=make diff --git a/scripts/lib/ptxd_make_world_common.sh b/scripts/lib/ptxd_make_world_common.sh index 7d1db67bf..90d097931 100644 --- a/scripts/lib/ptxd_make_world_common.sh +++ b/scripts/lib/ptxd_make_world_common.sh
@@ -397,7 +397,7 @@ ptxd_make_world_init() { # # try to prevent downloads outside the get stage # - if [ "${pkg_stage}" != "get" ]; then + if [ "${pkg_stage}" != "get" ] && ! grep -Eq '\sptxd_allow_network_access=\S+' <<< "${pkg_env}"; then pkg_env="HTTPS_PROXY=- HTTP_PROXY=- https_proxy=- http_proxy=- ${pkg_env}" fi

Might do it, without touching the code-signer user files.

Regards, Denis

On Friday, 25.06.2021, 11:47 +0200, Michael Olbrich wrote:
> On Wed, Jun 23, 2021 at 05:08:09AM +0000, Denis Osterland-Heim wrote:
> > On Tuesday, 22.06.2021, 15:05 +0200, Marc Kleine-Budde wrote:
> > > On 6/22/21 6:36 AM, Denis Osterland-Heim wrote:
> > > > Please have a look at https://git.pengutronix.de/cgit/ptxdist/commit/?id=4b3be8225f389c7db0e2d665e8e600cb2cf52b91 .
> > > > This should answer your question.
> > >
> > > Thanks.
> >
> > You're welcome.
> >
> > > However that doesn't work, as the proprietary I'm using refuses to work with
> > > https_proxy="" and I don't want to add more binary patches to the lib.
> >
> > :-/
> >
> > Maybe it would be an option to add a configuration switch to disable this behavior.
> > So your code-signing-provider may select this.
> >
> > --- a/scripts/lib/ptxd_make_world_common.sh > > +++ b/scripts/lib/ptxd_make_world_common.sh
> > @@ -397,7 +397,7 @@ ptxd_make_world_init() { > > # > > # try to prevent downloads outside the get stage > > # > > - if [ "${pkg_stage}" != "get" ]; then > > + if [ "${pkg_stage}" != "get" ] && [ -z "${PTXCONF_DISABLE_DOWNLOAD_CHECK}" ]; then > > pkg_env="HTTPS_PROXY=- HTTP_PROXY=- https_proxy=- http_proxy=- ${pkg_env}" > > fi
> >
> > Not sure if this is really works.
>
> I'd like to avoid disabling this globally. Maybe something like this:
>
> In the signing provider rules/pre makefile:
>
> CODE_SIGNING_NETWORK_ACCESS := YES
>
> In the packages that use it:
>
> <PKG>_NETWORK_ACCESS := $(CODE_SIGNING_NETWORK_ACCESS)
>
> Add it to ptx/env and then check for it in ptxd_make_world_init().
>
> Michael
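Review bot: in the rules/pre/010-code-signing.make hunk the marker `ptxd_allow_network_access=code-signing` is appended to CODE_SIGNING_ENV, so besides serving as a flag for ptxd_make_world_init() it becomes an environment variable of the signing process itself, and replacing the old `HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=` assignments means the signer now inherits whatever proxy variables the build host has set; that may be the intended behaviour for a client that rejects an empty proxy, but it is a change worth stating in the commit message. The context comment "to communicate with a server in an other stage than get" still describes the old mechanism and should name the marker and what it does ("an other" should also be "another").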
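Review bot: the pattern `'\sptxd_allow_network_access=\S+'` in the ptxd_make_world_init() hunk requires whitespace in front of the marker, so a pkg_env whose first word is the marker is not matched and that package still gets the poisoned proxies; `(^|[[:space:]])ptxd_allow_network_access=` covers both positions and avoids `\s`/`\S`, which are GNU extensions to ERE. The here-string `<<<` is a bashism; if the script is meant to stay POSIX, pipe from printf instead. The marker is also left in pkg_env after it has been evaluated and is therefore exported into the package's environment; stripping it once it has been checked keeps a build-system internal out of the signing tool's process.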
* Re: [ptxdist] allow network access to HSM in order to sign
From: Michael Olbrich @ 2021-06-25 12:21 UTC
To: ptxdist

On Fri, Jun 25, 2021 at 11:54:30AM +0000, Denis Osterland-Heim wrote:
> Hi,
>
> diff --git a/rules/pre/010-code-signing.make b/rules/pre/010-code-signing.make > index 370595600..557f4913e 100644 > --- a/rules/pre/010-code-signing.make > +++ b/rules/pre/010-code-signing.make > @@ -16,6 +16,6 @@ CODE_SIGNING_ENV = \ > # to communicate with a server in an other stage than get > # > ptx/online-code-signing-provider = $(eval CODE_SIGNING_ENV += \ > - HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=) > + ptxd_allow_network_access=code-signing)

I think, this might work as well:

ptx/online-code-signing-provider = $(eval CODE_SIGNING_ENV += \
	env -u HTTPS_PROXY -u HTTP_PROXY -u https_proxy -u http_proxy

No other changes. But I'm not sure if that breaks some escaping with other stuff in the command-line.

Michael

>
> # vim: syntax=make > diff --git a/scripts/lib/ptxd_make_world_common.sh b/scripts/lib/ptxd_make_world_common.sh > index 7d1db67bf..90d097931 100644 > --- a/scripts/lib/ptxd_make_world_common.sh > +++ b/scripts/lib/ptxd_make_world_common.sh
> @@ -397,7 +397,7 @@ ptxd_make_world_init() { > # > # try to prevent downloads outside the get stage > # > - if [ "${pkg_stage}" != "get" ]; then > + if [ "${pkg_stage}" != "get" ] && ! grep -Eq '\sptxd_allow_network_access=\S+' <<< "${pkg_env}"; then > pkg_env="HTTPS_PROXY=- HTTP_PROXY=- https_proxy=- http_proxy=- ${pkg_env}" > fi
>
>
> Might do it, without touching the code-signer user files.
>
> Regards, Denis
>
> On Friday, 25.06.2021, 11:47 +0200, Michael Olbrich wrote:
> > On Wed, Jun 23, 2021 at 05:08:09AM +0000, Denis Osterland-Heim wrote:
> > > On Tuesday, 22.06.2021, 15:05 +0200, Marc Kleine-Budde wrote:
> > > > On 6/22/21 6:36 AM, Denis Osterland-Heim wrote:
> > > > > Please have a look at https://git.pengutronix.de/cgit/ptxdist/commit/?id=4b3be8225f389c7db0e2d665e8e600cb2cf52b91 .
> > > > > This should answer your question.
> > > >
> > > > Thanks.
> > >
> > > You're welcome.
> > >
> > > > However that doesn't work, as the proprietary I'm using refuses to work with
> > > > https_proxy="" and I don't want to add more binary patches to the lib.
> > >
> > > :-/
> > >
> > > Maybe it would be an option to add a configuration switch to disable this behavior.
> > > So your code-signing-provider may select this.
> > >
> > > --- a/scripts/lib/ptxd_make_world_common.sh > > > +++ b/scripts/lib/ptxd_make_world_common.sh
> > > @@ -397,7 +397,7 @@ ptxd_make_world_init() { > > > # > > > # try to prevent downloads outside the get stage > > > # > > > - if [ "${pkg_stage}" != "get" ]; then > > > + if [ "${pkg_stage}" != "get" ] && [ -z "${PTXCONF_DISABLE_DOWNLOAD_CHECK}" ]; then > > > pkg_env="HTTPS_PROXY=- HTTP_PROXY=- https_proxy=- http_proxy=- ${pkg_env}" > > > fi
> > >
> > > Not sure if this is really works.
> >
> > I'd like to avoid disabling this globally. Maybe something like this:
> >
> > In the signing provider rules/pre makefile:
> >
> > CODE_SIGNING_NETWORK_ACCESS := YES
> >
> > In the packages that use it:
> >
> > <PKG>_NETWORK_ACCESS := $(CODE_SIGNING_NETWORK_ACCESS)
> >
> > Add it to ptx/env and then check for it in ptxd_make_world_init().
> >
> > Michael
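The two mechanisms discussed in this thread, the per-package network-access opt-out Michael proposed for ptxd_make_world_init() and the `env -u` variant for CODE_SIGNING_ENV in his last reply, as one added shell example. This is not ptxdist's code: the function names build_pkg_env and probe_https_proxy, the positional calling convention, and the hypothetical <PKG>_NETWORK_ACCESS value passed as the second argument are assumptions made for the example. It also shows the distinction Marc's signing client trips over, a proxy variable that is set to the empty string versus one that is unset, as seen by a child process.

```shell
#!/bin/sh
# Added example, not ptxdist code. Sketches the stage check from
# ptxd_make_world_init() with a per-package opt-out as proposed in the
# thread, and shows what a child process sees under each variant.
#
# Assumed (hypothetical) calling convention:
#   build_pkg_env STAGE NETWORK_ACCESS PKG_ENV
#     STAGE          - the ptxdist stage, e.g. "get", "compile", "install"
#     NETWORK_ACCESS - the package's hypothetical <PKG>_NETWORK_ACCESS value,
#                      "YES" to allow network access outside the get stage
#     PKG_ENV        - the package's existing environment string
# Prints the resulting pkg_env string.
build_pkg_env() {
    stage=$1
    network_access=$2
    pkg_env=$3

    # Outside the get stage, point every proxy variable at the bogus
    # proxy "-" so that proxy-aware clients fail instead of reaching the
    # network, unless this package was explicitly granted access (the
    # online code-signing provider talking to its HSM).
    if [ "$stage" != "get" ] && [ "$network_access" != "YES" ]; then
        pkg_env="HTTPS_PROXY=- HTTP_PROXY=- https_proxy=- http_proxy=- $pkg_env"
    fi
    printf '%s\n' "$pkg_env"
}

# Run a child under the given prefix (the way ptxdist prepends pkg_env to
# the package command line) and report how the child sees https_proxy:
# "unset", "empty", or its value. The prefix may itself start with
# "env -u ...", which is the variant suggested for CODE_SIGNING_ENV.
probe_https_proxy() {
    prefix=$1
    # shellcheck disable=SC2086  # word-splitting the prefix is intended
    env $prefix sh -c '
        if [ -z "${https_proxy+set}" ]; then
            echo unset
        elif [ -z "$https_proxy" ]; then
            echo empty
        else
            echo "$https_proxy"
        fi'
}

# Demonstration: a normal compile stage, the get stage, a package with
# the opt-out, and the two ways of neutralising an inherited proxy
# setting (assigning the empty string versus unsetting with env -u).
echo "compile, no opt-out: $(build_pkg_env compile '' 'FOO=bar')"
echo "get stage:           $(build_pkg_env get '' 'FOO=bar')"
echo "compile, opt-out:    $(build_pkg_env compile YES 'FOO=bar')"
echo "child sees (poisoned):           $(probe_https_proxy "$(build_pkg_env compile '' '')")"
echo "child sees (https_proxy=):       $(probe_https_proxy 'https_proxy=')"
https_proxy=- ; export https_proxy
echo "child sees (inherited):          $(probe_https_proxy '')"
echo "child sees (env -u https_proxy): $(probe_https_proxy 'env -u https_proxy')"
```

Run it with `sh example.sh`. The last two lines are the point of Michael's `env -u` suggestion: with `https_proxy=-` exported by the build, `env -u` removes the variable entirely for the signer, whereas the earlier `https_proxy=` assignment only empties it, which is the state the proprietary client rejects.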