Message ID | 20210810134557.2444863-9-stefanb@linux.vnet.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Series | ima-evm-utils: Add support for signing with pkcs11 URIs |
On Tue, 2021-08-10 at 09:45 -0400, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
>
> Get the packages for pkcs11 testing on the CI/CD system.
>
> This is the status on various distros:
>
> - Alpine: could not find package with pkcs11 engine
> - Alt Linux: works
> - Debian: debian:stable: evmctl is not able to find the pkcs11 module but
>   preceding openssl command line tests with the pkcs11 URI succeeded;
>   cannot recreate the issue locally in the debian:stable container
>   --> disabled on Ubuntu and Debian
> - CentOS7: tests with pkcs11 URI fail on openssl command line level
> - CentOS: works
> - Fedora: works
> - OpenSuSE Leap: package not available in main repo
> - OpenSuSE Tumbleweed: works

In patch 7/8 there's a comment of requiring a certain release. Should
there be a test for a specific version? Then only run the pkcs11 tests
if that version or later is installed.

thanks,

Mimi
On 9/3/21 3:17 PM, Mimi Zohar wrote:
> On Tue, 2021-08-10 at 09:45 -0400, Stefan Berger wrote:
>> From: Stefan Berger <stefanb@linux.ibm.com>
>>
>> Get the packages for pkcs11 testing on the CI/CD system.
>>
>> This is the status on various distros:
>>
>> - Alpine: could not find package with pkcs11 engine
>> - Alt Linux: works
>> - Debian: debian:stable: evmctl is not able to find the pkcs11 module but
>>   preceding openssl command line tests with the pkcs11 URI succeeded;
>>   cannot recreate the issue locally in the debian:stable container
>>   --> disabled on Ubuntu and Debian
>> - CentOS7: tests with pkcs11 URI fail on openssl command line level
>> - CentOS: works
>> - Fedora: works
>> - OpenSuSE Leap: package not available in main repo
>> - OpenSuSE Tumbleweed: works
> In patch 7/8 there's a comment of requiring a certain release. Should
> there be a test for a specific version? Then only run the pkcs11 tests
> if that version or later is installed.

I'll add a test into softhsm_setup checking that the version identifier
is at least 2.2.0.

   Stefan

> thanks,
>
> Mimi
>
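A version gate of the kind discussed in this exchange could look like the following; it is an added example, not code from the patch series or from softhsm_setup. The function names and the exit status 77 (the automake "skip" convention) are assumptions; `softhsm2-util --version` is SoftHSM's own version query.

```shell
#!/bin/sh
# Added example: gate the pkcs11 tests on a minimum SoftHSM version.
MIN_SOFTHSM_VERSION="2.2.0"   # minimum named in the thread

# version_ge A B: succeed when dotted version A >= B. Fields are compared
# numerically one by one (so 2.10.0 > 2.9.0); missing fields count as 0.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # Drop a non-digit suffix such as "-rc1"; an empty field becomes 0.
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0
}

# softhsm_version_status [VERSION]: 0 = new enough, 77 = skip (assumed
# convention). With no argument, the installed softhsm2-util is queried.
softhsm_version_status() {
    ver=${1-}
    if [ -z "$ver" ]; then
        command -v softhsm2-util >/dev/null 2>&1 || return 77
        ver=$(softhsm2-util --version 2>/dev/null | tr -dc '0-9.\n' | head -n 1)
    fi
    [ -n "$ver" ] || return 77
    version_ge "$ver" "$MIN_SOFTHSM_VERSION" || return 77
    return 0
}

# Constructed sample versions, not output captured from any distro.
for v in 2.1.0 2.2.0 2.10.3; do
    if softhsm_version_status "$v"; then
        echo "SoftHSM $v: run pkcs11 tests"
    else
        echo "SoftHSM $v: skip pkcs11 tests"
    fi
done
```

A plain string comparison would rank 2.10.3 below 2.2.0, which is why each field is compared as a number.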
diff --git a/ci/alt.sh b/ci/alt.sh index 884c995..65389be 100755 --- a/ci/alt.sh +++ b/ci/alt.sh @@ -12,12 +12,15 @@ apt-get install -y \ asciidoc \ attr \ docbook-style-xsl \ + gnutls-utils \ libattr-devel \ libkeyutils-devel \ + libp11 \ libssl-devel \ openssl \ openssl-gost-engine \ rpm-build \ + softhsm \ wget \ xsltproc \ xxd \ diff --git a/ci/fedora.sh b/ci/fedora.sh index 2d80915..0993607 100755 --- a/ci/fedora.sh +++ b/ci/fedora.sh @@ -25,6 +25,7 @@ yum -y install \ automake \ diffutils \ docbook-xsl \ + gnutls-utils \ gzip \ keyutils-libs-devel \ libattr-devel \ @@ -33,6 +34,7 @@ yum -y install \ make \ openssl \ openssl-devel \ + openssl-pkcs11 \ pkg-config \ procps \ sudo \ @@ -42,3 +44,9 @@ yum -y install \ yum -y install docbook5-style-xsl || true yum -y install swtpm || true + +# SoftHSM is available via EPEL on CentOS +if [ -f /etc/centos-release ]; then + yum -y install epel-release +fi +yum -y install softhsm || true \ No newline at end of file diff --git a/ci/tumbleweed.sh b/ci/tumbleweed.sh index dfc478b..4e3da0c 100755 --- a/ci/tumbleweed.sh +++ b/ci/tumbleweed.sh @@ -42,6 +42,9 @@ zypper --non-interactive install --force-resolution --no-recommends \ which \ xsltproc +zypper --non-interactive install --force-resolution --no-recommends \ + gnutls openssl-engine-libp11 softhsm || true + if [ -f /usr/lib/ibmtss/tpm_server -a ! -e /usr/local/bin/tpm_server ]; then ln -s /usr/lib/ibmtss/tpm_server /usr/local/bin fi
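Review bot: In the ci/fedora.sh hunk at `@@ -33,6 +34,7`, `openssl-pkcs11` is added to the mandatory `yum -y install` list, while `softhsm` at the end of the same script is installed with `|| true`. The two are only useful together for the pkcs11 tests, and this script also runs on CentOS (see the `/etc/centos-release` check), where the commit message reports CentOS7 failing at the openssl command line level. Consider installing `openssl-pkcs11` in the same optional step as `softhsm`, or state in the commit message why the engine package is a hard requirement and the token package is not.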
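Review bot: The last added line of ci/fedora.sh, `yum -y install softhsm || true`, leaves the file without a trailing newline (`\ No newline at end of file`); please end the file with one. In the same hunk, `yum -y install epel-release` has no `|| true` while the softhsm install does, so the two steps handle failure differently without a stated reason. Because the softhsm failure is discarded, it would help to echo a message when the install fails, so the CI log shows that the pkcs11 tests will not run on that image.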
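Review bot: The ci/tumbleweed.sh hunk installs `gnutls`, whereas ci/alt.sh and ci/fedora.sh in this patch install `gnutls-utils`; please confirm that `gnutls` is the Tumbleweed package that provides the command-line tool the tests call, and say so in a comment above the `zypper` line. The three packages also share a single `zypper ... || true`, so a failure for any one of them is hidden along with the others; a short comment explaining that the pkcs11 tests are optional here, or a message printed on failure, would make the CI result easier to read.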