embedded linux - What's the 'correct' way to stage optional server certificates for a bitbake recipe?

Question

Given a recipe for a server program that's written to use SSL if a cert/key pair are provided on the system image -- what's the 'proper' way to handle installing those certs from a bitbake viewpoint? Especially concerning 'during development' of the server software, where I need to provide self-signed certs while we test things.

I have a solution in place, but I'm not sure it's optimal, and it felt like I was fighting the tooling too much to do this. So it's time to ask.

Here's what I have.

If you setup whitelist environment variables for:

SERVER_RECIPE_NAME_CERT = '/absolute/path/to/cert.pem'
SERVER_RECIPE_NAME_CERT_KEY = '/absolute/path/to/key.pem'

Then, in the server recipe I've mangled in the following where I'd normally just have the SRC_URI I've created a python function that gets expanded into the SRC_URI if the cert variables are set.

def certfile_src(d):
    files = ''
    if d.getVar('SERVER_RECIPE_NAME_CERT') is not None:
        files = files + 'file://' + d.getVar('SERVER_RECIPE_NAME_CERT', True)

    if d.getVar('SERVER_RECIPE_NAME_CERT_KEY') is not None:
        files = files + ' ' + 'file://' + d.getVar('SERVER_RECIPE_NAME_CERT_KEY', True)

    return files

SRC_URI = "
        git://${GO_IMPORT} 
        ${@certfile_src(d)} 
"

I had issues with using a python function syntax instead of the def syntax, but in retrospect that may have been because I had the python function below the SRC_URI assignment. I should probably try doing it that way again, as I preferred that syntax.

So to summarize the questions:

1. Have I reinvented the wheel in a less efficient manner? Is there a 'right way' or 'better way' to do this with existing tooling?
2. I probably should have used ${PN} in the getVar, so that this could be copied / pasted cross-recipe since this is a common pattern for some things I'm working with.
3. I probably should make this a 'class' ... which makes me wonder if there is one already that I missed, but I'm not sure if a class can modify the SRC_URI... do they even need to? Could I have just done all this in a do_install_append() and copied the certs from the absolute path source into ${D}${sysconfdir}/... without making QA checks fail like crazy?

Answer 1

You have to make sure that your environment variables are listed in your host exported environment variable called BB_ENV_EXTRAWHITE (c.f. https://docs.yoctoproject.org/bitbake/bitbake-user-manual/bitbake-user-manual-ref-variables.html#term-BB_ENV_EXTRAWHITE). This is required otherwise a change in your environment variables won't be picked up by the build.

You want to use SRC_URI because it has a mechanism to check the checksum of the files between builds so that if the path to your certs is the same but the certs are different, the recipe is still rebuilt.