OpenSSL or GPG support


masrur....@gmail.com

Jun 18, 2015, 9:55:41 AM
to opkg-...@googlegroups.com
Hi,

Wanted to know how I can sign an IPK package either using an OpenSSL or GPG private key and get opkg to verify the package prior to upgrade using the public key. Are there any instructions available for this?

Thanks,
Masrur

Alejandro del Castillo

Jun 19, 2015, 5:33:59 PM
to opkg-...@googlegroups.com


On 06/18/2015 08:55 AM, masrur....@gmail.com wrote:
> Hi,
>
> Wanted to know how I can sign an IPK package either using an OpenSSL or GPG private key and get opkg to verify the package prior to upgrade using the public key. Are there any instructions available for this?
>

Hi Masrur,

Per-package signing is new to opkg 0.3 (just released). Previous versions
(0.2.x) only had support for checking the package feed itself. The following
thread provides more information on how to configure opkg with authentication:

https://lists.yoctoproject.org/pipermail/yocto/2015-May/024804.html

Opkg has support for both gpg and openssl. This link has great information on
how to create keys/certificates and how to sign:

https://github.com/balaji-reddy/OpkgCheckSignature/blob/master/opkg_signature_check.txt

--
cheers,

Alejandro

jfin...@gmail.com

Aug 18, 2015, 5:27:26 PM
to opkg-devel, alejandro....@ni.com

Alejandro,

I am looking into signing individual packages as well. I followed the instructions for signing via OpenSSL in your previous post and it seems to have worked correctly. However, when installing the package I don't see any acknowledgement that it is checking the signature.

I can manually change the signature file before I create the ipk file and it will install correctly.

I am using opkg 0.3.0 that has been configured using './configure --enable-openssl' and I've created a conf file with 'option check_signature' and 'option signature_ca_file path/to/my/public.pem'.

Is there something else that needs to be done to check the signature upon installation?

Sincerely,

Jamie

Alejandro del Castillo

Aug 20, 2015, 7:09:12 PM
to opkg-...@googlegroups.com
If you are going to do per-package signing, instead of using the option
check_signature, you need to use check_pkg_signature. Also, you will need to set
the option "signature_type openssl" in your conf file as well (I think the
document linked above is missing this step).

I am hoping to create documentation on signing before the 0.4 release.

Hope this helps
--
Cheers,

Alejandro
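
As an added example (not part of the thread and not opkg's own code), the script below audits an opkg conf file for the options named in the last reply and flags the configuration from the earlier post, where only check_signature is set. The function names, the constructed sample files and the rule that an option counts as enabled when its line is present are assumptions.

```shell
#!/bin/sh
# Added example, not opkg code. Option names are the ones quoted in the thread.
# Assumption: an option counts as enabled when its "option NAME" line is present.

# get_opt FILE NAME: print the value ("set" if none); return 1 when absent.
get_opt() {
    awk -v name="$2" '
        $1 == "option" && $2 == name {   # commented lines never have $1 == "option"
            v = ($3 == "") ? "set" : $3
            gsub(/"/, "", v)             # tolerate quoted values
            found = 1
        }
        END { if (found) print v; exit !found }
    ' "$1"
}

# audit_opkg_conf FILE: return 0 only if per-package OpenSSL checking is configured.
audit_opkg_conf() {
    conf=$1 rc=0
    if ! get_opt "$conf" check_pkg_signature >/dev/null; then
        echo "FAIL: check_pkg_signature is not set"
        get_opt "$conf" check_signature >/dev/null &&
            echo "NOTE: check_signature alone does not enable per-package checks"
        rc=1
    fi
    sigtype=$(get_opt "$conf" signature_type) || sigtype=unset
    if [ "$sigtype" != openssl ]; then
        echo "FAIL: signature_type is $sigtype, expected openssl"
        rc=1
    fi
    get_opt "$conf" signature_ca_file >/dev/null ||
        echo "WARN: signature_ca_file is not set"
    [ "$rc" -eq 0 ] && echo "OK: per-package OpenSSL signature checking configured"
    return "$rc"
}

# Constructed samples: before.conf mirrors the conf described in the thread,
# after.conf applies the two changes from the reply.
write_samples() {
    printf '%s\n' 'option check_signature' \
        'option signature_ca_file path/to/my/public.pem' > "$1/before.conf"
    printf '%s\n' 'option check_pkg_signature' 'option signature_type openssl' \
        'option signature_ca_file path/to/my/public.pem' > "$1/after.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in before after; do
    echo "== $f.conf"; audit_opkg_conf "$tmp/$f.conf" || true
done
rm -rf "$tmp"
```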