[yocto] opkg and gpg signed ipk packages

Sona Sarmadi sona.sarmadi at enea.com
Fri May 8 07:26:26 PDT 2015


Thanks Paul for your quick feedback.

> opkg 0.2.x only has support for checking the package feed signature. To use
> this, add the line 'option check_signature 1' to your opkg.conf file and place a
> Packages.sig file next to the Packages file in your package feed. ASCII-
> armoured signatures are not supported.

Ok, even if we can't sign the individual .ipk files, by signing the Packages file we can achieve some
level of authentication, e.g. if someone tampers with the .ipk files they can't change the matching
checksum in the Packages.sig. The checksumming algorithm used for packages is MD5 now, which is
not really secure. Is it possible to use another algorithm? I guess if we use a better checksum for
packages, there is no need for signing each individual .ipk package; signing the package feed (Packages)
would be enough. Right?

> opkg-0.3.0-rc2 extends this. Signatures for each package are supported, add
> the line 'option check_pkg_signature 1' to your opkg.conf file to use this.
> Then for a package named package_v1.ipk you'd need to create a
> package_v1.ipk.sig file in the same directory. ASCII-armoured signatures are
> used with the file extension .asc instead of .sig if the line 'option
> signature_type gpg-asc' is added to your opkg.conf file. The 'Filename' in the
> package feed should always refer to the ipk file, the signature is detached
> rather than included with the file.
> I've not used these options in a while so I might have remembered
> something wrong, but the general idea is right.
> 

//Sona
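Added illustration (not from either poster, and not opkg's own code): the signature check on Packages.sig that Paul describes is done by opkg with gpg; what follows models the step that comes after it, where a feed index that has already been trusted is used to verify the downloaded .ipk files. It parses opkg-style Packages stanzas, checks each package against the SHA256sum field and only falls back to the weaker MD5Sum when explicitly allowed, and rejects a package whose bytes no longer match the index. The package contents and index below are constructed samples; the field names (Package, Version, Filename, Size, MD5Sum, SHA256sum) follow the Packages index format, and everything else (function names, the allow_md5 flag) is an assumption made for this example.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample "packages": the bytes stand in for .ipk archives.
PACKAGES: Dict[str, bytes] = {
    "hello_1.0-r0_armv7.ipk": b"constructed sample contents of hello package",
    "world_2.1-r0_armv7.ipk": b"constructed sample contents of world package",
}


def make_index(packages: Dict[str, bytes], with_sha256: bool = True) -> str:
    """Build a Packages index (one stanza per package, separated by blank lines).

    This is what a signed feed index carries: per-package checksums that the
    Packages.sig signature then covers. with_sha256=False models an older feed
    that only publishes MD5Sum.
    """
    stanzas = []
    for filename, data in sorted(packages.items()):
        name, version, _arch = filename[:-len(".ipk")].split("_", 2)
        fields = [
            f"Package: {name}",
            f"Version: {version}",
            f"Filename: {filename}",
            f"Size: {len(data)}",
            f"MD5Sum: {hashlib.md5(data).hexdigest()}",
        ]
        if with_sha256:
            fields.append(f"SHA256sum: {hashlib.sha256(data).hexdigest()}")
        stanzas.append("\n".join(fields))
    return "\n\n".join(stanzas) + "\n"


def parse_index(text: str) -> List[Dict[str, str]]:
    """Parse 'Key: value' stanzas into dicts; a blank line ends a stanza."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_package(stanza: Dict[str, str], data: bytes, allow_md5: bool = False) -> bool:
    """Check downloaded package bytes against the checksum in a trusted stanza.

    Prefers SHA256sum. MD5Sum is accepted only when the caller opts in, so a
    feed that publishes nothing stronger is rejected by default rather than
    silently relying on MD5. Size must match as well.
    """
    if int(stanza.get("Size", "-1")) != len(data):
        return False
    if "SHA256sum" in stanza:
        return hmac.compare_digest(hashlib.sha256(data).hexdigest(), stanza["SHA256sum"])
    if allow_md5 and "MD5Sum" in stanza:
        return hmac.compare_digest(hashlib.md5(data).hexdigest(), stanza["MD5Sum"])
    return False  # no acceptable checksum field: refuse to install


def verify_feed(index_text: str, files: Dict[str, bytes], allow_md5: bool = False) -> Dict[str, bool]:
    """Verify every file listed in the index; missing files count as failures."""
    results: Dict[str, bool] = {}
    for stanza in parse_index(index_text):
        filename = stanza["Filename"]
        data = files.get(filename)
        results[filename] = data is not None and verify_package(stanza, data, allow_md5)
    return results


if __name__ == "__main__":
    index = make_index(PACKAGES)
    print(verify_feed(index, PACKAGES))
    tampered = dict(PACKAGES)
    tampered["hello_1.0-r0_armv7.ipk"] = b"constructed sample contents of hello packagX"
    print(verify_feed(index, tampered))
```

Run stand-alone it prints every package as verified, then shows the modified hello package being rejected. With a feed built by make_index(PACKAGES, with_sha256=False), verify_feed returns False for everything unless allow_md5=True is passed, which is the policy decision behind the question above: once the index is signed, the strength of the checksum inside it is what ties the signature to the individual .ipk bytes.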