[yocto] opkg and gpg signed ipk packages

Paul Barker paul at paulbarker.me.uk
Fri May 8 09:23:11 PDT 2015


On Fri, May 08, 2015 at 02:26:26PM +0000, Sona Sarmadi wrote:
> Thanks Paul for your quick feedback.
> 
> > opkg 0.2.x only has support for checking the package feed signature. To use
> > this, add the line 'option check_signature 1' to your opkg.conf file and place a
> > Packages.sig file next to the Packages file in your package feed. ASCII-
> > armoured signatures are not supported.
> 
> Ok, even if we can't sign the individual .ipk files, by signing the Packages file we can achieve some
> level of authentication, e.g. if someone tampers with the .ipk files they can't change the matching
> checksum in the Packages.sig. The checksumming algorithm used for packages is MD5 now, which is
> not really secure. Is it possible to use another algorithm? I guess if we use a better checksum for
> packages, there is no need for signing each individual .ipk patches; signing the package feed (Packages)
> would be enough. Right?
> 

SHA256 is also supported. In OpenEmbedded, use the PACKAGECONFIG 'sha256' then
ensure that your Packages file contains a 'SHA256sum: ...' line for each
package.

Again, these instructions are fairly rough as I haven't used them for a while.

Thanks,

-- 
Paul Barker

Email: paul at paulbarker.me.uk
http://www.paulbarker.me.uk
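The trust chain discussed in this thread, as an added example (not code from the thread, opkg or OpenEmbedded): the feed's Packages index is authenticated once via its detached, non-armoured Packages.sig, and each downloaded .ipk is then checked against the SHA256sum line in that signed index, falling back to MD5Sum only when no SHA256sum is present. It assumes `gpg` is on PATH for the signature step; the index and package bytes below are constructed sample data.

```python
import hashlib
import subprocess

def verify_feed_signature(packages_path, sig_path):
    """Step 1: verify the detached Packages.sig over the Packages file with gpg,
    the check opkg performs when 'option check_signature 1' is set (assumes gpg on PATH)."""
    result = subprocess.run(["gpg", "--verify", sig_path, packages_path],
                            capture_output=True)
    return result.returncode == 0

def parse_packages_index(text):
    """Parse a Packages index (blank-line separated control stanzas) into
    {Filename: {field: value}}; indented continuation lines are skipped."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line.startswith(" ") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries

def verify_package(entries, filename, ipk_bytes):
    """Step 2: check a downloaded .ipk against the signed index.
    Prefers SHA256sum; MD5Sum is accepted only as a legacy fallback.
    Returns (ok, algorithm_used)."""
    fields = entries.get(filename)
    if fields is None:
        return False, None
    if "Size" in fields and int(fields["Size"]) != len(ipk_bytes):
        return False, "size"
    if "SHA256sum" in fields:
        return hashlib.sha256(ipk_bytes).hexdigest() == fields["SHA256sum"], "sha256"
    if "MD5Sum" in fields:
        return hashlib.md5(ipk_bytes).hexdigest() == fields["MD5Sum"], "md5"
    return False, None

# Constructed sample data: a stand-in .ipk and an index with one SHA256 entry
# and one MD5-only entry (digests computed here so the sample is self-consistent).
SAMPLE_IPK = b"constructed stand-in for a downloaded .ipk archive"
SAMPLE_INDEX = (
    "Package: hello\nVersion: 1.0\nFilename: hello_1.0_all.ipk\n"
    "Size: %d\nSHA256sum: %s\n\n"
    "Package: legacy\nVersion: 0.1\nFilename: legacy_0.1_all.ipk\n"
    "MD5Sum: %s\n"
) % (len(SAMPLE_IPK), hashlib.sha256(SAMPLE_IPK).hexdigest(),
     hashlib.md5(SAMPLE_IPK).hexdigest())
```

Only run `verify_package` for an index whose `verify_feed_signature` returned True; a checksum match against an unsigned index proves nothing.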