Hello, I am trying to sign our ipk-packages and the package feed using GPG. As far as I can tell the signatures are correctly generated using this in the local.conf:

    INHERIT += "sign_package_feed sign_ipk"
    PACKAGE_FEED_GPG_NAME ?= "73CE8000"
    PACKAGE_FEED_GPG_PASSPHRASE_FILE ?= "/var/lib/jenkins/.gnupg/passwd.txt"
    IPK_GPG_NAME ?= "73CE8000"
    IPK_GPG_PASSPHRASE_FILE ?= "/var/lib/jenkins/.gnupg/passwd.txt"
    GPG_PATH ?= "/var/lib/jenkins/.gnupg"

The public key is installed using opkg-keyrings and this config:

    OPKG_KEYRING_KEYS = "73CE8000"

On the target I am able to verify that the public key is available:

    root@scb-anders05:~# opkg-key list
    /etc/opkg/trusted.gpg
    ---------------------
    pub   rsa2048 2017-08-04 [SC]
          B104E37136084E68203BB2CD5676B9F373CE8000
    uid           [unknown] Company <m...@example.tld>
    sub   rsa2048 2017-08-04 [E]

The opkg.conf contains:

    option check_signature 1
    #option check_pkg_signature 1
    option signature_type gpg-asc

But when I try opkg update I get:

    root@scb-anders05:~# opkg update
    Downloading http://internalhost:8000/puck/pyro-develop/ipk/all/Packages.gz.
    Downloading http://internalhost:8000/puck/pyro-develop/ipk/all/Packages.asc.
    Downloading http://internalhost:8000/puck/pyro-develop/ipk/cortexa8hf-neon/Packages.gz.
    Downloading http://internalhost:8000/puck/pyro-develop/ipk/cortexa8hf-neon/Packages.asc.
    Downloading http://internalhost:8000/puck/pyro-develop/ipk/scb/Packages.gz.
    Downloading http://internalhost:8000/puck/pyro-develop/ipk/scb/Packages.asc.
    Collected errors:
     * opkg_verify_gpg_signature: Signature status returned error: No public key
     * pkg_src_verify: Signature verification failed for all.
     * opkg_verify_gpg_signature: Signature status returned error: No public key
     * pkg_src_verify: Signature verification failed for cortexa8hf-neon.
     * opkg_verify_gpg_signature: Signature status returned error: No public key
     * pkg_src_verify: Signature verification failed for scb.

When manually loading the Packages and Packages.asc and verifying the signature on the target, it seems to work:

    root@scb-anders05:~# opkg-key adv --verify Packages.asc Packages
    Executing: gpg --no-options --no-default-keyring --keyring /etc/opkg/trusted.gpg --secret-keyring /etc/opkg/secring.gpg --trustdb-name /etc/opkg/trustdb.gpg --verify Packages.asc Packages
    gpg: Signature made Fri Aug 4 17:00:52 2017 CEST
    gpg:                using RSA key 5676B9F373CE8000
    gpg: Good signature from "Company <m...@example.tld>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: B104 E371 3608 4E68 203B B2CD 5676 B9F3 73CE 8000

Even after changing the trust-level for the public key to 5 (ultimate), opkg update does not accept the signature.

Does anybody have an idea what's going on and how I can fix this?

Regards
Christian
--
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto