On 08/07/2017 04:51 AM, Andersen, Christian wrote:
> Hello,
>
> I am trying to sign our ipk-packages and the package feed using GPG. As
> far as I can tell the signatures are correctly generated using this in
> the local.conf:
>
> INHERIT += "sign_package_feed sign_ipk"
> PACKAGE_FEED_GPG_NAME ?= "73CE8000"
> PACKAGE_FEED_GPG_PASSPHRASE_FILE ?= "/var/lib/jenkins/.gnupg/passwd.txt"
> IPK_GPG_NAME ?= "73CE8000"
> IPK_GPG_PASSPHRASE_FILE ?= "/var/lib/jenkins/.gnupg/passwd.txt"
> GPG_PATH ?= "/var/lib/jenkins/.gnupg"
>
> The public key is installed using opkg-keyrings and this config:
>
> OPKG_KEYRING_KEYS = "73CE8000"
>
> On the target I am able to verify that the public key is available:
>
> root@scb-anders05:~# opkg-key list
>
> /etc/opkg/trusted.gpg
>
> ---------------------
>
> pub rsa2048 2017-08-04 [SC]
> B104E37136084E68203BB2CD5676B9F373CE8000
> uid [unknown] Company <m...@example.tld>
> sub rsa2048 2017-08-04 [E]

Have you tried to sign using a key with non-default values? I can't see anything clearly off on your config, other than your key being "[unknown] Company <m...@example.tld>"

> The opkg.conf contains:
>
> option check_signature 1
> #option check_pkg_signature 1
> option signature_type gpg-asc
>
> But when I try opkg update I get:
>
> root@scb-anders05:~# opkg update
> Downloading http://internalhost:8000/puck/pyro-develop/ipk/all/Packages.gz.
> Downloading http://internalhost:8000/puck/pyro-develop/ipk/all/Packages.asc.
> Downloading
> http://internalhost:8000/puck/pyro-develop/ipk/cortexa8hf-neon/Packages.gz.
> Downloading
> http://internalhost:8000/puck/pyro-develop/ipk/cortexa8hf-neon/Packages.asc.
> Downloading http://internalhost:8000/puck/pyro-develop/ipk/scb/Packages.gz.
> Downloading http://internalhost:8000/puck/pyro-develop/ipk/scb/Packages.asc.
> Collected errors:
>
> * opkg_verify_gpg_signature: Signature status returned error: No public key
> * pkg_src_verify: Signature verification failed for all.
> * opkg_verify_gpg_signature: Signature status returned error: No public key
> * pkg_src_verify: Signature verification failed for cortexa8hf-neon.
> * opkg_verify_gpg_signature: Signature status returned error: No public key
> * pkg_src_verify: Signature verification failed for scb.
>
> When manually loading the Packages and Packages.asc and verifying the
> signature on the target it seems to work:
>
> root@scb-anders05:~# opkg-key adv --verify Packages.asc Packages
>
> Executing: gpg --no-options --no-default-keyring --keyring
> /etc/opkg/trusted.gpg --secret-keyring /etc/opkg/secring.gpg
> --trustdb-name /etc/opkg/trustdb.gpg --verify Packages.asc Packages
>
> gpg: Signature made Fri Aug 4 17:00:52 2017 CEST
> gpg: using RSA key 5676B9F373CE8000
> gpg: Good signature from "Company <m...@example.tld>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
>
> Primary key fingerprint: B104 E371 3608 4E68 203B B2CD 5676 B9F3 73CE 8000
>
> Even after changing the trust-level for the public key to 5 (ultimate),
> opkg update does not accept the signature.
>
> Does anybody have an idea what’s going on and how I can fix this?

--
Cheers,
Alejandro
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
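
An added example, not part of the original thread and not code from Yocto or opkg: a Python check that the key IDs set in the quoted local.conf and the signing key reported by `gpg --verify` are suffixes of the fingerprint shown by `opkg-key list`, and which opkg.conf signature options are active. The function names are hypothetical; the inputs are copied from the messages above.

```python
import re

# Inputs copied from the messages quoted in this thread.
LOCAL_CONF = '''
PACKAGE_FEED_GPG_NAME ?= "73CE8000"
IPK_GPG_NAME ?= "73CE8000"
OPKG_KEYRING_KEYS = "73CE8000"
'''
OPKG_CONF = '''
option check_signature 1
#option check_pkg_signature 1
option signature_type gpg-asc
'''
KEY_LIST = "pub rsa2048 2017-08-04 [SC]\nB104E37136084E68203BB2CD5676B9F373CE8000\n"
VERIFY_OUT = "gpg: using RSA key 5676B9F373CE8000\n"

def conf_key_ids(text):
    """Return (variable, key ID) pairs for the signing and keyring variables."""
    pairs = []
    for name, value in re.findall(r'^(\w+)\s*\??=\s*"([^"]*)"', text, re.M):
        if name.endswith("_GPG_NAME") or name == "OPKG_KEYRING_KEYS":
            pairs += [(name, kid.upper()) for kid in value.split()]
    return pairs

def active_options(text):
    """Return opkg.conf options, skipping lines commented out with '#'."""
    rows = (line.split() for line in text.splitlines())
    return {r[1]: r[2] for r in rows if len(r) == 3 and r[0] == "option"}

def fingerprints(text):
    """Collect 40-hex-digit fingerprints, also from gpg's spaced form."""
    cands = (l.split(":")[-1].replace(" ", "").upper() for l in text.splitlines())
    return [c for c in cands if re.fullmatch(r"[0-9A-F]{40}", c)]

def signer_key_id(verify_output):
    """Extract the key ID from gpg's 'using <algo> key <id>' line."""
    m = re.search(r"using \w+ key ([0-9A-Fa-f]+)", verify_output)
    return m.group(1).upper() if m else None

def mismatches(pairs, signer, fprs):
    """List IDs that are not a suffix of any fingerprint in the keyring."""
    wanted = pairs + [("signature", signer)]
    return [(n, k) for n, k in wanted if not k or not any(f.endswith(k) for f in fprs)]

if __name__ == "__main__":
    print("active opkg options:", active_options(OPKG_CONF))
    bad = mismatches(conf_key_ids(LOCAL_CONF), signer_key_id(VERIFY_OUT),
                     fingerprints(KEY_LIST))
    print("key ID mismatches:", bad or "none")
```

For the values quoted in this thread, every configured key ID and the signing key ID match the keyring fingerprint, and only `check_signature` and `signature_type` are active in opkg.conf.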