author: Scott Rifenbark <srifenbark@gmail.com> 2017-03-16 11:27:25 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-03-24 23:44:02 +0000
commit: 2ad42e587ac24e69bdfb6b9c743b886116a0fe31 (patch)
tree: 17ea4130be5f00c70f9a3662805da04b6e5f774c /documentation
parent: 4c1432bd0b933d86620e0c735a8a697a341c4fdc (diff)
dev-manual: Add explanation for signing RPM packages and using signed packages
Fixes [YOCTO #11048]

No documentation existed for telling the user how to create signed RPM packages or for how to use signed package feeds. I have created a new section on the topic to describe both scenarios.

(From yocto-docs rev: cbdde75f06b1fc190b8e4f7f93f302dc238e3e7f)

Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation'):
-rw-r--r-- documentation/dev-manual/dev-manual-common-tasks.xml | 121
1 file changed, 121 insertions, 0 deletions
diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml
index 6cb0bcb5f1..e2746d101e 100644
--- a/documentation/dev-manual/dev-manual-common-tasks.xml
+++ b/documentation/dev-manual/dev-manual-common-tasks.xml
@@ -8372,6 +8372,127 @@
8372 </section> 8372 </section>
8373 </section> 8373 </section>
8374 8374
8375 <section id='generating-and-using-signed-packages'>
8376 <title>Generating and Using Signed Packages</title>
8377 <para>
8378 In order to add security to RPM packages used during a build,
8379 you can take steps to securely sign them.
8380 Once a signature is verified, the OpenEmbedded build system
8381 can use the package in the build.
8382 If security fails for a signed package, the build system
8383 aborts the build.
8384 </para>
8385
8386 <para>
8387 This section describes how to sign RPM packages during a build
8388 and how to use signed package feeds (repositories) when
8389 doing a build.
8390 </para>
8391
8392 <section id='signing-rpm-packages'>
8393 <title>Signing RPM Packages</title>
8394
8395 <para>
8396 To enable signing RPM packages, you must set up the
8397 following configurations in either your
8398 <filename>local.config</filename> or
8399 <filename>distro.config</filename> file:
8400 <literallayout class='monospaced'>
8401 # Inherit sign_rpm.bbclass to enable signing functionality
8402 INHERIT += " sign_rpm"
8403 # Define the GPG key that will be used for signing.
8404 RPM_GPG_NAME = "<replaceable>key_name</replaceable>"
8405 # Provide passphrase for the key
8406 RPM_GPG_PASSPHRASE = "<replaceable>passphrase</replaceable>"
8407 </literallayout>
8408 <note>
8409 Be sure to supply appropriate values for both
8410 <replaceable>key_name</replaceable> and
8411 <replaceable>passphrase</replaceable>
8412 </note>
8413 Aside from the
8414 <filename>RPM_GPG_NAME</filename> and
8415 <filename>RPM_GPG_PASSPHRASE</filename> variables in the
8416 previous example, two optional variables related to signing
8417 exist:
8418 <itemizedlist>
8419 <listitem><para>
8420 <emphasis><filename>GPG_BIN</filename>:</emphasis>
8421 Specifies a <filename>gpg</filename> binary/wrapper
8422 that is executed when the package is signed.
8423 </para></listitem>
8424 <listitem><para>
8425 <emphasis><filename>GPG_PATH</filename>:</emphasis>
8426 Specifies the <filename>gpg</filename> home
8427 directory used when the package is signed.
8428 </para></listitem>
8429 </itemizedlist>
8430 </para>
8431 </section>
8432
8433 <section id='processing-package-feeds'>
8434 <title>Processing Package Feeds</title>
8435
8436 <para>
8437 In addition to being able to sign RPM packages, you can
8438 also enable the OpenEmbedded build system to be able to
8439 handle previously signed package feeds for both RPM and IPK
8440 packages.
8441 <note>
8442 The OpenEmbedded build system does not currently
8443 support signed DPKG package feeds.
8444 </note>
8445 The steps you need to take to enable signed package feed
8446 use are similar to the steps used to sign RPM packages.
8447 You must define the following in your
8448 <filename>local.config</filename> or
8449 <filename>distro.config</filename> file:
8450 <literallayout class='monospaced'>
8451 INHERIT += "sign_package_feed"
8452 PACKAGE_FEED_GPG_NAME = "<replaceable>key_name</replaceable>"
8453 PACKAGE_FEED_GPG_PASSPHRASE_FILE = "<replaceable>path_to_file_containing_passphrase</replaceable>"
8454 </literallayout>
8455 For signed package feeds, the passphrase must exist in a
8456 separate file, which is pointed to by the
8457 <filename>PACKAGE_FEED_GPG_PASSPHRASE_FILE</filename>
8458 variable.
8459 Regarding security, keeping a plain text passphrase out of
8460 the configuration is more secure.
8461 </para>
8462
8463 <para>
8464 Aside from the
8465 <filename>PACKAGE_FEED_GPG_NAME</filename> and
8466 <filename>PACKAGE_FEED_GPG_PASSPHRASE_FILE</filename>
8467 variables, three optional variables related to signed
8468 package feeds exist:
8469 <itemizedlist>
8470 <listitem><para>
8471 <emphasis><filename>GPG_BIN</filename>:</emphasis>
8472 Specifies a <filename>gpg</filename> binary/wrapper
8473 that is executed when the package is signed.
8474 </para></listitem>
8475 <listitem><para>
8476 <emphasis><filename>GPG_PATH</filename>:</emphasis>
8477 Specifies the <filename>gpg</filename> home
8478 directory used when the package is signed.
8479 </para></listitem>
8480 <listitem><para>
8481 <emphasis><filename>PACKAGE_FEED_GPG_SIGNATURE_TYPE</filename>:</emphasis>
8482 Specifies the type of <filename>gpg</filename>
8483 signature.
8484 This variable applies only to RPM and IPK package
8485 feeds.
8486 Allowable values for the
8487 <filename>PACKAGE_FEED_GPG_SIGNATURE_TYPE</filename>
8488 are "ASC", which is the default and specifies ascii
8489 armored, and "BIN", which specifies binary.
8490 </para></listitem>
8491 </itemizedlist>
8492 </para>
8493 </section>
8494 </section>
8495
8375 <section id='testing-packages-with-ptest'> 8496 <section id='testing-packages-with-ptest'>
8376 <title>Testing Packages With ptest</title> 8497 <title>Testing Packages With ptest</title>
8377 8498
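Review bot: the configuration file names in the new section are wrong: the OpenEmbedded build system reads <filename>local.conf</filename> and the distribution's <filename>.conf</filename> file, not <filename>local.config</filename> or <filename>distro.config</filename>; the phrase "in either your <filename>local.config</filename> or <filename>distro.config</filename> file" appears in both the "Signing RPM Packages" and "Processing Package Feeds" subsections and should be fixed in both. Two further points: the opening paragraph's "If security fails for a signed package" should name what actually fails, i.e. signature verification; and the RPM snippet places the plain-text passphrase inline as <filename>RPM_GPG_PASSPHRASE</filename> while the feed subsection itself states that keeping a plain-text passphrase out of the configuration is more secure, so a sentence on protecting that configuration file (or on a file-based passphrase where the signing class supports one) would make the advice consistent. Minor: the GPG_BIN/GPG_PATH list is duplicated verbatim in the feed subsection, where "when the package is signed" should read "when the feed is signed".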