author | Scott Rifenbark <srifenbark@gmail.com> | 2017-03-16 11:27:25 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-03-24 23:44:02 +0000 |
commit | 2ad42e587ac24e69bdfb6b9c743b886116a0fe31 (patch) | |
tree | 17ea4130be5f00c70f9a3662805da04b6e5f774c /documentation | |
parent | 4c1432bd0b933d86620e0c735a8a697a341c4fdc (diff) | |
download | poky-2ad42e587ac24e69bdfb6b9c743b886116a0fe31.tar.gz |
dev-manual: Add explanation for signing RPM packages and using signed packages
Fixes [YOCTO #11048]
No documentation existed for telling the user how to create signed
RPM packages or for how to use signed package feeds. I have created
a new section on the topic to describe both scenarios.
(From yocto-docs rev: cbdde75f06b1fc190b8e4f7f93f302dc238e3e7f)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation')
-rw-r--r-- | documentation/dev-manual/dev-manual-common-tasks.xml | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml index 6cb0bcb5f1..e2746d101e 100644 --- a/documentation/dev-manual/dev-manual-common-tasks.xml +++ b/documentation/dev-manual/dev-manual-common-tasks.xml | |||
@@ -8372,6 +8372,127 @@ | |||
8372 | </section> | 8372 | </section> |
8373 | </section> | 8373 | </section> |
8374 | 8374 | ||
8375 | <section id='generating-and-using-signed-packages'> | ||
8376 | <title>Generating and Using Signed Packages</title> | ||
8377 | <para> | ||
8378 | In order to add security to RPM packages used during a build, | ||
8379 | you can take steps to securely sign them. | ||
8380 | Once a signature is verified, the OpenEmbedded build system | ||
8381 | can use the package in the build. | ||
8382 | If security fails for a signed package, the build system | ||
8383 | aborts the build. | ||
8384 | </para> | ||
8385 | |||
8386 | <para> | ||
8387 | This section describes how to sign RPM packages during a build | ||
8388 | and how to use signed package feeds (repositories) when | ||
8389 | doing a build. | ||
8390 | </para> | ||
8391 | |||
8392 | <section id='signing-rpm-packages'> | ||
8393 | <title>Signing RPM Packages</title> | ||
8394 | |||
8395 | <para> | ||
8396 | To enable signing RPM packages, you must set up the | ||
8397 | following configurations in either your | ||
8398 | <filename>local.config</filename> or | ||
8399 | <filename>distro.config</filename> file: | ||
8400 | <literallayout class='monospaced'> | ||
8401 | # Inherit sign_rpm.bbclass to enable signing functionality | ||
8402 | INHERIT += " sign_rpm" | ||
8403 | # Define the GPG key that will be used for signing. | ||
8404 | RPM_GPG_NAME = "<replaceable>key_name</replaceable>" | ||
8405 | # Provide passphrase for the key | ||
8406 | RPM_GPG_PASSPHRASE = "<replaceable>passphrase</replaceable>" | ||
8407 | </literallayout> | ||
8408 | <note> | ||
8409 | Be sure to supply appropriate values for both | ||
8410 | <replaceable>key_name</replaceable> and | ||
8411 | <replaceable>passphrase</replaceable> | ||
8412 | </note> | ||
8413 | Aside from the | ||
8414 | <filename>RPM_GPG_NAME</filename> and | ||
8415 | <filename>RPM_GPG_PASSPHRASE</filename> variables in the | ||
8416 | previous example, two optional variables related to signing | ||
8417 | exist: | ||
8418 | <itemizedlist> | ||
8419 | <listitem><para> | ||
8420 | <emphasis><filename>GPG_BIN</filename>:</emphasis> | ||
8421 | Specifies a <filename>gpg</filename> binary/wrapper | ||
8422 | that is executed when the package is signed. | ||
8423 | </para></listitem> | ||
8424 | <listitem><para> | ||
8425 | <emphasis><filename>GPG_PATH</filename>:</emphasis> | ||
8426 | Specifies the <filename>gpg</filename> home | ||
8427 | directory used when the package is signed. | ||
8428 | </para></listitem> | ||
8429 | </itemizedlist> | ||
8430 | </para> | ||
8431 | </section> | ||
8432 | |||
8433 | <section id='processing-package-feeds'> | ||
8434 | <title>Processing Package Feeds</title> | ||
8435 | |||
8436 | <para> | ||
8437 | In addition to being able to sign RPM packages, you can | ||
8438 | also enable the OpenEmbedded build system to be able to | ||
8439 | handle previously signed package feeds for both RPM and IPK | ||
8440 | packages. | ||
8441 | <note> | ||
8442 | The OpenEmbedded build system does not currently | ||
8443 | support signed DPKG package feeds. | ||
8444 | </note> | ||
8445 | The steps you need to take to enable signed package feed | ||
8446 | use are similar to the steps used to sign RPM packages. | ||
8447 | You must define the following in your | ||
8448 | <filename>local.config</filename> or | ||
8449 | <filename>distro.config</filename> file: | ||
8450 | <literallayout class='monospaced'> | ||
8451 | INHERIT += "sign_package_feed" | ||
8452 | PACKAGE_FEED_GPG_NAME = "<replaceable>key_name</replaceable>" | ||
8453 | PACKAGE_FEED_GPG_PASSPHRASE_FILE = "<replaceable>path_to_file_containing_passphrase</replaceable>" | ||
8454 | </literallayout> | ||
8455 | For signed package feeds, the passphrase must exist in a | ||
8456 | separate file, which is pointed to by the | ||
8457 | <filename>PACKAGE_FEED_GPG_PASSPHRASE_FILE</filename> | ||
8458 | variable. | ||
8459 | Regarding security, keeping a plain text passphrase out of | ||
8460 | the configuration is more secure. | ||
8461 | </para> | ||
8462 | |||
8463 | <para> | ||
8464 | Aside from the | ||
8465 | <filename>PACKAGE_FEED_GPG_NAME</filename> and | ||
8466 | <filename>PACKAGE_FEED_GPG_PASSPHRASE_FILE</filename> | ||
8467 | variables, three optional variables related to signed | ||
8468 | package feeds exist: | ||
8469 | <itemizedlist> | ||
8470 | <listitem><para> | ||
8471 | <emphasis><filename>GPG_BIN</filename>:</emphasis> | ||
8472 | Specifies a <filename>gpg</filename> binary/wrapper | ||
8473 | that is executed when the package is signed. | ||
8474 | </para></listitem> | ||
8475 | <listitem><para> | ||
8476 | <emphasis><filename>GPG_PATH</filename>:</emphasis> | ||
8477 | Specifies the <filename>gpg</filename> home | ||
8478 | directory used when the package is signed. | ||
8479 | </para></listitem> | ||
8480 | <listitem><para> | ||
8481 | <emphasis><filename>PACKAGE_FEED_GPG_SIGNATURE_TYPE</filename>:</emphasis> | ||
8482 | Specifies the type of <filename>gpg</filename> | ||
8483 | signature. | ||
8484 | This variable applies only to RPM and IPK package | ||
8485 | feeds. | ||
8486 | Allowable values for the | ||
8487 | <filename>PACKAGE_FEED_GPG_SIGNATURE_TYPE</filename> | ||
8488 | are "ASC", which is the default and specifies ascii | ||
8489 | armored, and "BIN", which specifies binary. | ||
8490 | </para></listitem> | ||
8491 | </itemizedlist> | ||
8492 | </para> | ||
8493 | </section> | ||
8494 | </section> | ||
8495 | |||
8375 | <section id='testing-packages-with-ptest'> | 8496 | <section id='testing-packages-with-ptest'> |
8376 | <title>Testing Packages With ptest</title> | 8497 | <title>Testing Packages With ptest</title> |
8377 | 8498 | ||
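Review bot: In the signing-rpm-packages section the example puts the key passphrase directly in the configuration file (RPM_GPG_PASSPHRASE = "passphrase"), while the processing-package-feeds section says that "keeping a plain text passphrase out of the configuration is more secure". The first section should carry the same caveat, for example a note that a configuration file holding the passphrase needs restricted read permissions and should stay out of version control. Both sections also name the files local.config and distro.config; the build system's file is local.conf, so these should read local.conf and the distro configuration (.conf) file. Smaller points: "If security fails for a signed package" would be clearer as a statement that signature verification failed; the note in the first section is missing its closing period after passphrase; INHERIT += " sign_rpm" has a leading space inside the quotes while INHERIT += "sign_package_feed" does not, and one style should be used throughout; and in the feeds section the GPG_BIN and GPG_PATH entries repeat "when the package is signed" from the RPM list, so please check whether they should refer to the feed instead.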