1 files changed, 121 insertions, 0 deletions
diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml
index 6cb0bcb5f1..e2746d101e 100644
--- a/documentation/dev-manual/dev-manual-common-tasks.xml
+++ b/documentation/dev-manual/dev-manual-common-tasks.xml
@@ -8372,6 +8372,127 @@
            </section>
        </section>
+        <section id='generating-and-using-signed-packages'>
+            <title>Generating and Using Signed Packages</title>
+            <para>
+                In order to add security to RPM packages used during a build,
+                you can take steps to securely sign them.
+                Once a signature is verified, the OpenEmbedded build system
+                can use the package in the build.
+                If security fails for a signed package, the build system
+                aborts the build.
+            </para>
+            <para>
+                This section describes how to sign RPM packages during a build
+                and how to use signed package feeds (repositories) when
+                doing a build.
+            </para>
+            <section id='signing-rpm-packages'>
+                <title>Signing RPM Packages</title>
+                <para>
+                    To enable signing RPM packages, you must set up the
+                    following configurations in either your
+                    <filename>local.config</filename> or
+                    <filename>distro.config</filename> file:
+                    <literallayout class='monospaced'>
+     # Inherit sign_rpm.bbclass to enable signing functionality
+     INHERIT += " sign_rpm"
+     # Define the GPG key that will be used for signing.
+     RPM_GPG_NAME = "<replaceable>key_name</replaceable>"
+     # Provide passphrase for the key
+     RPM_GPG_PASSPHRASE = "<replaceable>passphrase</replaceable>"
+                    </literallayout>
+                    <note>
+                        Be sure to supply appropriate values for both
+                        <replaceable>key_name</replaceable> and
+                        <replaceable>passphrase</replaceable>
+                    </note>
+                    Aside from the
+                    <filename>RPM_GPG_NAME</filename> and
+                    <filename>RPM_GPG_PASSPHRASE</filename> variables in the
+                    previous example, two optional variables related to signing
+                    exist:
+                    <itemizedlist>
+                        <listitem><para>
+                            <emphasis><filename>GPG_BIN</filename>:</emphasis>
+                            Specifies a <filename>gpg</filename> binary/wrapper
+                            that is executed when the package is signed.
+                            </para></listitem>
+                        <listitem><para>
+                            <emphasis><filename>GPG_PATH</filename>:</emphasis>
+                            Specifies the <filename>gpg</filename> home
+                            directory used when the package is signed.
+                            </para></listitem>
+                    </itemizedlist>
+                </para>
+            </section>
+            <section id='processing-package-feeds'>
+                <title>Processing Package Feeds</title>
+                <para>
+                    In addition to being able to sign RPM packages, you can
+                    also enable the OpenEmbedded build system to be able to
+                    handle previously signed package feeds for both RPM and IPK
+                    packages.
+                    <note>
+                        The OpenEmbedded build system does not currently
+                        support signed DPKG package feeds.
+                    </note>
+                    The steps you need to take to enable signed package feed
+                    use are similar to the steps used to sign RPM packages.
+                    You must define the following in your
+                    <filename>local.config</filename> or
+                    <filename>distro.config</filename> file:
+                    <literallayout class='monospaced'>
+     INHERIT += "sign_package_feed"
+     PACKAGE_FEED_GPG_NAME = "<replaceable>key_name</replaceable>"
+     PACKAGE_FEED_GPG_PASSPHRASE_FILE = "<replaceable>path_to_file_containing_passphrase</replaceable>"
+                    </literallayout>
+                    For signed package feeds, the passphrase must exist in a
+                    separate file, which is pointed to by the
+                    <filename>PACKAGE_FEED_GPG_PASSPHRASE_FILE</filename>
+                    variable.
+                    Regarding security, keeping a plain text passphrase out of
+                    the configuration is more secure.
+                </para>
+                <para>
+                    Aside from the
+                    <filename>PACKAGE_FEED_GPG_NAME</filename> and
+                    <filename>PACKAGE_FEED_GPG_PASSPHRASE_FILE</filename>
+                    variables, three optional variables related to signed
+                    package feeds exist:
+                    <itemizedlist>
+                        <listitem><para>
+                            <emphasis><filename>GPG_BIN</filename>:</emphasis>
+                            Specifies a <filename>gpg</filename> binary/wrapper
+                            that is executed when the package is signed.
+                            </para></listitem>
+                        <listitem><para>
+                            <emphasis><filename>GPG_PATH</filename>:</emphasis>
+                            Specifies the <filename>gpg</filename> home
+                            directory used when the package is signed.
+                            </para></listitem>
+                        <listitem><para>
+                            <emphasis><filename>PACKAGE_FEED_GPG_SIGNATURE_TYPE</filename>:</emphasis>
+                            Specifies the type of <filename>gpg</filename>
+                            signature.
+                            This variable applies only to RPM and IPK package
+                            feeds.
+                            Allowable values for the
+                            <filename>PACKAGE_FEED_GPG_SIGNATURE_TYPE</filename>
+                            are "ASC", which is the default and specifies ascii
+                            armored, and "BIN", which specifies binary.
+                            </para></listitem>
+                    </itemizedlist>
+                </para>
+            </section>
+        </section>
        <section id='testing-packages-with-ptest'>
            <title>Testing Packages With ptest</title>

diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml index 6cb0bcb5f1..e2746d101e 100644 --- a/documentation/dev-manual/dev-manual-common-tasks.xml +++ b/documentation/dev-manual/dev-manual-common-tasks.xml
@@ -8372,6 +8372,127 @@
8372	</section>	8372	</section>
8373	</section>	8373	</section>
8374		8374
		8375	<section id='generating-and-using-signed-packages'>
		8376	<title>Generating and Using Signed Packages</title>
		8377	<para>
		8378	In order to add security to RPM packages used during a build,
		8379	you can take steps to securely sign them.
		8380	Once a signature is verified, the OpenEmbedded build system
		8381	can use the package in the build.
		8382	If security fails for a signed package, the build system
		8383	aborts the build.
		8384	</para>
		8385
		8386	<para>
		8387	This section describes how to sign RPM packages during a build
		8388	and how to use signed package feeds (repositories) when
		8389	doing a build.
		8390	</para>
		8391
		8392	<section id='signing-rpm-packages'>
		8393	<title>Signing RPM Packages</title>
		8394
		8395	<para>
		8396	To enable signing RPM packages, you must set up the
		8397	following configurations in either your
		8398	<filename>local.config</filename> or
		8399	<filename>distro.config</filename> file:
		8400	<literallayout class='monospaced'>
		8401	# Inherit sign_rpm.bbclass to enable signing functionality
		8402	INHERIT += " sign_rpm"
		8403	# Define the GPG key that will be used for signing.
		8404	RPM_GPG_NAME = "<replaceable>key_name</replaceable>"
		8405	# Provide passphrase for the key
		8406	RPM_GPG_PASSPHRASE = "<replaceable>passphrase</replaceable>"
		8407	</literallayout>
		8408	<note>
		8409	Be sure to supply appropriate values for both
		8410	<replaceable>key_name</replaceable> and
		8411	<replaceable>passphrase</replaceable>
		8412	</note>
		8413	Aside from the
		8414	<filename>RPM_GPG_NAME</filename> and
		8415	<filename>RPM_GPG_PASSPHRASE</filename> variables in the
		8416	previous example, two optional variables related to signing
		8417	exist:
		8418	<itemizedlist>
		8419	<listitem><para>
		8420	<emphasis><filename>GPG_BIN</filename>:</emphasis>
		8421	Specifies a <filename>gpg</filename> binary/wrapper
		8422	that is executed when the package is signed.
		8423	</para></listitem>
		8424	<listitem><para>
		8425	<emphasis><filename>GPG_PATH</filename>:</emphasis>
		8426	Specifies the <filename>gpg</filename> home
		8427	directory used when the package is signed.
		8428	</para></listitem>
		8429	</itemizedlist>
		8430	</para>
		8431	</section>
		8432
		8433	<section id='processing-package-feeds'>
		8434	<title>Processing Package Feeds</title>
		8435
		8436	<para>
		8437	In addition to being able to sign RPM packages, you can
		8438	also enable the OpenEmbedded build system to be able to
		8439	handle previously signed package feeds for both RPM and IPK
		8440	packages.
		8441	<note>
		8442	The OpenEmbedded build system does not currently
		8443	support signed DPKG package feeds.
		8444	</note>
		8445	The steps you need to take to enable signed package feed
		8446	use are similar to the steps used to sign RPM packages.
		8447	You must define the following in your
		8448	<filename>local.config</filename> or
		8449	<filename>distro.config</filename> file:
		8450	<literallayout class='monospaced'>
		8451	INHERIT += "sign_package_feed"
		8452	PACKAGE_FEED_GPG_NAME = "<replaceable>key_name</replaceable>"
		8453	PACKAGE_FEED_GPG_PASSPHRASE_FILE = "<replaceable>path_to_file_containing_passphrase</replaceable>"
		8454	</literallayout>
		8455	For signed package feeds, the passphrase must exist in a
		8456	separate file, which is pointed to by the
		8457	<filename>PACKAGE_FEED_GPG_PASSPHRASE_FILE</filename>
		8458	variable.
		8459	Regarding security, keeping a plain text passphrase out of
		8460	the configuration is more secure.
		8461	</para>
		8462
		8463	<para>
		8464	Aside from the
		8465	<filename>PACKAGE_FEED_GPG_NAME</filename> and
		8466	<filename>PACKAGE_FEED_GPG_PASSPHRASE_FILE</filename>
		8467	variables, three optional variables related to signed
		8468	package feeds exist:
		8469	<itemizedlist>
		8470	<listitem><para>
		8471	<emphasis><filename>GPG_BIN</filename>:</emphasis>
		8472	Specifies a <filename>gpg</filename> binary/wrapper
		8473	that is executed when the package is signed.
		8474	</para></listitem>
		8475	<listitem><para>
		8476	<emphasis><filename>GPG_PATH</filename>:</emphasis>
		8477	Specifies the <filename>gpg</filename> home
		8478	directory used when the package is signed.
		8479	</para></listitem>
		8480	<listitem><para>
		8481	<emphasis><filename>PACKAGE_FEED_GPG_SIGNATURE_TYPE</filename>:</emphasis>
		8482	Specifies the type of <filename>gpg</filename>
		8483	signature.
		8484	This variable applies only to RPM and IPK package
		8485	feeds.
		8486	Allowable values for the
		8487	<filename>PACKAGE_FEED_GPG_SIGNATURE_TYPE</filename>
		8488	are "ASC", which is the default and specifies ascii
		8489	armored, and "BIN", which specifies binary.
		8490	</para></listitem>
		8491	</itemizedlist>
		8492	</para>
		8493	</section>
		8494	</section>
		8495
8375	<section id='testing-packages-with-ptest'>	8496	<section id='testing-packages-with-ptest'>
8376	<title>Testing Packages With ptest</title>	8497	<title>Testing Packages With ptest</title>
8377		8498