From 2ad42e587ac24e69bdfb6b9c743b886116a0fe31 Mon Sep 17 00:00:00 2001 From: Scott Rifenbark Date: Thu, 16 Mar 2017 11:27:25 -0700 Subject: dev-manual: Add explanation for signing RPM packages and using signed packages Fixes [YOCTO #11048] No documentation existed for telling the user how to create signed RPM packages or for how to use signed package feeds. I have created a new section on the topic to describe both scenarios. (From yocto-docs rev: cbdde75f06b1fc190b8e4f7f93f302dc238e3e7f) Signed-off-by: Scott Rifenbark Signed-off-by: Richard Purdie --- .../dev-manual/dev-manual-common-tasks.xml | 121 +++++++++++++++++++++ 1 file changed, 121 insertions(+) (limited to 'documentation') diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml index 6cb0bcb5f1..e2746d101e 100644 --- a/documentation/dev-manual/dev-manual-common-tasks.xml +++ b/documentation/dev-manual/dev-manual-common-tasks.xml @@ -8372,6 +8372,127 @@ +
+ Generating and Using Signed Packages + + In order to add security to RPM packages used during a build, + you can take steps to securely sign them. + Once a signature is verified, the OpenEmbedded build system + can use the package in the build. + If security fails for a signed package, the build system + aborts the build. + + + + This section describes how to sign RPM packages during a build + and how to use signed package feeds (repositories) when + doing a build. + + +
+ Signing RPM Packages + + + To enable signing RPM packages, you must set up the + following configurations in either your + local.config or + distro.config file: + + # Inherit sign_rpm.bbclass to enable signing functionality + INHERIT += " sign_rpm" + # Define the GPG key that will be used for signing. + RPM_GPG_NAME = "key_name" + # Provide passphrase for the key + RPM_GPG_PASSPHRASE = "passphrase" + + + Be sure to supply appropriate values for both + key_name and + passphrase + + Aside from the + RPM_GPG_NAME and + RPM_GPG_PASSPHRASE variables in the + previous example, two optional variables related to signing + exist: + + + GPG_BIN: + Specifies a gpg binary/wrapper + that is executed when the package is signed. + + + GPG_PATH: + Specifies the gpg home + directory used when the package is signed. + + + +
+ +
+ Processing Package Feeds + + + In addition to being able to sign RPM packages, you can + also enable the OpenEmbedded build system to be able to + handle previously signed package feeds for both RPM and IPK + packages. + + The OpenEmbedded build system does not currently + support signed DPKG package feeds. + + The steps you need to take to enable signed package feed + use are similar to the steps used to sign RPM packages. + You must define the following in your + local.config or + distro.config file: + + INHERIT += "sign_package_feed" + PACKAGE_FEED_GPG_NAME = "key_name" + PACKAGE_FEED_GPG_PASSPHRASE_FILE = "path_to_file_containing_passphrase" + + For signed package feeds, the passphrase must exist in a + separate file, which is pointed to by the + PACKAGE_FEED_GPG_PASSPHRASE_FILE + variable. + Regarding security, keeping a plain text passphrase out of + the configuration is more secure. + + + + Aside from the + PACKAGE_FEED_GPG_NAME and + PACKAGE_FEED_GPG_PASSPHRASE_FILE + variables, three optional variables related to signed + package feeds exist: + + + GPG_BIN: + Specifies a gpg binary/wrapper + that is executed when the package is signed. + + + GPG_PATH: + Specifies the gpg home + directory used when the package is signed. + + + PACKAGE_FEED_GPG_SIGNATURE_TYPE: + Specifies the type of gpg + signature. + This variable applies only to RPM and IPK package + feeds. + Allowable values for the + PACKAGE_FEED_GPG_SIGNATURE_TYPE + are "ASC", which is the default and specifies ascii + armored, and "BIN", which specifies binary. + + + +
+
+
Testing Packages With ptest
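Review bot: the RPM signing example stores the key passphrase in plain text (`RPM_GPG_PASSPHRASE = "passphrase"`) in the configuration file, while the package-feed section a few lines later explains that keeping the passphrase in a separate file referenced by `PACKAGE_FEED_GPG_PASSPHRASE_FILE` is "more secure" because it keeps a plain text passphrase out of the configuration; the two sections should give consistent guidance, at minimum by adding the same caution to the RPM signing section and noting that local.conf is often shared or committed. The file names given in both sections, "local.config or distro.config", do not match the Yocto build system's actual files; the local configuration is `conf/local.conf`, and the distro file is the distro's own `.conf` file, so these should be corrected to avoid sending readers to files that do not exist. The `INHERIT += " sign_rpm"` example carries a stray leading space inside the quotes, unlike `INHERIT += "sign_package_feed"` below it; the two examples should use the same form. The section title promises to describe "how to use signed package feeds when doing a build", and the introduction states that the build aborts when verification fails, but the new text only covers producing signatures; a sentence on where the corresponding public key must be made available for verification (or a cross-reference to the section that covers it) would close that gap. Finally, the sentence "Be sure to supply appropriate values for both key_name and passphrase" is missing its terminating period, and the GPG_BIN/GPG_PATH descriptions copied into the feed section still say "when the package is signed" where "when the feed is signed" is meant.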