Home  >  Edison  >  Hacking

Creating a DEB repository

Setting up for signed DEB repositories

Currently Yocto does not support signed DEB repositories. However, since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default. It appears overriding this behavior in apt is more work then to enable signed DEB repositories.

With the patch “package_manager: deb: Add support for signed feeds” applied during setup, Poky is patched to allow signed DEB repositories.

To enable, to following is added to local.conf during setup:

PACKAGE_CLASSES += " package_deb sign_package_feed"
PACKAGE_FEED_GPG_NAME = "976A9A3F994268DB"
PACKAGE_FEED_GPG_PASSPHRASE_FILE="${top_repo_dir}/utils/key/passphrase"

This enables signing the repo with the supplied GPG key (found under utils/key/). The key itself is installed during setup using:

gpg --import meta-intel-edison_pub.gpg
gpg --allow-secret-key-import --passphrase-file passphrase --batch --import meta-intel-edison_secret.gpg

Generating you own GPG key

If you need to provide your own key:

gpg --generate-key  # note the generated key, f.i. 976A9A3F994268DB and passphrase

and put your passphrase in the file named passphrase.

gpg --output meta-intel-edison_pub.gpg --armor --export 976A9A3F994268DB
gpg --output meta-intel-edison_secret.gpg --armor --export-secret-key 976A9A3F994268DB

If you don’t want to create a signed repo remove sign_package_feed from PACKAGE_CLASSES in your local.conf (found under out/linux64/build/conf)

Extending an expired key

Thanks to @lukedais: You can extend the expiry date by running the following:

gpg --edit-key E78D3359A86650AE
key 1
expire
desired extension

You may need to repeat this exact process for the subkey.

Building the DEB repository

For more information, see the Yocto Mega Manual

First on the server generate the repository files and start a web server:

bitbake package-index
cd /home/ferry/tmp/edison-intel/my/edison-morty/out/linux64/build/tmp/deploy/deb/
python3 -m http.server

Using the DEB repository

First scp meta-intel-edison_pub.gpg edison: the public key to Edison.

On the Edison, install the key, add the server to the apt sources, update the apt database and upgrade all packages that are newer then the installed versions:

gpg --dearmor meta-intel-edison_pub.gpg
mkdir /etc/apt/keyrings
mv meta-intel-edison_pub.gpg.gpg /etc/apt/keyrings/meta-intel-edison.gpg

vi /etc/apt/sources.list.d/meta-intel-edison.sources

X-Repolib-Name: meta-intel-edison
Enabled: yes
Types: deb
URIs: http://delfion:8000/all http://delfion:8000/edison http://delfion:8000/corei7-64
Suites: ./
Signed-By: /etc/apt/keyrings/meta-intel-edison.gpg

(save and close, i.e. shift-ZZ)

apt-get update
apt-get upgrade

with delfion the name of the host.

The Edison image must have gnupg (for keyhandling) and diffutils installed (as cmp from Busybox throws an error).