Currently Yocto does not support signed DEB repositories. However, since Gatesgarth apt
(1.8.2) has become more strict and doesn’t allow unsigned repositories by default. It appears overriding this behavior in apt
is more work then to enable signed DEB repositories.
With the patch “package_manager: deb: Add support for signed feeds” applied during setup
, Poky is patched to allow signed DEB repositories.
To enable, to following is added to local.conf during setup
:
PACKAGE_CLASSES += " package_deb sign_package_feed"
PACKAGE_FEED_GPG_NAME = "976A9A3F994268DB"
PACKAGE_FEED_GPG_PASSPHRASE_FILE="${top_repo_dir}/utils/key/passphrase"
This enables signing the repo with the supplied GPG key (found under utils/key/
). The key itself is installed during setup
using:
gpg --import meta-intel-edison_pub.gpg
gpg --allow-secret-key-import --passphrase-file passphrase --batch --import meta-intel-edison_secret.gpg
If you need to provide your own key:
gpg --generate-key # note the generated key, f.i. 976A9A3F994268DB and passphrase
and put your passphrase in the file named passphrase
.
gpg --output meta-intel-edison_pub.gpg --armor --export 976A9A3F994268DB
gpg --output meta-intel-edison_secret.gpg --armor --export-secret-key 976A9A3F994268DB
If you don’t want to create a signed repo remove sign_package_feed
from PACKAGE_CLASSES
in your local.conf
(found under out/linux64/build/conf
)
Thanks to @lukedais: You can extend the expiry date by running the following:
gpg --edit-key E78D3359A86650AE
key 1
expire
desired extension
You may need to repeat this exact process for the subkey.
For more information, see the Yocto Mega Manual
First on the server generate the repository files and start a web server:
bitbake package-index
cd /home/ferry/tmp/edison-intel/my/edison-morty/out/linux64/build/tmp/deploy/deb/
python3 -m http.server
First scp meta-intel-edison_pub.gpg edison:
the public key to Edison.
apt-key
apt-key add meta-intel-edison_pub.gpg` is deprecated and
will no longer work, see the DEPRECATION section in apt-key(8) for details. Please use the new method below.On the Edison, install the key, add the server to the apt
sources, update the apt
database and upgrade all packages that are newer then the installed versions:
gpg --dearmor meta-intel-edison_pub.gpg
mkdir /etc/apt/keyrings
mv meta-intel-edison_pub.gpg.gpg /etc/apt/keyrings/meta-intel-edison.gpg
vi /etc/apt/sources.list.d/meta-intel-edison.sources
X-Repolib-Name: meta-intel-edison
Enabled: yes
Types: deb
URIs: http://delfion:8000/all http://delfion:8000/edison http://delfion:8000/corei7-64
Suites: ./
Signed-By: /etc/apt/keyrings/meta-intel-edison.gpg
(save and close, i.e. shift-ZZ)
apt-get update
apt-get upgrade
with delfion
the name of the host.
The Edison image must have gnupg
(for keyhandling) and diffutils
installed (as cmp
from Busybox throws an error).
© 2018 Ferry Toth