From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] setting up opkg with ptxdist 2015.12.0 (Was: [ANNOUNCE] PTXdist 2015.12.0 released)
Date: Tue, 12 Jan 2016 17:44:12 +0100
Message-ID: <20160112164412.GD18044@pengutronix.de>
In-Reply-To: <fedb7062599c68ecc911c1a9f1b47880@localhost>

On Tue, Dec 22, 2015 at 12:42:50PM +0100, Alexander Dahl wrote:
> On 2015-12-21 19:09, Alexander Dahl wrote:
> > So, I guess I have to use openssl signatures now, because the gpg stuff
> > is marked broken, right? How do those work and do I find some
> > documentation on how to set it up?
> 
> This is what I tried this morning. 
> 
> * create a certificate and a key with tinyca2 (which I also use for
> other purposes)
> * export cert and key (without passphrase)
> * in platformconfig set PTXCONF_IMAGE_IPKG_SIGN_OPENSSL=y,
> PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_SIGNER to the cert and
> PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_KEY to the key
> * in menuconfig PTXCONF_OPKG_OPENSSL=y and
> PTXCONF_OPKG_OPKG_CONF_CHECKSIG=y
> * add a line 'option signature_type openssl' to /etc/opkg/opkg.conf on
> the target (this is maybe worth a patch? ;-) )

Indeed.

> All this yields:
> 
> $ opkg -V update
> opkg_conf_parse_file: Loading conf file /etc/opkg/opkg.conf.
> opkg_conf_parse_file: Supported arch armel priority (10)
> opkg_conf_parse_file: Supported arch all priority (1)
> opkg_conf_parse_file: Supported arch noarch priority (1)
> pkg_hash_load_feeds: 
> pkg_hash_load_status_files: 
> Downloading
> http://ada/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.
> Downloading
> http://ada/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.sig.
> Collected errors:
>  * opkg_verify_openssl_signature: Verification failure.
>  * pkg_src_verify: Signature verification failed for ptxdist.
> 
> So a signature is created, in `ptxdist images` this looks like:
> 
> signing Packages...
> openssl smime -sign \
>         -in
> "/var/www/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages"
> \
>         -text -binary \
>         -outform PEM \
>         -signer "/home/adahl/Work/admin/cert/ada@***-cert.pem" \
>         -inkey "/home/adahl/Work/admin/cert/ada@***-key.pem" \
>         -out
> "/var/www/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.sig"
> WARNING: can't open config file: //ssl/openssl.cnf
> Packages.sig created
> 
> The file /etc/ssl/certs/opkg.crt on the target is identical to the cert
> above and looking at opkg_verify_openssl_signature() in opkg_openssl.c
> looks like opkg gets quite far and fails at the last step on
> PKCS7_verify() …

This stuff was contributed by others and I think I only tested this once, so
I don't really know much about this.
One wild guess: Is your clock set correctly? OpenSSL does not like dates
that are in the future...

> > Or go back to opkg 0.2.x?
> 
> I copied the old rules and patches from 2015.10.0 to my BSP for now to
> get a usable opkg. Nevertheless, help on setting up opkg or fixing it,
> appreciated.
> 
> btw: if I did my research correctly upstream is now
> http://git.yoctoproject.org/cgit/cgit.cgi/opkg/ and version v0.3.1 is
> out, however the commits didn't look like they touch anything signature
> related.

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
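As an added example, not code from this thread or from ptxdist/opkg: the script below replays the `openssl smime -sign` command quoted above on the build host and then runs the same detached-PKCS#7 verification opkg does, once against a matching trust file, once against an unrelated one, and once with a simulated target clock that lies before the certificate's notBefore, which is the clock problem Michael guesses at. Assumed: a throwaway self-signed certificate stands in for the tinyca2 export, the Packages index is a constructed stub, and `openssl` is in PATH.

```shell
#!/bin/sh
# Added example (not ptxdist or opkg code): replay ptxdist's "openssl smime
# -sign" step on the build host, then run the same PKCS7_verify() check opkg
# does, to tell a trust-file mismatch from a clock problem before touching
# the target. Everything is constructed: self-signed signer, dummy Packages.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CERT=$WORK/cert.pem; KEY=$WORK/key.pem    # stand-in for the tinyca2 export
OTHER=$WORK/other.pem                      # unrelated cert, i.e. a wrong opkg.crt
PACKAGES=$WORK/Packages; SIG=$WORK/Packages.sig
# Minimal req config so nothing depends on a system openssl.cnf (the quoted
# build log shows the host openssl failing to open its config file).
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# Self-signed certificate valid from now for 30 days: $1 key, $2 cert, $3 CN.
make_cert() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$3" -keyout "$1" -out "$2" >/dev/null 2>&1
}
# Same flags as 'ptxdist images': a detached PKCS#7 signature, PEM encoded.
sign_packages() {
    openssl smime -sign -in "$PACKAGES" -text -binary -outform PEM \
        -signer "$CERT" -inkey "$KEY" -out "$SIG" 2>/dev/null
}
# What opkg_verify_openssl_signature() does: check the detached signature
# over the Packages bytes and chain the signer to the trust file ($1, the
# target's /etc/ssl/certs/opkg.crt). $2 is "now" in epoch seconds, so the
# target's clock can be simulated from the build host.
verify_packages() {
    openssl smime -verify -inform PEM -in "$SIG" -content "$PACKAGES" \
        -CAfile "$1" -attime "${2:-$(date +%s)}" -out /dev/null 2>/dev/null
}
# Validity window to compare with `date` on the target.
signer_dates() { openssl x509 -in "$CERT" -noout -dates; }

main() {
    make_cert "$KEY" "$CERT" constructed-signer
    make_cert "$WORK/other.key" "$OTHER" constructed-other
    printf 'Package: example\nVersion: 1.0\nArchitecture: armel\n' > "$PACKAGES"
    sign_packages
    signer_dates
    verify_packages "$CERT" && echo "matching opkg.crt: verification OK"
    verify_packages "$OTHER" || echo "unrelated opkg.crt: Verification failure"
    # Target clock two days behind the signer's notBefore fails the same way.
    verify_packages "$CERT" "$(( $(date +%s) - 2 * 86400 ))" \
        || echo "clock behind notBefore: Verification failure"
}
main
```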
