Re: [ptxdist] setting up opkg with ptxdist 2015.12.0 (Was: [ANNOUNCE] PTXdist 2015.12.0 released)

[Michael Olbrich <m.olbrich@pengutronix.de>]

On Tue, Dec 22, 2015 at 12:42:50PM +0100, Alexander Dahl wrote:
> Am 2015-12-21 19:09, schrieb Alexander Dahl:
> > So, I guess I have to use openssl signatures now, because the gpg stuff
> > is marked broken, right? How do those work and do I find some
> > documentation on how to set it up?
> 
> This is what I tried this morning. 
> 
> * create a certificate and a key with tinyca2 (which I also use for
> other purposes)
> * export cert and key (without passphrase)
> * in platformconfig set PTXCONF_IMAGE_IPKG_SIGN_OPENSSL=y,
> PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_SIGNER to the cert and
> PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_KEY to the key
> * in menuconfig PTXCONF_OPKG_OPENSSL=y and
> PTXCONF_OPKG_OPKG_CONF_CHECKSIG=y
> * add a line 'option signature_type openssl' to /etc/opkg/opkg.conf on
> the target (this is maybe worth a patch? ;-) )

Indeed.

> All this yields:
> 
> $ opkg -V update
> opkg_conf_parse_file: Loading conf file /etc/opkg/opkg.conf.
> opkg_conf_parse_file: Supported arch armel priority (10)
> opkg_conf_parse_file: Supported arch all priority (1)
> opkg_conf_parse_file: Supported arch noarch priority (1)
> pkg_hash_load_feeds: 
> pkg_hash_load_status_files: 
> Downloading
> http://ada/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.
> Downloading
> http://ada/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.sig.
> Collected errors:
>  * opkg_verify_openssl_signature: Verification failure.
>  * pkg_src_verify: Signature verification failed for ptxdist.
> 
> So a signature is created, in `ptxdist images` this looks like:
> 
> signing Packages...
> openssl smime -sign \
>         -in
> "/var/www/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages"
> \
>         -text -binary \
>         -outform PEM \
>         -signer "/home/adahl/Work/admin/cert/ada@***-cert.pem" \
>         -inkey "/home/adahl/Work/admin/cert/ada@***-key.pem" \
>         -out
> "/var/www/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.sig"
> WARNING: can't open config file: //ssl/openssl.cnf
> Packages.sig created
> 
> The file /etc/ssl/certs/opkg.crt on the target is identical to the cert
> above and looking at opkg_verify_openssl_signature() in opkg_openssl.c
> looks like opkg gets quite far and fails at the last step on
> PKCS7_verify() …

This stuff was contributed by others an I think I only tested this once, so
I don't realy know much about this.
One wild guess: Is your clock set correctly? OpenSSL does not like dates
that are in the future...

> > Or go back to opkg 0.2.x?
> 
> I copied the old rules and patches from 2015.10.0 to my BSP for now to
> get a usable opkg. Nevertheless, help on setting up opkg or fixing it,
> appreciated.
> 
> btw: if I did my research correctly upstream is now
> http://git.yoctoproject.org/cgit/cgit.cgi/opkg/ and version v0.3.1 is
> out, however the commits didn't look like they touch anything signature
> related.

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de