mailarchive of the ptxdist mailing list
* [ptxdist] [ANNOUNCE] PTXdist 2015.12.0 released
@ 2015-12-18 11:20 Michael Olbrich
  2015-12-21 18:09 ` Alexander Dahl
  0 siblings, 1 reply; 9+ messages in thread
From: Michael Olbrich @ 2015-12-18 11:20 UTC (permalink / raw)
  To: ptxdist



Hi,

I'm happy to announce that I've just released ptxdist-2015.12.0.
It's been a while since the last release, so there is a lot of new stuff
this time.
The biggest change is the documentation. We've converted the old latex
documentation into RST (restructured text) and merged it into the PTXdist
git tree.
Other than that we have the usual mix of bugfixes and version bumps.

Thanks to all contributors and - as always - the shortlog below.

Enjoy,
Michael Olbrich


Alexander Aring (1):
      sysstat: version bump 9.0.3 -> 11.0.7

Alexander Dahl (3):
      add helper macro for simpler cmake options setting
      libxml2: update from 2.9.2 to 2.9.3
      lighttpd: update from 1.4.37 to 1.4.38

Bruno Thomsen (1):
      php5: version bump 5.5.27 -> 5.5.30

Christoph Fritz (1):
      strongswan: bump version to 5.3.5

Clemens Gruber (4):
      openssh: harden security options and host keys
      mpg123: bump version to 1.22.4 and add license hash
      ethtool: bump version to 4.2
      lldpd: update to 0.7.19 and add systemd support

Enrico Joerns (11):
      doc: fix lists in welcome.rst
      doc: fix figures in user's manual
      doc: remove escaping in code sections
      doc: fixes for user manual
      doc: Added ptx-theme
      doc: Apply ptx style colors
      doc: several fixes for dev manual
      doc: remove revision.rst as it is not required any more
      doc: remove non-working gup image references and thanks file
      doc: Fix rst substituions and more
      doc: fixed warnings

Juergen Borleis (24):
      Try to handle the version number to identify the PTXdist release
      Add documentation support
      Begin with the index
      The very first content. Its still WIP
      Content adapted and reworked for mainline
      With Sphinx-1.2.3 there is no 'classic' theme available
      environment.rst: adapt its content to the new document flavour
      Sphinx-Build: it makes no sense to build the docs parallel
      manual.rst: fix the fallout
      References: add install_copy reference
      References: add install_archive reference
      Developer's manual: patch and quilt are outdated.
      Developer's manual: add forgotten platform name
      Developer's manual: Just align the layout
      Developer's Manual: just beautifying
      Reference manual: emphasize where to use these variables and macros
      Reference manual: JFFS2 is outdated....
      Reference manual: spelling fixed
      Reference manual: make it more clear what's meant
      Reference manual: provide one more reference
      udev: fix visibility of the 'build options' menu entry
      udev-legacy: provide regular overwrite for project specific rules
      udev-legacy: install existing rules files
      weston: avoid linking failure with against libcairo

Ladislav Michl (2):
      NetworkManager: update to 1.0.8
      ModemManager: update to 1.4.12

Lucas Stach (1):
      libdrm: version bump 2.4.59 -> 2.4.65

Marc Kleine-Budde (17):
      owfs: remove obsolete owfs-2.8p6 patches
      bsdiff: new package
      mtd-utils: use upstream applied patches (3..7)
      host-mtd-utils: always build with xattr support
      host-ima-evm-utils: add missing dependencies
      ima-evm-utils: version bump to 1.0
      bash: is licensed under GPL-3.0
      hostapd: new package
      keyutils: don't create wrong link in $DESTDIR/usr/lib
      ecryptfs-utils: new package
      ecryptfs-utils: fix typo in ECRYPTFS_UTILS_ECRYPTFS_INSERT_WRAPPED_PASSPHRASE_INTO_KEYRING
      ecryptfs-utils: fix typo in PTXCONF_ECRYPTFS_UTILS_ECRYPTFS_REWRAP_PASSPHRASE
      pcsc-lite: add new pacakge
      openct: new package
      opensc: add new package
      pcsc-lite: disable libusb support - use libudev instead if needed
      pcsc-lite: add missing reader.conf config file

Markus Pargmann (1):
      NBD: Update to 3.12.1

Michael Grzeschik (7):
      docs: rst rework via pandoc
      doc: rework macro_reference to ref_manual
      doc: rework ref_manual
      ref_manual: fix escaping
      ref_manual: fix variables
      doc: rework ref_manual
      doc: rework daily_work

Michael Olbrich (74):
      dbus: don't create config dirs
      avahi: change /etc/dbus-1 do /usr/share/dbus-1
      bluez: change /etc/dbus-1 do /usr/share/dbus-1
      connman: change /etc/dbus-1 do /usr/share/dbus-1
      consolekit: change /etc/dbus-1 do /usr/share/dbus-1
      modemmanager: change /etc/dbus-1 do /usr/share/dbus-1
      networkmanager: change /etc/dbus-1 do /usr/share/dbus-1
      systemd: change /etc/dbus-1 do /usr/share/dbus-1
      wpa_supplicant: change /etc/dbus-1 do /usr/share/dbus-1
      os-release: move to /usr/lib
      host-qemu: version bump 2.3.0 -> 2.4.1
      ptxd_make_world_autogen: fail if autogen.sh is broken
      ptxd_make_world_patchin: don't complain about missing 'series' if there are no patches
      systemd: only install vconsole.conf if SYSTEMD_VCONSOLE is enabled
      cbenchsuite: use improved upstream patch
      dbus: version bump 1.10.0 -> 1.10.2
      lz4: version bump r127 -> r131
      sqlite: version bump 3080801 -> 3090200
      busybox: version bump 1.23.2 -> 1.24.1
      i2c-tools: add busybox dependencies
      rt-tests: version bump 0.94 -> 0.96
      nbd: add missing dependency
      host-python-setuptools: make sure the directories don't clash with host-python3-setuptools
      strongswan: fix dependencies
      ptxd_make_world_install_post: copy files with '--remove-destination'
      libcap: move forgotten patch
      radvd: remove old patch
      util-linux-ng: don't forget the patch
      ptx/oldconfig: also use <PKG>_MAKE_OPT
      busybox: cleanup
      busybox: don't add timestamp the the binary
      ipkg-push: also generate Packages.gz
      ncurses: fix building with gcc >= 5.1
      pulseaudio: version bump 6.0 -> 7.1
      libpng: version bump 1.2.50 -> 1.2.54
      host-zlib: cleanup
      libarchive: make bzip2 and lzma support optional
      libarchive: version bump 3.0.4 -> 3.1.2
      host-libarchive: new package
      host-ipkg: allow it to be called as 'ipkg'
      opkg: version bump 0.2.2 -> 0.3.0
      util-linux-ng: version bump 2.27 -> 2.27.1
      systemd: version bump 227 -> 228
      systemd: networkd: don't configure eth0 for nfsroot
      license: handle SPDX composite license expressions
      host-chrpath: add license info
      ptxd_make_world_license_flags: add 'nosource' for ignored packages
      ustr: add patch from Debian to build with gcc-5.x
      boost: version bump 1_55_0 -> 1_59_0
      libgpg-error: version bump 1.12 -> 1.20
      tiobench: fix building with gcc-5.x
      lsh: fix building with gcc-5.x
      libmemcache: fix building with gcc-5.x
      uttt: move to staging
      xawtv: move to staging
      doc: use classic theme
      docs: extract ptxdist version when building the documentation
      environment.rst: replace fixes & cleanups
      docs: use matching platform & toolchain examples
      docs: split parameter documentation into a separate file
      generate basic man-page
      docs: expand and improve the command documentation
      ptxdist: show man page for '--help'
      ptxdist: show short error message for unknown arguments
      doc: cleanup & expand variable reference
      openssl: version bump 1.0.2d -> 1.0.2e
      libgpg-error: fix building for x86
      boost: add patch to fix building on PPC
      mtd-utils: Add upstream patch to fix flashcp progress output
      cbenchsuite: version bump 1.0 -> 1.1
      wrapper: allow package specific LDFLAGS for host packages
      project-name: add option to check license information when building the packages
      ncurses: don't use generated file as license file
      Makefile.in: fix 'make dist'

Philipp Zabel (2):
      xorg: remove XORG_DEFAULT_DATA_DIR configuration option
      gstreamer1: version bump 1.6.0 -> 1.6.1

Rüdiger, Christoph (1):
      mtd-utils: Added ubiblock support

Ulrich Ölmann (1):
      alsa-lib: fix copy & paste bug in help text

Uwe Kleine-König (1):
      new package memtool

Wolfram Sang (2):
      i2c-tools: version bump & secondary url
      CREDITS: update my entry


-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de


* Re: [ptxdist] [ANNOUNCE] PTXdist 2015.12.0 released
  2015-12-18 11:20 [ptxdist] [ANNOUNCE] PTXdist 2015.12.0 released Michael Olbrich
@ 2015-12-21 18:09 ` Alexander Dahl
  2015-12-22 11:42   ` [ptxdist] setting up opkg with ptxdist 2015.12.0 (Was: [ANNOUNCE] PTXdist 2015.12.0 released) Alexander Dahl
  2016-01-12 16:31   ` [ptxdist] [ANNOUNCE] PTXdist 2015.12.0 released Michael Olbrich
  0 siblings, 2 replies; 9+ messages in thread
From: Alexander Dahl @ 2015-12-21 18:09 UTC (permalink / raw)
  To: ptxdist

Hei hei, 

On 2015-12-18 12:20, Michael Olbrich wrote:
>       opkg: version bump 0.2.2 -> 0.3.0

Tested ptxdist 2015.12.0 today and ran into problems with opkg. First
noticed this on executing opkg on the target:

$ opkg update
Downloading
http://ada/ipkg-repository/***/dists/***-v2015.11.0-00173-g29ec7212f51b-dirty/Packages.
Downloading
http://ada/ipkg-repository/***/dists/***-Lite-v2015.11.0-00173-g29ec7212f51b-dirty/Packages.sig.
wget: server returned error: HTTP/1.1 404 Not Found
Collected errors:
 * opkg_download_backend: Failed to download
http://ada/ipkg-repository/***/dists/***-v2015.11.0-00173-g29ec7212f51b-dirty/Packages.sig,
wget returned 1.
 * pkg_src_download_signature: Failed to download signature for ptxdist.

Then I went to ptxdist menuconfig and checked my opkg options which were
just migrated from v2015.10.0:

% grep -i opkg configs/ptxconfig
PTXCONF_HOST_PACKAGE_MANAGEMENT_OPKG=y
PTXCONF_HOST_PACKAGE_MANAGEMENT="opkg"
PTXCONF_HOST_OPKG_UTILS=y
PTXCONF_HOST_OPKG=y
PTXCONF_OPKG=y
# PTXCONF_OPKG_CURL is not set
# PTXCONF_OPKG_SHA256 is not set
# PTXCONF_OPKG_OPENSSL is not set
# PTXCONF_OPKG_SSL_CURL is not set
PTXCONF_OPKG_OPKG_CONF=y
PTXCONF_OPKG_OPKG_CONF_HOST="ada"
PTXCONF_OPKG_OPKG_CONF_URL="src ptxdist
http://${PTXCONF_OPKG_OPKG_CONF_HOST}/ipkg-repository/${PTXCONF_PROJECT}/dists/${PTXCONF_PROJECT}${PTXCONF_PROJECT_VERSION}"

This is what still worked with ptxdist 2015.10.0 and now does not
anymore. I checked the prepare stage:

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
--libdir=/usr/lib --host=arm-v5te-linux-gnueabi
--build=x86_64-host-linux-gnu --enable-largefile --disable-static
--disable-libopkg-api --disable-pathfinder --disable-curl
--disable-sha256 --disable-openssl --disable-ssl-curl --disable-gpg

Then I poked around in the opkg source and it seems like verify is
mandatory and the only allowed options are gpg, gpg-asc, and openssl. My
/etc/opkg/opkg.conf is the one prepared by ptxdist:

option check_signature 0
#option signature_ca_path /etc/ssl/certs
#option signature_ca_file /etc/ssl/certs/opkg.crt

The check_signature 0 option does not work. Neither do these:

option signature_type none
option check_pkg_signature 0

So, I guess I have to use openssl signatures now, because the gpg stuff
is marked broken, right? How do those work and do I find some
documentation on how to set it up?

Or go back to opkg 0.2.x?

Greets
Alex

-- 
»With the first link, the chain is forged. The first speech censured,
the first thought forbidden, the first freedom denied, chains us all
irrevocably.« (Jean-Luc Picard, quoting Judge Aaron Satie)
*** GnuPG-FP: 02C8 A590 7FE5 CA5F 3601  D1D5 8FBA 7744 CC87 10D0 ***


* [ptxdist] setting up opkg with ptxdist 2015.12.0 (Was: [ANNOUNCE] PTXdist 2015.12.0 released)
  2015-12-21 18:09 ` Alexander Dahl
@ 2015-12-22 11:42   ` Alexander Dahl
  2016-01-11 12:10     ` [ptxdist] setting up opkg with ptxdist 2015.12.0 Alexander Dahl
  2016-01-12 16:44     ` [ptxdist] setting up opkg with ptxdist 2015.12.0 (Was: [ANNOUNCE] PTXdist 2015.12.0 released) Michael Olbrich
  2016-01-12 16:31   ` [ptxdist] [ANNOUNCE] PTXdist 2015.12.0 released Michael Olbrich
  1 sibling, 2 replies; 9+ messages in thread
From: Alexander Dahl @ 2015-12-22 11:42 UTC (permalink / raw)
  To: ptxdist

Hei hei, 

On 2015-12-21 19:09, Alexander Dahl wrote:
> So, I guess I have to use openssl signatures now, because the gpg stuff
> is marked broken, right? How do those work and do I find some
> documentation on how to set it up?

This is what I tried this morning. 

* create a certificate and a key with tinyca2 (which I also use for
other purposes)
* export cert and key (without passphrase)
* in platformconfig set PTXCONF_IMAGE_IPKG_SIGN_OPENSSL=y,
PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_SIGNER to the cert and
PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_KEY to the key
* in menuconfig PTXCONF_OPKG_OPENSSL=y and
PTXCONF_OPKG_OPKG_CONF_CHECKSIG=y
* add a line 'option signature_type openssl' to /etc/opkg/opkg.conf on
the target (this is maybe worth a patch? ;-) )

All this yields:

$ opkg -V update
opkg_conf_parse_file: Loading conf file /etc/opkg/opkg.conf.
opkg_conf_parse_file: Supported arch armel priority (10)
opkg_conf_parse_file: Supported arch all priority (1)
opkg_conf_parse_file: Supported arch noarch priority (1)
pkg_hash_load_feeds: 
pkg_hash_load_status_files: 
Downloading
http://ada/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.
Downloading
http://ada/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.sig.
Collected errors:
 * opkg_verify_openssl_signature: Verification failure.
 * pkg_src_verify: Signature verification failed for ptxdist.

So a signature is created, in `ptxdist images` this looks like:

signing Packages...
openssl smime -sign \
        -in
"/var/www/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages"
\
        -text -binary \
        -outform PEM \
        -signer "/home/adahl/Work/admin/cert/ada@***-cert.pem" \
        -inkey "/home/adahl/Work/admin/cert/ada@***-key.pem" \
        -out
"/var/www/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.sig"
WARNING: can't open config file: //ssl/openssl.cnf
Packages.sig created

The file /etc/ssl/certs/opkg.crt on the target is identical to the cert
above and looking at opkg_verify_openssl_signature() in opkg_openssl.c
looks like opkg gets quite far and fails at the last step on
PKCS7_verify() …

> Or go back to opkg 0.2.x?

I copied the old rules and patches from 2015.10.0 to my BSP for now to
get a usable opkg. Nevertheless, help on setting up opkg or fixing it,
appreciated.

btw: if I did my research correctly upstream is now
http://git.yoctoproject.org/cgit/cgit.cgi/opkg/ and version v0.3.1 is
out, however the commits didn't look like they touch anything signature
related.

Greets
Alex

-- 
»With the first link, the chain is forged. The first speech censured,
the first thought forbidden, the first freedom denied, chains us all
irrevocably.« (Jean-Luc Picard, quoting Judge Aaron Satie)
*** GnuPG-FP: 02C8 A590 7FE5 CA5F 3601  D1D5 8FBA 7744 CC87 10D0 ***


* Re: [ptxdist] setting up opkg with ptxdist 2015.12.0
  2015-12-22 11:42   ` [ptxdist] setting up opkg with ptxdist 2015.12.0 (Was: [ANNOUNCE] PTXdist 2015.12.0 released) Alexander Dahl
@ 2016-01-11 12:10     ` Alexander Dahl
  2016-01-12 13:47       ` Tim Sander
  2016-01-12 16:21       ` Michael Olbrich
  2016-01-12 16:44     ` [ptxdist] setting up opkg with ptxdist 2015.12.0 (Was: [ANNOUNCE] PTXdist 2015.12.0 released) Michael Olbrich
  1 sibling, 2 replies; 9+ messages in thread
From: Alexander Dahl @ 2016-01-11 12:10 UTC (permalink / raw)
  To: ptxdist

Hei hei, 

On 2015-12-22 12:42, Alexander Dahl wrote:
>> Or go back to opkg 0.2.x?
> 
> I copied the old rules and patches from 2015.10.0 to my BSP for now to
> get a usable opkg. Nevertheless, help on setting up opkg or fixing it,
> appreciated.

Well, after copying the old opkg.in, opkg.make, host-opkg.in, and
host-opkg.make to my BSP this seemed to work at first, but after a
`ptxdist clean` I get the following error when invoking `ptxdist
images`:


creating index.....: 
ipkg-repository updated
Creating ipkg index
'/home/adahl/Work/bsp/***/platform-***/packages/Packages'...
done.
/home/adahl/Work/bsp/***/platform-***/sysroot-host/bin/fakeroot: line
21: opkg: command not found
/usr/local/lib/ptxdist-2015.12.0/rules/post/ptxd_make_image_prepare_work_dir.make:20:
recipe for target
'/home/adahl/Work/bsp/***/platform-***/state/image_working_dir' failed
make: ***
[/home/adahl/Work/bsp/***/platform-***/state/image_working_dir] Error
127


This means I have to go back to ptxdist v2015.10.0 until someone helps
me with a solution. :-/

Greets
Alex

-- 
»With the first link, the chain is forged. The first speech censured,
the first thought forbidden, the first freedom denied, chains us all
irrevocably.« (Jean-Luc Picard, quoting Judge Aaron Satie)
*** GnuPG-FP: 02C8 A590 7FE5 CA5F 3601  D1D5 8FBA 7744 CC87 10D0 ***


* Re: [ptxdist] setting up opkg with ptxdist 2015.12.0
  2016-01-11 12:10     ` [ptxdist] setting up opkg with ptxdist 2015.12.0 Alexander Dahl
@ 2016-01-12 13:47       ` Tim Sander
  2016-01-12 16:21       ` Michael Olbrich
  1 sibling, 0 replies; 9+ messages in thread
From: Tim Sander @ 2016-01-12 13:47 UTC (permalink / raw)
  To: ptxdist

Hi Alex

It's not a nice patch, but it helps with your problem, I suppose.
I have no idea why check_signature is not disabled by the opkg.conf
settings.

Best regards
Tim

--- opkg-0.3.0/libopkg/pkg_src.c.orig   2016-01-12 14:28:14.144604800 +0100
+++ opkg-0.3.0/libopkg/pkg_src.c        2016-01-12 14:28:25.284378702 +0100
@@ -183,7 +183,7 @@
     if (err)
         return err;
 
-    if (opkg_config->check_signature) {
+    if (0) {
         err = pkg_src_download_signature(src);
         if (err)
             return err;
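
Review bot: hard-coding `if (0)` in place of `opkg_config->check_signature` compiles out the branch that calls `pkg_src_download_signature(src)`, so a build carrying this patch can no longer fetch a feed signature even when opkg.conf asks for one. I would keep the runtime test and instead fix whatever leaves `check_signature` non-zero for a config that is meant to disable it, or at least put the change behind a build-time option so the signed-feed path stays available.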


* Re: [ptxdist] setting up opkg with ptxdist 2015.12.0
  2016-01-11 12:10     ` [ptxdist] setting up opkg with ptxdist 2015.12.0 Alexander Dahl
  2016-01-12 13:47       ` Tim Sander
@ 2016-01-12 16:21       ` Michael Olbrich
  1 sibling, 0 replies; 9+ messages in thread
From: Michael Olbrich @ 2016-01-12 16:21 UTC (permalink / raw)
  To: ptxdist

On Mon, Jan 11, 2016 at 01:10:32PM +0100, Alexander Dahl wrote:
> Hei hei, 
> 
> On 2015-12-22 12:42, Alexander Dahl wrote:
> >> Or go back to opkg 0.2.x?
> > 
> > I copied the old rules and patches from 2015.10.0 to my BSP for now to
> > get a usable opkg. Nevertheless, help on setting up opkg or fixing it,
> > appreciated.
> 
> Well, after copying the old opkg.in, opkg.make, host-opkg.in, and
> host-opkg.make to my BSP this seemed to work at first, but after a
> `ptxdist clean` I get the following error when invoking `ptxdist
> images`:
> 
> 
> creating index.....: 
> ipkg-repository updated
> Creating ipkg index
> '/home/adahl/Work/bsp/***/platform-***/packages/Packages'...
> done.
> /home/adahl/Work/bsp/***/platform-***/sysroot-host/bin/fakeroot: line
> 21: opkg: command not found
> /usr/local/lib/ptxdist-2015.12.0/rules/post/ptxd_make_image_prepare_work_dir.make:20:
> recipe for target
> '/home/adahl/Work/bsp/***/platform-***/state/image_working_dir' failed
> make: ***
> [/home/adahl/Work/bsp/***/platform-***/state/image_working_dir] Error
> 127
> 
> 
> This means I have to go back to ptxdist v2015.10.0 until someone helps
> me with a solution. :-/

In the new opkg, the tool was renamed from 'opkg-cl' to 'opkg', so I
changed ptxdist accordingly. So you need to add a symlink for that in
host-opkg.install for the old opkg. Then you should be able to use the old
opkg with the latest ptxdist.

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] [ANNOUNCE] PTXdist 2015.12.0 released
  2015-12-21 18:09 ` Alexander Dahl
  2015-12-22 11:42   ` [ptxdist] setting up opkg with ptxdist 2015.12.0 (Was: [ANNOUNCE] PTXdist 2015.12.0 released) Alexander Dahl
@ 2016-01-12 16:31   ` Michael Olbrich
  2016-08-02  8:44     ` Alexander Dahl
  1 sibling, 1 reply; 9+ messages in thread
From: Michael Olbrich @ 2016-01-12 16:31 UTC (permalink / raw)
  To: ptxdist

Hi,

On Mon, Dec 21, 2015 at 07:09:08PM +0100, Alexander Dahl wrote:
> On 2015-12-18 12:20, Michael Olbrich wrote:
> >       opkg: version bump 0.2.2 -> 0.3.0
> 
> Tested ptxdist 2015.12.0 today and ran into problems with opkg. First
> noticed this on executing opkg on the target:
> 
> $ opkg update
> Downloading
> http://ada/ipkg-repository/***/dists/***-v2015.11.0-00173-g29ec7212f51b-dirty/Packages.
> Downloading
> http://ada/ipkg-repository/***/dists/***-Lite-v2015.11.0-00173-g29ec7212f51b-dirty/Packages.sig.
> wget: server returned error: HTTP/1.1 404 Not Found
> Collected errors:
>  * opkg_download_backend: Failed to download
> http://ada/ipkg-repository/***/dists/***-v2015.11.0-00173-g29ec7212f51b-dirty/Packages.sig,
> wget returned 1.
>  * pkg_src_download_signature: Failed to download signature for ptxdist.
> 
> Then I went to ptxdist menuconfig and checked my opkg options which were
> just migrated from v2015.10.0:
> 
> % grep -i opkg configs/ptxconfig
> PTXCONF_HOST_PACKAGE_MANAGEMENT_OPKG=y
> PTXCONF_HOST_PACKAGE_MANAGEMENT="opkg"
> PTXCONF_HOST_OPKG_UTILS=y
> PTXCONF_HOST_OPKG=y
> PTXCONF_OPKG=y
> # PTXCONF_OPKG_CURL is not set
> # PTXCONF_OPKG_SHA256 is not set
> # PTXCONF_OPKG_OPENSSL is not set
> # PTXCONF_OPKG_SSL_CURL is not set
> PTXCONF_OPKG_OPKG_CONF=y
> PTXCONF_OPKG_OPKG_CONF_HOST="ada"
> PTXCONF_OPKG_OPKG_CONF_URL="src ptxdist
> http://${PTXCONF_OPKG_OPKG_CONF_HOST}/ipkg-repository/${PTXCONF_PROJECT}/dists/${PTXCONF_PROJECT}${PTXCONF_PROJECT_VERSION}"
> 
> This is what still worked with ptxdist 2015.10.0 and now does not
> anymore. I checked the prepare stage:
> 
> ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
> --libdir=/usr/lib --host=arm-v5te-linux-gnueabi
> --build=x86_64-host-linux-gnu --enable-largefile --disable-static
> --disable-libopkg-api --disable-pathfinder --disable-curl
> --disable-sha256 --disable-openssl --disable-ssl-curl --disable-gpg
> 
> Then I poked around in the opkg source and it seems like verify is
> mandatory and the only allowed options are gpg, gpg-asc, and openssl. My
> /etc/opkg/opkg.conf is the one prepared by ptxdist:
> 
> option check_signature 0
> #option signature_ca_path /etc/ssl/certs
> #option signature_ca_file /etc/ssl/certs/opkg.crt
> 
> The check_signature 0 option does not work. Neither do these:
> 
> option signature_type none
> option check_pkg_signature 0

Can you remove the line? I cannot test this right now, but from reading the
code, it looks like nothing means 'false' and 'option signature_type' (with any
argument) means 'true'.

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] setting up opkg with ptxdist 2015.12.0 (Was: [ANNOUNCE] PTXdist 2015.12.0 released)
  2015-12-22 11:42   ` [ptxdist] setting up opkg with ptxdist 2015.12.0 (Was: [ANNOUNCE] PTXdist 2015.12.0 released) Alexander Dahl
  2016-01-11 12:10     ` [ptxdist] setting up opkg with ptxdist 2015.12.0 Alexander Dahl
@ 2016-01-12 16:44     ` Michael Olbrich
  1 sibling, 0 replies; 9+ messages in thread
From: Michael Olbrich @ 2016-01-12 16:44 UTC (permalink / raw)
  To: ptxdist

On Tue, Dec 22, 2015 at 12:42:50PM +0100, Alexander Dahl wrote:
> On 2015-12-21 19:09, Alexander Dahl wrote:
> > So, I guess I have to use openssl signatures now, because the gpg stuff
> > is marked broken, right? How do those work and do I find some
> > documentation on how to set it up?
> 
> This is what I tried this morning. 
> 
> * create a certificate and a key with tinyca2 (which I also use for
> other purposes)
> * export cert and key (without passphrase)
> * in platformconfig set PTXCONF_IMAGE_IPKG_SIGN_OPENSSL=y,
> PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_SIGNER to the cert and
> PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_KEY to the key
> * in menuconfig PTXCONF_OPKG_OPENSSL=y and
> PTXCONF_OPKG_OPKG_CONF_CHECKSIG=y
> * add a line 'option signature_type openssl' to /etc/opkg/opkg.conf on
> the target (this is maybe worth a patch? ;-) )

Indeed.

> All this yields:
> 
> $ opkg -V update
> opkg_conf_parse_file: Loading conf file /etc/opkg/opkg.conf.
> opkg_conf_parse_file: Supported arch armel priority (10)
> opkg_conf_parse_file: Supported arch all priority (1)
> opkg_conf_parse_file: Supported arch noarch priority (1)
> pkg_hash_load_feeds: 
> pkg_hash_load_status_files: 
> Downloading
> http://ada/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.
> Downloading
> http://ada/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.sig.
> Collected errors:
>  * opkg_verify_openssl_signature: Verification failure.
>  * pkg_src_verify: Signature verification failed for ptxdist.
> 
> So a signature is created, in `ptxdist images` this looks like:
> 
> signing Packages...
> openssl smime -sign \
>         -in
> "/var/www/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages"
> \
>         -text -binary \
>         -outform PEM \
>         -signer "/home/adahl/Work/admin/cert/ada@***-cert.pem" \
>         -inkey "/home/adahl/Work/admin/cert/ada@***-key.pem" \
>         -out
> "/var/www/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.sig"
> WARNING: can't open config file: //ssl/openssl.cnf
> Packages.sig created
> 
> The file /etc/ssl/certs/opkg.crt on the target is identical to the cert
> above and looking at opkg_verify_openssl_signature() in opkg_openssl.c
> looks like opkg gets quite far and fails at the last step on
> PKCS7_verify() …

This stuff was contributed by others and I think I only tested this once, so
I don't really know much about this.
One wild guess: Is your clock set correctly? OpenSSL does not like dates
that are in the future...

> > Or go back to opkg 0.2.x?
> 
> I copied the old rules and patches from 2015.10.0 to my BSP for now to
> get a usable opkg. Nevertheless, help on setting up opkg or fixing it,
> appreciated.
> 
> btw: if I did my research correctly upstream is now
> http://git.yoctoproject.org/cgit/cgit.cgi/opkg/ and version v0.3.1 is
> out, however the commits didn't look like they touch anything signature
> related.

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] [ANNOUNCE] PTXdist 2015.12.0 released
  2016-01-12 16:31   ` [ptxdist] [ANNOUNCE] PTXdist 2015.12.0 released Michael Olbrich
@ 2016-08-02  8:44     ` Alexander Dahl
  0 siblings, 0 replies; 9+ messages in thread
From: Alexander Dahl @ 2016-08-02  8:44 UTC (permalink / raw)
  To: ptxdist

Hei hei,

I had another look into the opkg topic I brought up late last year.

On 2016-01-12 17:31, Michael Olbrich wrote:
>> Then I poked around in the opkg source and it seems like verify is
>> mandatory and the only allowed options are gpg, gpg-asc, and openssl. My
>> /etc/opkg/opkg.conf is the one prepared by ptxdist:
>>
>> option check_signature 0
>> #option signature_ca_path /etc/ssl/certs
>> #option signature_ca_file /etc/ssl/certs/opkg.crt
>>
>> The check_signature 0 option does not work. Neither do these:
>>
>> option signature_type none
>> option check_pkg_signature 0
> 
> Can you remove the line? I cannot test this right now, but from reading the
> code, it looks like nothing means 'false' and 'option signature_type' (with any
> argument) means 'true'.

You're right. I already tested a fix in rules/opkg.make and will send a
patch.

Greets
Alex

-- 
»With the first link, the chain is forged. The first speech censured,
the first thought forbidden, the first freedom denied, chains us all
irrevocably.« (Jean-Luc Picard, quoting Judge Aaron Satie)
*** GnuPG-FP: C28E E6B9 0263 95CF 8FAF  08FA 34AD CD00 7221 5CC6 ***
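
The behaviour Michael describes and Alexander confirms in the messages above, turned into a check for a generated opkg.conf. This is an added example, not part of the thread and not ptxdist or opkg code. It assumes the semantics stated in the thread for opkg 0.3.0 (a boolean option line enables the option whenever it is present, whatever its argument); the function names and the list of boolean options are hypothetical.

```shell
#!/bin/sh
# Added example: lint an opkg.conf for boolean options that are switched on by
# a line that was meant to switch them off.
# Assumption (taken from the thread, for opkg 0.3.0): a boolean
# "option NAME ARG" line enables NAME whenever it is present; ARG is ignored.
# An absent or commented-out line means the option is off.

# Boolean options to check. Both names appear in the thread; treating
# check_pkg_signature as a boolean option is an assumption.
OPKG_BOOL_OPTS="check_signature check_pkg_signature"

# opkg_bool_effective FILE NAME
# Prints 1 if an active "option NAME" line exists in FILE, else 0.
opkg_bool_effective() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }                      # commented out = absent = off
        $1 == "option" && $2 == name { on = 1 }
        END { print on + 0 }
    ' "$1"
}

# lint_opkg_conf FILE
# Prints one finding per misleading line; returns 1 if there is at least one.
lint_opkg_conf() {
    awk -v opts="$OPKG_BOOL_OPTS" '
        BEGIN { n = split(opts, a, " "); for (i = 1; i <= n; i++) is_bool[a[i]] = 1 }
        /^[ \t]*#/ { next }
        $1 == "option" && ($2 in is_bool) {
            arg = tolower($3)
            if (arg == "0" || arg == "no" || arg == "false" || arg == "off") {
                printf "%s:%d: %s is enabled although the argument is \"%s\"\n", FILENAME, FNR, $2, $3
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# disable_opkg_bools FILE
# Writes a corrected config to stdout: every active line for a listed boolean
# option is commented out, everything else is passed through unchanged.
disable_opkg_bools() {
    awk -v opts="$OPKG_BOOL_OPTS" '
        BEGIN { n = split(opts, a, " "); for (i = 1; i <= n; i++) is_bool[a[i]] = 1 }
        !/^[ \t]*#/ && $1 == "option" && ($2 in is_bool) { print "#" $0; next }
        { print }
    ' "$1"
}

# Constructed sample input: the three opkg.conf lines quoted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
option check_signature 0
#option signature_ca_path /etc/ssl/certs
#option signature_ca_file /etc/ssl/certs/opkg.crt
EOF
}

# Usage: sh opkg-conf-lint.sh /path/to/opkg.conf
if [ -n "${1:-}" ]; then
    lint_opkg_conf "$1"
fi
```

Run against the image's opkg.conf before deployment, a non-zero exit status marks a config where signature checking is on although the line reads as off.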
