From: Alexander Dahl <post@lespocky.de>
To: ptxdist@pengutronix.de
Subject: [ptxdist] setting up opkg with ptxdist 2015.12.0 (Was: [ANNOUNCE] PTXdist 2015.12.0 released)
Date: Tue, 22 Dec 2015 12:42:50 +0100 [thread overview]
Message-ID: <fedb7062599c68ecc911c1a9f1b47880@localhost> (raw)
In-Reply-To: <5956ea45a4ca85ba2b41df84468f6cbf@localhost>
Hei hei,
Am 2015-12-21 19:09, schrieb Alexander Dahl:
> So, I guess I have to use openssl signatures now, because the gpg stuff
> is marked broken, right? How do those work and do I find some
> documentation on how to set it up?
This is what I tried this morning.
* create a certificate and a key with tinyca2 (which I also use for
other purposes)
* export cert and key (without passphrase)
* in platformconfig set PTXCONF_IMAGE_IPKG_SIGN_OPENSSL=y,
PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_SIGNER to the cert and
PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_KEY to the key
* in menuconfig PTXCONF_OPKG_OPENSSL=y and
PTXCONF_OPKG_OPKG_CONF_CHECKSIG=y
* add a line 'option signature_type openssl' to /etc/opkg/opkg.conf on
the target (this is maybe worth a patch? ;-) )
All this yields:
$ opkg -V update
opkg_conf_parse_file: Loading conf file /etc/opkg/opkg.conf.
opkg_conf_parse_file: Supported arch armel priority (10)
opkg_conf_parse_file: Supported arch all priority (1)
opkg_conf_parse_file: Supported arch noarch priority (1)
pkg_hash_load_feeds:
pkg_hash_load_status_files:
Downloading
http://ada/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.
Downloading
http://ada/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.sig.
Collected errors:
* opkg_verify_openssl_signature: Verification failure.
* pkg_src_verify: Signature verification failed for ptxdist.
So a signature is created, in `ptxdist images` this looks like:
signing Packages...
openssl smime -sign \
-in
"/var/www/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages"
\
-text -binary \
-outform PEM \
-signer "/home/adahl/Work/admin/cert/ada@***-cert.pem" \
-inkey "/home/adahl/Work/admin/cert/ada@***-key.pem" \
-out
"/var/www/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.sig"
WARNING: can't open config file: //ssl/openssl.cnf
Packages.sig created
The file /etc/ssl/certs/opkg.crt on the target is identical to the cert
above and looking at opkg_verify_openssl_signature() in opkg_openssl.c
looks like opkg gets quite far and fails at the last step on
PKCS7_verify() …
> Or go back to opkg 0.2.x?
I copied the old rules and patches from 2015.10.0 to my BSP for now to
get a usable opkg. Nevertheless, help on setting up opkg or fixing it,
appreciated.
btw: if I did my research correctly upstream is now
http://git.yoctoproject.org/cgit/cgit.cgi/opkg/ and version v0.3.1 is
out, however the commits didn't look like they touch anything signature
related.
Greets
Alex
--
»With the first link, the chain is forged. The first speech censured,
the first thought forbidden, the first freedom denied, chains us all
irrevocably.« (Jean-Luc Picard, quoting Judge Aaron Satie)
*** GnuPG-FP: 02C8 A590 7FE5 CA5F 3601 D1D5 8FBA 7744 CC87 10D0 ***
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
next prev parent reply other threads:[~2015-12-22 11:43 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-18 11:20 [ptxdist] [ANNOUNCE] PTXdist 2015.12.0 released Michael Olbrich
2015-12-21 18:09 ` Alexander Dahl
2015-12-22 11:42 ` Alexander Dahl [this message]
2016-01-11 12:10 ` [ptxdist] setting up opkg with ptxdist 2015.12.0 Alexander Dahl
2016-01-12 13:47 ` Tim Sander
2016-01-12 16:21 ` Michael Olbrich
2016-01-12 16:44 ` [ptxdist] setting up opkg with ptxdist 2015.12.0 (Was: [ANNOUNCE] PTXdist 2015.12.0 released) Michael Olbrich
2016-01-12 16:31 ` [ptxdist] [ANNOUNCE] PTXdist 2015.12.0 released Michael Olbrich
2016-08-02 8:44 ` Alexander Dahl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fedb7062599c68ecc911c1a9f1b47880@localhost \
--to=post@lespocky.de \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox