From: Alexander Dahl <post@lespocky.de>
To: ptxdist@pengutronix.de
Subject: [ptxdist] setting up opkg with ptxdist 2015.12.0 (Was: [ANNOUNCE] PTXdist 2015.12.0 released)
Date: Tue, 22 Dec 2015 12:42:50 +0100	[thread overview]
Message-ID: <fedb7062599c68ecc911c1a9f1b47880@localhost> (raw)
In-Reply-To: <5956ea45a4ca85ba2b41df84468f6cbf@localhost>

Hei hei, 

On 2015-12-21 19:09, Alexander Dahl wrote:
> So, I guess I have to use openssl signatures now, because the gpg stuff
> is marked broken, right? How do those work and do I find some
> documentation on how to set it up?

This is what I tried this morning. 

* create a certificate and a key with tinyca2 (which I also use for
other purposes)
* export cert and key (without passphrase)
* in platformconfig set PTXCONF_IMAGE_IPKG_SIGN_OPENSSL=y,
PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_SIGNER to the cert and
PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_KEY to the key
* in menuconfig PTXCONF_OPKG_OPENSSL=y and
PTXCONF_OPKG_OPKG_CONF_CHECKSIG=y
* add a line 'option signature_type openssl' to /etc/opkg/opkg.conf on
the target (this is maybe worth a patch? ;-) )

All this yields:

$ opkg -V update
opkg_conf_parse_file: Loading conf file /etc/opkg/opkg.conf.
opkg_conf_parse_file: Supported arch armel priority (10)
opkg_conf_parse_file: Supported arch all priority (1)
opkg_conf_parse_file: Supported arch noarch priority (1)
pkg_hash_load_feeds: 
pkg_hash_load_status_files: 
Downloading http://ada/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.
Downloading http://ada/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.sig.
Collected errors:
 * opkg_verify_openssl_signature: Verification failure.
 * pkg_src_verify: Signature verification failed for ptxdist.

So a signature is created; in `ptxdist images` this looks like:

signing Packages...
openssl smime -sign \
        -in "/var/www/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages" \
        -text -binary \
        -outform PEM \
        -signer "/home/adahl/Work/admin/cert/ada@***-cert.pem" \
        -inkey "/home/adahl/Work/admin/cert/ada@***-key.pem" \
        -out "/var/www/ipkg-repository/***/dists/***-v2015.11.0-00175-gadfe207991cc-dirty/Packages.sig"
WARNING: can't open config file: //ssl/openssl.cnf
Packages.sig created

The file /etc/ssl/certs/opkg.crt on the target is identical to the cert
above and looking at opkg_verify_openssl_signature() in opkg_openssl.c
looks like opkg gets quite far and fails at the last step on
PKCS7_verify() …

> Or go back to opkg 0.2.x?

I copied the old rules and patches from 2015.10.0 to my BSP for now to
get a usable opkg. Nevertheless, help on setting up opkg or fixing it is
appreciated.

btw: if I did my research correctly, upstream is now
http://git.yoctoproject.org/cgit/cgit.cgi/opkg/ and version v0.3.1 is
out; however, the commits didn't look like they touch anything
signature-related.

Greets
Alex

-- 
»With the first link, the chain is forged. The first speech censured,
the first thought forbidden, the first freedom denied, chains us all
irrevocably.« (Jean-Luc Picard, quoting Judge Aaron Satie)
*** GnuPG-FP: 02C8 A590 7FE5 CA5F 3601  D1D5 8FBA 7744 CC87 10D0 ***

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
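The sign-then-verify chain Alex describes, as an added example that is not part of the mail or of ptxdist: it repeats the `ptxdist images` signing call on the host with a constructed self-signed cert and key, checks that the cert really belongs to the key, then verifies the detached Packages.sig the way opkg does (PKCS7 verification against one trusted cert) and confirms a modified Packages file is rejected. File names, the CN and the Packages contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the mail or ptxdist): reproduce the host-side
# signing step quoted above and PKCS7-verify the detached Packages.sig
# the way opkg will, against the one cert that becomes opkg.crt on target.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the tinyca2 export: self-signed signer cert plus
# unencrypted key. With a CA-issued signer cert the trusted file must hold
# the issuing CA chain, not only the leaf, or chain building fails.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=opkg-example" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
# Constructed Packages index standing in for the feed's Packages file.
printf 'Package: example\nVersion: 1.0\nArchitecture: all\n' > "$WORK/Packages"

# Exactly the flags from the `ptxdist images` output in the mail. Because
# -binary skips canonicalisation, the text/plain MIME header that -text
# would otherwise prepend is not added: the signature covers the raw bytes.
sign_packages() {   # $1 Packages -> writes $1.sig
    openssl smime -sign -in "$1" -text -binary -outform PEM \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" -out "$1.sig"
}

# 0 if the cert's public key belongs to the private key: the first thing to
# rule out when signing succeeds but verification on the target fails.
key_matches_cert() {   # $1 cert  $2 key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# 0 if the detached PEM signature verifies against the trusted cert, which
# is what opkg_verify_openssl_signature() asks of PKCS7_verify().
verify_packages() {   # $1 Packages  $2 Packages.sig  $3 trusted cert
    openssl smime -verify -inform PEM -in "$2" -content "$1" \
        -CAfile "$3" -out /dev/null 2>/dev/null
}

sign_packages "$WORK/Packages"
key_matches_cert "$WORK/cert.pem" "$WORK/key.pem" || { echo "cert/key mismatch"; exit 1; }
verify_packages "$WORK/Packages" "$WORK/Packages.sig" "$WORK/cert.pem" \
    || { echo "host-side verification failed"; exit 1; }
echo "untouched Packages: signature ok"

# A modified index must be rejected, which is the point of CHECKSIG.
cp "$WORK/Packages" "$WORK/Packages.tampered"
printf 'Package: injected\nVersion: 0\n' >> "$WORK/Packages.tampered"
verify_packages "$WORK/Packages.tampered" "$WORK/Packages.sig" "$WORK/cert.pem" \
    && { echo "ERROR: tampered Packages verified"; exit 1; }
echo "tampered Packages: rejected ok"
```

Pointing `verify_packages` at the real Packages, Packages.sig and the file installed as /etc/ssl/certs/opkg.crt separates a cert or key problem (fails here too) from a problem in the opkg build (passes here, fails on the target).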
