yocto - signed package

markyang92 · April 14, 2022

GPG-signing ipk packages built with yocto

  • An ipk package built with yocto can be signed using a GPG key.
  1. In local.conf, INHERIT the class that matches the type of package you generate.
  • If the packages are rpm
    INHERIT += "sign_rpm"
  • If the packages are ipk
    INHERIT += "sign_ipk"

  2. A GPG key is required for signing.
  • If the packages are rpm
RPM_GPG_NAME = "<key ID>"
RPM_GPG_PASSPHRASE = "<key passphrase>"
  • If the packages are ipk
IPK_GPG_NAME = "<key ID>"
IPK_GPG_PASSPHRASE_FILE = "<path/to/passphrase/file>"
  • The yocto build system uses the host's private GPG key to sign the packages it generates.

troubleshooting

1. Yocto and the generation of images when using repository of signed rpm packages

I have two questions related with Yocto and the generation of images when the distro is configured to use a repository of rpm packages signed with gpg.

First question: after running the $ bitbake my-image.bb command, the build process stops with this message of error:

ERROR: myimage-1.0-r0 do_rootfs: [log_check] myimage: found 1 error message in the logfile:
[log_check] Failed to synchronize cache for repo 'yocto-rpm', disabling.

Surprisingly, this error is only raised when the http server used to serve rpm packages for the running distro generated (i.e. nginx) is stopped (not listening). If the http server is started (listening), then the error message doesn't appear and the generation of the yocto image works fine.

According to my understanding, the final image generated by yocto uses the local rpms generated by the build process (located inside the build/ dir). Those packages are available locally (you don't need the remote server where rpms are published for updating/installing on running distros at all). So, I don't understand why the build process needs synchronizing with the remote server to build the image locally.

Second question: I set up my image to use the dnf client to manage rpm packages. To configure the remote repo used to serve rpm packages, I create a dnf_%.bbappend file to copy this configuration file to the destination directory ${D}/etc/yum.repos.d/

$ cat yocto-rpm.repo
[yocto-rpm]
name=Rocko Yocto Repo
baseurl=http://<HTTP_SERVER_IP>/rpm
enabled=1
gpgcheck=1

When the 'gpgcheck' variable is set with value 0, the image is built fine even if the http server (nginx) is stopped. However, if gpgcheck is set with value 1, then the image is not built fine if the http server (nginx) is stopped.

How is that possible? Is yocto analyzing contents of a file installed on the final image to customize the build process?

Just to provide all the information related with this issue, yocto knows about public gpg key because it is defined inside distro.conf in this way:

INHERIT += "sign_rpm"
RPM_GPG_NAME = "gpgyocto"
RPM_GPG_PASSPHRASE = "XYZ"

INHERIT += "sign_package_feed"
PACKAGE_FEED_GPG_NAME = "gpgyocto"
PACKAGE_FEED_GPG_PASSPHRASE_FILE = "/etc/yocto.d/gpgyocto"

The "gpgyocto" key is available on the gpg keyring:

$ gpg --list-keys
/home/<myuser>/.gnupg/pubring.kbx
----------------------------------
pub   rsa2048 2018-04-27 [SC] [expires: 2020-04-26]
      9112FBBF2073012C1463B8686235C65BD7C1F0D8
uid           [ultimate] gpgyocto <yocto@<mydomain.com>
sub   rsa2048 2018-04-27 [E] [expires: 2020-04-26]

Re first question: generating an image requires downloading other packages: if the server isn't available, then other alternative choices (like local cache) are undertaken, and the (arguably) obscure message is an attempt to notify you.

Re second question: gpg check requires a public key to verify package signature which needs to be downloaded. If the public key is unavailable, rpm applies cryptologically weak checks (i.e. digest verification) and proceeds "best effort" for historical reasons. The correct "fix" would be to fail to build an image from packages whose signature has not been verified (because the public key needed could not be found because the "server" was "stopped" or otherwise unavailable).

answered Apr 29, 2018 at 2:03 by Jeff Johnson
I appreciate a lot your response Mr. Jeff Johnson but I'm not sure if you understand my issue. Related with first answer, yocto fetcher is downloading sources to build rpm packages fine. Related with second answer, gpg public key is available for yocto (at least, I think so). I have edited my initial question to provide more information. Hope that helps to understand better my issue.
– criptobadia, May 2, 2018 at 7:45

gpgcheck=1 is an rpm directive, and rpm needs the public key to verify signatures: the gpg key ring isn't used, rather the public key needs to be imported by rpm. You can verify the rpm import by doing "rpm -qa | grep gpg"
– Jeff Johnson, May 4, 2018 at 18:02


  • Solution

I have finally fixed my issue. Adding a custom dnf_%.bbappend was a bad idea. All problems were generated because of that.

The best way to solve this issue is removing that dnf_%.bbappend completely, and then defining a custom PACKAGE_FEED_URIS in your local.conf pointing to your rpm server.
The Yocto build process automatically generates a configuration file inside ${D}/etc/yum.repos.d/ with everything it needs to use that remote repo from the target device. That's all. Hope this helps somebody else and thank you for all your support.
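As an added example (not code from the post, the thread, or Yocto itself), here is a small Python audit of the .repo files an image ships in /etc/yum.repos.d/, run on a constructed copy of the question's yocto-rpm.repo next to a hardened version; the gpgkey path in the hardened sample is a placeholder.

```python
import configparser
from typing import Dict, List

# Constructed sample: the repo file from the question (gpgcheck=1 but no gpgkey).
WEAK_REPO = """\
[yocto-rpm]
name=Rocko Yocto Repo
baseurl=http://<HTTP_SERVER_IP>/rpm
enabled=1
gpgcheck=1
"""

# Constructed sample of a hardened equivalent; the gpgkey path is a placeholder.
HARDENED_REPO = """\
[yocto-rpm]
name=Rocko Yocto Repo
baseurl=https://<HTTP_SERVER_IP>/rpm
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/<PLACEHOLDER-PUBKEY>
"""


def parse_repo(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .repo INI text into {section: {option: value}} (options are lowercased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def audit_repo(text: str) -> Dict[str, List[str]]:
    """Return, for every enabled repo, the settings that weaken signature verification."""
    findings: Dict[str, List[str]] = {}
    for name, opts in parse_repo(text).items():
        if opts.get("enabled", "1") != "1":
            continue  # dnf ignores disabled repos, so there is nothing to audit
        issues: List[str] = []
        if opts.get("gpgcheck", "0") != "1":
            issues.append("gpgcheck is off: packages install with no signature check")
        elif "gpgkey" not in opts:
            # This is the question's situation: dnf has no key URL to import, so
            # verification depends on a key already present in the rpm database.
            issues.append("gpgcheck=1 but no gpgkey=: dnf has no public key to import")
        if opts.get("baseurl", "").startswith("http://"):
            issues.append("baseurl is plain http: repo metadata is fetched unauthenticated")
        findings[name] = issues
    return findings
```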

