* GPG signed package feeds and packages: opkg update fails with "No public key"
@ 2017-08-07 9:51 Andersen, Christian
2017-08-11 23:27 ` Alejandro del Castillo
0 siblings, 1 reply; 2+ messages in thread
From: Andersen, Christian @ 2017-08-07 9:51 UTC (permalink / raw)
To: yocto
Hello,

I am trying to sign our ipk-packages and the package feed using GPG. As far as I can tell the signatures are correctly generated using this in the local.conf:

INHERIT += "sign_package_feed sign_ipk"
PACKAGE_FEED_GPG_NAME ?= "73CE8000"
PACKAGE_FEED_GPG_PASSPHRASE_FILE ?= "/var/lib/jenkins/.gnupg/passwd.txt"
IPK_GPG_NAME ?= "73CE8000"
IPK_GPG_PASSPHRASE_FILE ?= "/var/lib/jenkins/.gnupg/passwd.txt"
GPG_PATH ?= "/var/lib/jenkins/.gnupg"

The public key is installed using opkg-keyrings and this config:

OPKG_KEYRING_KEYS = "73CE8000"

On the target I am able to verify that the public key is available:

root@scb-anders05:~# opkg-key list
/etc/opkg/trusted.gpg
---------------------
pub rsa2048 2017-08-04 [SC]
B104E37136084E68203BB2CD5676B9F373CE8000
uid [unknown] Company <mail@example.tld>
sub rsa2048 2017-08-04 [E]

The opkg.conf contains:

option check_signature 1
#option check_pkg_signature 1
option signature_type gpg-asc

But when I try opkg update I get:

root@scb-anders05:~# opkg update
Downloading http://internalhost:8000/puck/pyro-develop/ipk/all/Packages.gz.
Downloading http://internalhost:8000/puck/pyro-develop/ipk/all/Packages.asc.
Downloading http://internalhost:8000/puck/pyro-develop/ipk/cortexa8hf-neon/Packages.gz.
Downloading http://internalhost:8000/puck/pyro-develop/ipk/cortexa8hf-neon/Packages.asc.
Downloading http://internalhost:8000/puck/pyro-develop/ipk/scb/Packages.gz.
Downloading http://internalhost:8000/puck/pyro-develop/ipk/scb/Packages.asc.
Collected errors:
* opkg_verify_gpg_signature: Signature status returned error: No public key
* pkg_src_verify: Signature verification failed for all.
* opkg_verify_gpg_signature: Signature status returned error: No public key
* pkg_src_verify: Signature verification failed for cortexa8hf-neon.
* opkg_verify_gpg_signature: Signature status returned error: No public key
* pkg_src_verify: Signature verification failed for scb.

When I manually load Packages and Packages.asc and verify the signature on the target, it seems to work:

root@scb-anders05:~# opkg-key adv --verify Packages.asc Packages
Executing: gpg --no-options --no-default-keyring --keyring /etc/opkg/trusted.gpg --secret-keyring /etc/opkg/secring.gpg --trustdb-name /etc/opkg/trustdb.gpg --verify Packages.asc Packages
gpg: Signature made Fri Aug 4 17:00:52 2017 CEST
gpg: using RSA key 5676B9F373CE8000
gpg: Good signature from "Company <mail@example.tld>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B104 E371 3608 4E68 203B B2CD 5676 B9F3 73CE 8000

Even after changing the trust-level for the public key to 5 (ultimate), opkg update does not accept the signature.

Does anybody have an idea what's going on and how I can fix this?

Regards
Christian
KOSTAL Industrie Elektrik GmbH - Sitz Lüdenscheid, Registergericht Iserlohn HRB 3924 - USt-Id-Nr./Vat No.: DE 813742170
Postanschrift: An der Bellmerei 10, D-58513 Lüdenscheid * Telefon: +49 2351 16-0 * Telefax: +49 2351 16-2400
Werksanschrift: Lange Eck 11, D-58099 Hagen * Tel. +49 2331 8040-601 * Fax +49 2331 8040-602
Geschäftsführung: Dr.-Ing. Dipl.-Wirt.Ing. Manfred Gerhard, Dipl.-Ing. Marwin Kinzl, Dipl.-Oec. Andreas Kostal
* Re: GPG signed package feeds and packages: opkg update fails with "No public key"
2017-08-07 9:51 GPG signed package feeds and packages: opkg update fails with "No public key" Andersen, Christian
@ 2017-08-11 23:27 ` Alejandro del Castillo
0 siblings, 0 replies; 2+ messages in thread
From: Alejandro del Castillo @ 2017-08-11 23:27 UTC (permalink / raw)
To: Andersen, Christian, yocto
On 08/07/2017 04:51 AM, Andersen, Christian wrote:
> Hello,
>
> I am trying to sign our ipk-packages and the package feed using GPG. As
> far as I can tell the signatures are correctly generated using this in
> the local.conf:
>
> INHERIT += "sign_package_feed sign_ipk"
> PACKAGE_FEED_GPG_NAME ?= "73CE8000"
> PACKAGE_FEED_GPG_PASSPHRASE_FILE ?= "/var/lib/jenkins/.gnupg/passwd.txt"
> IPK_GPG_NAME ?= "73CE8000"
> IPK_GPG_PASSPHRASE_FILE ?= "/var/lib/jenkins/.gnupg/passwd.txt"
> GPG_PATH ?= "/var/lib/jenkins/.gnupg"
>
> The public key is installed using opkg-keyrings and this config:
>
> OPKG_KEYRING_KEYS = "73CE8000"
>
> On the target I am able to verify that the public key is available:
>
> root@scb-anders05:~# opkg-key list
>
> /etc/opkg/trusted.gpg
>
> ---------------------
>
> pub rsa2048 2017-08-04 [SC]
> B104E37136084E68203BB2CD5676B9F373CE8000
> uid [unknown] Company <mail@example.tld>
> sub rsa2048 2017-08-04 [E]

Have you tried to sign using a key with non-default values? I can't see anything clearly off on your config, other than your key being "[unknown] Company <mail@example.tld>".

> The opkg.conf contains:
>
> option check_signature 1
> #option check_pkg_signature 1
> option signature_type gpg-asc
>
> But when I try opkg update I get:
>
> root@scb-anders05:~# opkg update
> Downloading http://internalhost:8000/puck/pyro-develop/ipk/all/Packages.gz.
> Downloading http://internalhost:8000/puck/pyro-develop/ipk/all/Packages.asc.
> Downloading http://internalhost:8000/puck/pyro-develop/ipk/cortexa8hf-neon/Packages.gz.
> Downloading http://internalhost:8000/puck/pyro-develop/ipk/cortexa8hf-neon/Packages.asc.
> Downloading http://internalhost:8000/puck/pyro-develop/ipk/scb/Packages.gz.
> Downloading http://internalhost:8000/puck/pyro-develop/ipk/scb/Packages.asc.
> Collected errors:
>
> * opkg_verify_gpg_signature: Signature status returned error: No public key
> * pkg_src_verify: Signature verification failed for all.
> * opkg_verify_gpg_signature: Signature status returned error: No public key
> * pkg_src_verify: Signature verification failed for cortexa8hf-neon.
> * opkg_verify_gpg_signature: Signature status returned error: No public key
> * pkg_src_verify: Signature verification failed for scb.
>
> When I manually load Packages and Packages.asc and verify the
> signature on the target, it seems to work:
>
> root@scb-anders05:~# opkg-key adv --verify Packages.asc Packages
>
> Executing: gpg --no-options --no-default-keyring --keyring /etc/opkg/trusted.gpg --secret-keyring /etc/opkg/secring.gpg --trustdb-name /etc/opkg/trustdb.gpg --verify Packages.asc Packages
>
> gpg: Signature made Fri Aug 4 17:00:52 2017 CEST
> gpg: using RSA key 5676B9F373CE8000
> gpg: Good signature from "Company <mail@example.tld>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
>
> Primary key fingerprint: B104 E371 3608 4E68 203B B2CD 5676 B9F3 73CE 8000
>
> Even after changing the trust-level for the public key to 5 (ultimate),
> opkg update does not accept the signature.
>
> Does anybody have an idea what’s going on and how I can fix this?
--
Cheers,
Alejandro
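
Added example, not part of either message and not opkg or Yocto code: a POSIX shell cross-check that the key ID named in the `gpg --verify` output and the short ID given in `OPKG_KEYRING_KEYS` each resolve to exactly one fingerprint in the `opkg-key list` output. The sample inputs are constructed from the output quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample inputs, copied from the output quoted in the thread.
KEYRING_LISTING='pub rsa2048 2017-08-04 [SC]
B104E37136084E68203BB2CD5676B9F373CE8000
uid [unknown] Company <mail@example.tld>
sub rsa2048 2017-08-04 [E]'
VERIFY_OUTPUT='gpg: Signature made Fri Aug 4 17:00:52 2017 CEST
gpg: using RSA key 5676B9F373CE8000
gpg: Good signature from "Company <mail@example.tld>" [unknown]'

# list_fingerprints: read a key listing on stdin, print each 40-hex fingerprint.
list_fingerprints() {
    tr -d ' \t' | tr 'a-f' 'A-F' |
        awk 'length($0) == 40 && $0 !~ /[^0-9A-F]/'
}

# signer_keyid: read gpg --verify output on stdin, print the signer key ID.
signer_keyid() {
    sed -n 's/^gpg: *using [A-Za-z0-9]* key \([0-9A-Fa-f]*\) *$/\1/p' |
        tr 'a-f' 'A-F' | awk 'NR == 1'
}

# match_key ID LISTING: return 0 if ID (8, 16 or 40 hex digits) is the suffix
# of exactly one fingerprint, 1 if of none, 2 if malformed or ambiguous.
match_key() {
    id=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    case "$id" in ''|*[!0-9A-F]*) return 2 ;; esac
    case ${#id} in 8|16|40) ;; *) return 2 ;; esac
    hits=$(printf '%s\n' "$2" | list_fingerprints |
        awk -v id="$id" 'substr($0, 41 - length(id)) == id { n++ } END { print n + 0 }')
    [ "$hits" -eq 1 ] && return 0
    [ "$hits" -eq 0 ] && return 1
    return 2   # an 8-digit ID matched more than one key
}

# check ID: print one verdict line for a key ID against the sample listing.
check() {
    rc=0
    match_key "$1" "$KEYRING_LISTING" || rc=$?
    case $rc in
        0) echo "$1: in keyring" ;;
        1) echo "$1: not in this listing" ;;
        *) echo "$1: malformed or ambiguous key ID" ;;
    esac
}
check "$(printf '%s\n' "$VERIFY_OUTPUT" | signer_keyid)"  # ID inside the signature
check 73CE8000                                           # ID from OPKG_KEYRING_KEYS
check DEADBEEF                                           # constructed ID, absent
```

On a target, the same functions can be fed the live output of `opkg-key list` and `opkg-key adv --verify` in place of the constructed samples.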