In addition to being able to sign RPM packages, you can also enable the OpenEmbedded build system to handle previously signed package feeds for IPK packages.
The steps you need to take to enable signed package feed use are similar to the steps used to sign RPM packages.
You must define the following in your local.conf or distro.conf file:

     INHERIT += "sign_package_feed"
     PACKAGE_FEED_GPG_NAME = "key_name"
     PACKAGE_FEED_GPG_PASSPHRASE_FILE = "path_to_file_containing_passphrase"

For signed package feeds, the passphrase must exist in a separate file, which is pointed to by the PACKAGE_FEED_GPG_PASSPHRASE_FILE variable.
Keeping a plain text passphrase out of the configuration is more secure.

Aside from the PACKAGE_FEED_GPG_NAME and PACKAGE_FEED_GPG_PASSPHRASE_FILE variables, three optional variables related to signed package feeds exist:

GPG_BIN: Specifies a gpg binary/wrapper that is executed when the package is signed.

GPG_PATH: Specifies the gpg home directory used when the package is signed.

PACKAGE_FEED_GPG_SIGNATURE_TYPE: Specifies the type of gpg signature. This variable applies only to RPM and IPK package feeds. Allowable values for PACKAGE_FEED_GPG_SIGNATURE_TYPE are "ASC", which is the default and specifies ASCII armored, and "BIN", which specifies binary.
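
The following preflight check is an added example, not part of the original manual or of the OpenEmbedded code. It lints a configuration file for the settings described above before a build is started. The function names conf_value and check_feed_signing_conf are hypothetical, and the script assumes GNU stat and settings written as plain VAR = "value" lines.

```shell
#!/bin/sh
# Added example: preflight lint for signed package feed settings.
# Assumes plain  VAR = "value"  lines and GNU stat (Linux build host).

# Print the quoted value of the last assignment to variable $2 in file $1.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[+?:]*=[[:space:]]*\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Return 0 if conf file $1 is ready for feed signing, 1 otherwise.
check_feed_signing_conf() {
    conf=$1
    rc=0
    # The class that does the signing must be inherited.
    grep -Eq '^[[:space:]]*INHERIT[^"]*"([^"]* )?sign_package_feed( [^"]*)?"' "$conf" ||
        { echo "INHERIT does not include sign_package_feed" >&2; rc=1; }
    [ -n "$(conf_value "$conf" PACKAGE_FEED_GPG_NAME)" ] ||
        { echo "PACKAGE_FEED_GPG_NAME is not set" >&2; rc=1; }
    # The passphrase lives in its own file; keep it closed to group/other.
    pf=$(conf_value "$conf" PACKAGE_FEED_GPG_PASSPHRASE_FILE)
    if [ -z "$pf" ] || [ ! -s "$pf" ]; then
        echo "passphrase file is unset, missing or empty" >&2; rc=1
    else
        case $(stat -c '%a' "$pf") in
            *00) ;;   # e.g. 600 or 400: owner-only access
            *) echo "$pf is accessible to group or others" >&2; rc=1 ;;
        esac
    fi
    # Unset means the default, ASC; otherwise only ASC or BIN are allowed.
    sig=$(conf_value "$conf" PACKAGE_FEED_GPG_SIGNATURE_TYPE)
    case ${sig:-ASC} in
        ASC|BIN) ;;
        *) echo "invalid PACKAGE_FEED_GPG_SIGNATURE_TYPE: $sig" >&2; rc=1 ;;
    esac
    return $rc
}

# Stand-alone use: sh check.sh conf/local.conf
[ $# -eq 0 ] || check_feed_signing_conf "$1"
```

Each failed check prints its reason to standard error, so the function can gate a build script or a CI job on its exit status.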