Yocto recipe for a secure APT repository
I have a private APT repository configured with a GPG key and a self-signed certificate. I want to access the repository from a device with a Yocto-generated OS. I am trying to create a recipe for communicating the device with the remote repository. This is, until now, the recipe myrepo_1.0.0.bb:
SUMMARY = "Install files for APT secure repository"
DESCRIPTION = "Copy security configuration files for enable secure APT communication with remote repository"
LICENSE = "CLOSED"
DEPENDS = "package-index ca-certificates-native"
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
SRC_URI += "\
    file://myrepo.gpg \
    file://myrepo.crt \
"
do_install_append() {
    install -d ${D}${sysconfdir}/${PN}
    install -m 0644 ${WORKDIR}/myrepo.gpg ${D}${sysconfdir}/${PN}/
    install -m 0644 ${WORKDIR}/myrepo.crt ${D}${sysconfdir}/${PN}/
    install -d ${D}usr/local/share/ca-certificates
    ln -s ${sysconfdir}/${PN}/myrepo.crt ${D}usr/local/share/ca-certificates/
}
In the recipe, I am trying to copy the GPG key (myrepo.gpg) and the self-signed certificate (myrepo.crt).
Regarding the CRT key: I have followed these instructions to manually add the certificate, but when I do it, the certificate is not working on the device.
Regarding the GPG key: I successfully copy the key in the device, but I am not able to use it. For using it, the file /etc/apt/sources.list must contain the signed-by directive specifying the path to the gpg key. Ex:
deb [signed-by=/etc/myrepo/myrepo.gpg] https://myrepo.com/all ./
But if I add the directive in my local.conf like this:
PACKAGE_CLASSES ?= "package_deb"
PACKAGE_FEED_URIS = "[signed-by=/etc/myrepo/myrepo.gpg] https://myrepo.com"
The result is the directive treated as a new repository:
deb [signed-by=/etc/myrepo/myrepo.gpg] ./
deb https://myrepo.com/all ./
Could anyone help me with the recipe to automatically configure the repository?
Comments (1)
I finally found a way to add the https certificate and to add the GPG signature.
I added the certificate and key files on build time using do_install_append function, and I have to use the function pkg_postinst_ontarget_${PN} (see mega-manual) to change the apt repository configuration on runtime (only the first run). Could not find a way to change the sources.list on build time which could be a more elegant way, but this works perfectly:
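One way the first-run step described in this answer could rewrite the feed lines, as an added example that is not the answerer's code: a POSIX shell helper (the name add_signed_by is hypothetical) that could be called from pkg_postinst_ontarget_${PN}, assuming awk is available on the target. The demo input is constructed from the lines shown in the question.

```shell
#!/bin/sh
# Added example, not the answer's code. Pins one apt repository to its keyring
# by inserting a signed-by option into that repository's source lines.

# add_signed_by FILE REPO_URL KEYRING   (hypothetical helper name)
add_signed_by() {
    file=$1; repo=${2%/}; key=$3
    # Refuse to pin to a keyring that is not there: apt would reject the repo.
    [ -f "$file" ] && [ -r "$key" ] || return 1
    tmp="$file.tmp.$$"
    awk -v repo="$repo" -v key="$key" '
        # Only plain "deb URL ..." lines for this repo. A line that already has
        # an [options] block has "[...]" in $2, so a second run changes nothing.
        # The "/" boundary keeps https://myrepo.com.example from matching.
        ($1 == "deb" || $1 == "deb-src") &&
        ($2 == repo || index($2, repo "/") == 1) {
            $1 = $1 " [signed-by=" key "]"
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed demo input: the line the question's PACKAGE_FEED_URIS produced,
# plus an unrelated look-alike host that must stay untouched.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/myrepo.gpg"                      # stand-in for the real keyring
    printf '%s\n' \
        'deb https://myrepo.com/all ./' \
        'deb https://myrepo.com.example/all ./' > "$dir/sources.list"
    add_signed_by "$dir/sources.list" https://myrepo.com "$dir/myrepo.gpg" &&
    add_signed_by "$dir/sources.list" https://myrepo.com "$dir/myrepo.gpg" &&
    cat "$dir/sources.list"
    rc=$?; rm -rf "$dir"; return $rc
}

demo
```

On the device the call would be `add_signed_by /etc/apt/sources.list https://myrepo.com /etc/myrepo/myrepo.gpg`, using the paths from the question.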