3

OpenWRT uses opkg to manage packages. By default, it downloads the files Packages and Packages.sig when opkg update is run, then verifies the signature file Packages.sig against the file Packages. It seems this is a signature mechanism for the whole repository. I want to know if there is a method to sign a single ipk?

Hardik Sanghvi
Chris Feng

2 Answers

6

Yes, opkg (v0.3.0-rc0 onwards) verifies individual package signature files.

Enable the package signature option in opkg.conf.

option check_pkg_signature 1

You can create the signature file using gpg or openssl and keep the signature file and the package together in the location from which opkg is configured to download packages. The signature file should be created in the format: .ipk.sig

You can download the latest source by cloning git://git.yoctoproject.org/opkg or downloading from http://git.yoctoproject.org/cgit/cgit.cgi/opkg/

Hardik Sanghvi
0

You can obviously sign a package (using the openssl sign utility, for example), but the opkg tool will not check the signature and will install the package anyway.

If you want such a mechanism, you can write a wrapper around opkg install like this: if openssl verify ...; then opkg install ...

Vasily G
  • Thanks! I want to know if there is an existing solution for this requirement using openssl, rather than implementing it myself? – Chris Feng Dec 25 '15 at 01:37
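
The wrapper approach from the second answer, written out as an added example (not code from either answer or from the opkg project). It assumes a raw SHA-256 detached signature stored next to the package as `<file>.ipk.sig`, created with `openssl dgst -sha256 -sign`; the key path and the function names `verify_ipk` and `install_verified` are hypothetical.

```shell
#!/bin/sh
# Added example: verify a detached signature before handing an .ipk to opkg.
# Assumption: the signature was produced on the build host with
#   openssl dgst -sha256 -sign private.pem -out pkg.ipk.sig pkg.ipk
# Assumption: the trusted public key lives at $PUBKEY (hypothetical path).
PUBKEY="${PUBKEY:-/etc/opkg/trusted-pub.pem}"
OPKG="${OPKG:-opkg}"

# verify_ipk PKG [SIG]
# Returns 0 only if SIG is a valid signature over PKG under $PUBKEY.
# Returns 2 if the package, signature or key file is missing.
verify_ipk() {
    _pkg="$1"
    _sig="${2:-$_pkg.sig}"
    [ -f "$_pkg" ] && [ -f "$_sig" ] && [ -f "$PUBKEY" ] || return 2
    openssl dgst -sha256 -verify "$PUBKEY" -signature "$_sig" "$_pkg" \
        >/dev/null 2>&1
}

# install_verified PKG...
# Checks every package first and calls opkg only if all of them pass,
# so one bad file never leads to a partial install.
install_verified() {
    [ "$#" -gt 0 ] || return 2
    for _p in "$@"; do
        case "$_p" in
            *.ipk) ;;
            *)  # package names would be fetched from a feed, unchecked here
                echo "refusing $_p: not a local .ipk file" >&2
                return 1 ;;
        esac
        if ! verify_ipk "$_p"; then
            echo "refusing $_p: missing or invalid signature" >&2
            return 1
        fi
    done
    "$OPKG" install "$@"
}
```

Run the check and the install on files in a directory only root can write to, so the package cannot be swapped between verification and installation.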