Home > Edison > Hacking

Creating a DEB repository

Setting up for signed DEB repositories
Generating you own GPG key
Extending an expired key
Building the DEB repository
Using the DEB repository

Setting up for signed DEB repositories

Currently Yocto does not support signed DEB repositories. However, since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default. It appears overriding this behavior in apt is more work then to enable signed DEB repositories.

With the patch “package_manager: deb: Add support for signed feeds” applied during setup, Poky is patched to allow signed DEB repositories.

To enable, to following is added to local.conf during setup:

PACKAGE_CLASSES += " package_deb sign_package_feed"
PACKAGE_FEED_GPG_NAME = "976A9A3F994268DB"
PACKAGE_FEED_GPG_PASSPHRASE_FILE="${top_repo_dir}/utils/key/passphrase"

This enables signing the repo with the supplied GPG key (found under utils/key/). The key itself is installed during setup using:

gpg --import meta-intel-edison_pub.gpg
gpg --allow-secret-key-import --passphrase-file passphrase --batch --import meta-intel-edison_secret.gpg

Warning: Because we included the private key in the layer and published it on Github, you must consider it as unsafe. That means anybody could have created a virus invested DEB repo and trick you into installing packages from there. If you believe that is impossible, for instance because you own the host serving the repo and the host is on your local network same as your Edison, then continue to Building the deb repository. In all other cases, generate your own key.

Generating you own GPG key

If you need to provide your own key:

gpg --generate-key  # note the generated key, f.i. 976A9A3F994268DB and passphrase

and put your passphrase in the file named passphrase.

gpg --output meta-intel-edison_pub.gpg --armor --export 976A9A3F994268DB
gpg --output meta-intel-edison_secret.gpg --armor --export-secret-key 976A9A3F994268DB

If you don’t want to create a signed repo remove sign_package_feed from PACKAGE_CLASSES in your local.conf (found under out/linux64/build/conf)

Extending an expired key

Thanks to @lukedais: You can extend the expiry date by running the following:

gpg --edit-key E78D3359A86650AE
key 1
expire
desired extension

You may need to repeat this exact process for the subkey.

Building the DEB repository

For more information, see the Yocto Mega Manual

First on the server generate the repository files and start a web server:

bitbake package-index
cd /home/ferry/tmp/edison-intel/my/edison-morty/out/linux64/build/tmp/deploy/deb/
python3 -m http.server

Using the DEB repository

First scp meta-intel-edison_pub.gpg edison: the public key to Edison.

Warning: Installing the key by using apt-keyapt-key add meta-intel-edison_pub.gpg` is deprecated and will no longer work, see the DEPRECATION section in apt-key(8) for details. Please use the new method below.

On the Edison, install the key, add the server to the apt sources, update the apt database and upgrade all packages that are newer then the installed versions:

gpg --dearmor meta-intel-edison_pub.gpg
mkdir /etc/apt/keyrings
mv meta-intel-edison_pub.gpg.gpg /etc/apt/keyrings/meta-intel-edison.gpg

vi /etc/apt/sources.list.d/meta-intel-edison.sources

X-Repolib-Name: meta-intel-edison
Enabled: yes
Types: deb
URIs: http://delfion:8000/
Suites: all/ corei7-64/ edison/
Signed-By: /etc/apt/keyrings/meta-intel-edison.gpg

(save and close, i.e. shift-ZZ)

apt-get update
apt-get upgrade

with delfion the name of the host.

The Edison image must have gnupg (for keyhandling) and diffutils installed (as cmp from Busybox throws an error).