Re: [yocto] deploy GPG keys into images

2020-05-22 Thread Damien LEFEVRE
Thanks for the tip Rudolf!

I found out that gpg has a --homedir flag to do the obvious. Since gpg
builds a database, I cannot simply copy the key.

Knowing that now, I can just create the gpg database via a standard recipe
using the native utility package and install the files.

-Damien

On Tue, May 19, 2020 at 7:01 PM Rudolf J Streif wrote:

> Hi Damien,
> On 5/19/20 7:05 AM, Damien LEFEVRE wrote:
>
> Hi,
>
> I've put GnuPG in my image, and I'd like to deploy a set of public and
> private keys into the system images.
>
> How can I do that from recipes?
>
> You do this with a shell function that is added to
> ROOTFS_POSTPROCESS_COMMAND. Here is a script that I use to create SSH keys:
>
> # Image post-processing to configure sshd
>
> # Setup ssh key login for these users
> SSH_USERS ??= ""
> SSH_DISALLOW_PWAUTH ??= "1"
>
> configure_sshd() {
>     # disallow password authentication
>     if [ "${SSH_DISALLOW_PWAUTH}" = "1" ]; then
>         echo "PasswordAuthentication no" >> ${IMAGE_ROOTFS}/etc/ssh/sshd_config
>     fi
>
>     # keys will be stored in tmp/deploy/keys
>     mkdir -p ${DEPLOY_DIR}/keys
>
>     # create the keys for the users
>     for user in ${SSH_USERS}; do
>         if [ ! -f ${DEPLOY_DIR}/keys/${user}-sshkey ]; then
>             /usr/bin/ssh-keygen -t rsa -N '' \
>                 -f ${DEPLOY_DIR}/keys/${user}-sshkey
>         fi
>
>         # add public key to authorized_keys for the user
>         mkdir -p ${IMAGE_ROOTFS}/home/${user}/.ssh
>         cat ${DEPLOY_DIR}/keys/${user}-sshkey.pub \
>             >> ${IMAGE_ROOTFS}/home/${user}/.ssh/authorized_keys
>     done
> }
> ROOTFS_POSTPROCESS_COMMAND += "configure_sshd;"
>
> I have this script as an include file that I included into my image
> recipes.
>
> :rjs
>
>
> Thanks,
> -Damien
>
> 
>
> --
> -
> Rudolf J Streif
> CEO/CTO ibeeto
> +1.855.442.3386 x700
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#49451): https://lists.yoctoproject.org/g/yocto/message/49451
Mute This Topic: https://lists.yoctoproject.org/mt/74325514/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub  
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-


Re: [yocto] deploy GPG keys into images

2020-05-19 Thread Rudolf J Streif
Hi Damien,

On 5/19/20 7:05 AM, Damien LEFEVRE wrote:
> Hi,
>
> I've put GnuPG in my image, and I'd like to deploy a set of public and
> private keys into the system images.
>
> How can I do that from recipes?
>
You do this with a shell function that is added to
ROOTFS_POSTPROCESS_COMMAND. Here is a script that I use to create SSH keys:

# Image post-processing to configure sshd

# Setup ssh key login for these users
SSH_USERS ??= ""
SSH_DISALLOW_PWAUTH ??= "1"

configure_sshd() {
    # disallow password authentication
    if [ "${SSH_DISALLOW_PWAUTH}" = "1" ]; then
        echo "PasswordAuthentication no" >> ${IMAGE_ROOTFS}/etc/ssh/sshd_config
    fi

    # keys will be stored in tmp/deploy/keys
    mkdir -p ${DEPLOY_DIR}/keys

    # create the keys for the users
    for user in ${SSH_USERS}; do
        if [ ! -f ${DEPLOY_DIR}/keys/${user}-sshkey ]; then
            /usr/bin/ssh-keygen -t rsa -N '' \
                -f ${DEPLOY_DIR}/keys/${user}-sshkey
        fi

        # add public key to authorized_keys for the user
        mkdir -p ${IMAGE_ROOTFS}/home/${user}/.ssh
        cat ${DEPLOY_DIR}/keys/${user}-sshkey.pub \
            >> ${IMAGE_ROOTFS}/home/${user}/.ssh/authorized_keys
    done
}
ROOTFS_POSTPROCESS_COMMAND += "configure_sshd;"

I have this script as an include file that I included into my image recipes.

:rjs


> Thanks,
> -Damien
>
> 

-- 
-
Rudolf J Streif
CEO/CTO ibeeto
+1.855.442.3386 x700



-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#49444): https://lists.yoctoproject.org/g/yocto/message/49444
-=-=-=-=-=-=-=-=-=-=-=-
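
Added example, not part of the original thread or of Rudolf's script: the configure_sshd function above appends "PasswordAuthentication no" to the end of sshd_config, but sshd uses the first value it reads for a keyword, and a line placed after a Match line applies only to that block. The hypothetical helpers below (names and sample config are constructed for illustration) set the keyword in the global section and let the build check the result.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# sshd keeps the FIRST value it reads for a keyword, and anything after a
# "Match" line applies only to that block, so a line appended to the end of
# sshd_config can be silently ineffective. Include files are not followed here.

# set_sshd_option FILE KEYWORD VALUE: set KEYWORD in the global section.
set_sshd_option() {
    tmp="$1.tmp.$$"
    awk -v key="$2" -v val="$3" '
        BEGIN { want = tolower(key) }
        {
            line = $0
            sub(/=/, " ")               # accept the "Keyword=value" spelling
            word = tolower($1)
            if (!in_match && word == "match") {
                if (!done) { print key " " val; done = 1 }
                in_match = 1            # never touch per-Match overrides
            }
            if (!in_match && word == want) {
                if (!done) { print key " " val; done = 1 }
                next                    # drop old and duplicate global values
            }
            print line
        }
        END { if (!done) print key " " val }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"   # keeps file mode
}

# global_sshd_option FILE KEYWORD: print the value sshd would use globally.
global_sshd_option() {
    awk -v key="$2" '
        BEGIN { want = tolower(key) }
        { sub(/=/, " "); word = tolower($1) }
        word == "match" { exit }
        word == want    { print $2; exit }
    ' "$1"
}

# Constructed sample: a stock config that already enables password logins.
write_sample_config() {
    printf '%s\n' 'Port 22' '#PasswordAuthentication no' \
        'PasswordAuthentication yes' 'Match User backup' \
        '    PasswordAuthentication yes' > "$1"
}
```

Inside configure_sshd the call would be set_sshd_option ${IMAGE_ROOTFS}/etc/ssh/sshd_config PasswordAuthentication no, followed by a check that global_sshd_option prints "no".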


[yocto] deploy GPG keys into images

2020-05-19 Thread Damien LEFEVRE
Hi,

I've put GnuPG in my image, and I'd like to deploy a set of public and
private keys into the system images.

How can I do that from recipes?

Thanks,
-Damien
-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#49442): https://lists.yoctoproject.org/g/yocto/message/49442
-=-=-=-=-=-=-=-=-=-=-=-