On Fri, May 08, 2015 at 02:26:26PM +0000, Sona Sarmadi wrote:
> Thanks Paul for your quick feedback.
>
> > opkg 0.2.x only has support for checking the package feed signature. To use
> > this, add the line 'option check_signature 1' to your opkg.conf file and
> > place a Packages.sig file next to the Packages file in your package feed.
> > ASCII-armoured signatures are not supported.
>
> Ok, even if we can't sign the individual .ipk files, by signing the Packages
> file we can achieve some level of authentication, e.g. if someone tampers
> with the .ipk files they can't change the matching checksum in the
> Packages.sig. The checksumming algorithm used for packages is MD5 now, which
> is not really secure. Is it possible to use another algorithm? I guess if we
> use a better checksum for packages, there is no need for signing each
> individual .ipk patches; signing the package feed (Packages) would be
> enough. Right?
SHA256 is also supported. In OpenEmbedded, use the PACKAGECONFIG 'sha256', then
ensure that your Packages file contains a 'SHA256sum: ...' line for each
package. Again, these instructions are fairly rough as I haven't used them for
a while.

Thanks,

-- 
Paul Barker

Email: p...@paulbarker.me.uk
http://www.paulbarker.me.uk
-- 
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
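To make concrete what the feed-level check in this thread buys you, here is an added example that is not opkg's or OpenEmbedded's own code: a small Python verifier that treats the detached signature over Packages as the root of trust and then chains from the signed index to each .ipk through its 'SHA256sum:' line, refusing entries that only carry 'MD5Sum:' (the weak link Sona asked about). The gpg invocation mirrors what 'option check_signature 1' asks opkg to do and assumes gpg and the feed's signing key are installed; it is not exercised by the embedded sample. The index text, the .ipk byte strings, the field handling and the status strings are constructed for this example.

```python
"""Added example (not opkg/OpenEmbedded code): verify an opkg-style feed.

Trust chain:  signature over Packages -> SHA256sum per entry -> .ipk bytes.
Field names (Package, Filename, MD5Sum, SHA256sum) are those the thread
mentions; the status strings are this example's own convention.
"""
import hashlib
import hmac
import subprocess
from typing import Dict, List


def parse_packages_index(text: str) -> List[Dict[str, str]]:
    """Split a Packages index into stanzas of 'Key: value' lines."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends a stanza
            if current:
                entries.append(current)
                current = {}
            continue
        if line[0] in " \t" and current:  # continuation (multi-line Description)
            last_key = list(current)[-1]
            current[last_key] += "\n" + line.strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def verify_feed_signature(feed_dir: str) -> bool:
    """Root of trust: Packages.sig must verify over Packages (what
    'option check_signature 1' asks opkg to do). Assumes gpg is installed
    and the feed key is in the keyring; not run by the sample below."""
    result = subprocess.run(
        ["gpg", "--batch", "--verify",
         f"{feed_dir}/Packages.sig", f"{feed_dir}/Packages"],
        capture_output=True)
    return result.returncode == 0


def verify_packages(entries: List[Dict[str, str]], blobs: Dict[str, bytes],
                    require_sha256: bool = True) -> Dict[str, str]:
    """Chain from the (already verified) index to each .ipk's bytes.
    With require_sha256=True an MD5-only entry is rejected outright."""
    status: Dict[str, str] = {}
    for entry in entries:
        name = entry.get("Filename") or entry.get("Package", "?")
        data = blobs.get(name)
        if data is None:
            status[name] = "missing"
            continue
        expected = entry.get("SHA256sum")
        if expected:
            actual = hashlib.sha256(data).hexdigest()
            ok = hmac.compare_digest(actual, expected.lower())
            status[name] = "ok" if ok else "sha256-mismatch"
        elif require_sha256:
            status[name] = "no-sha256"
        else:
            actual = hashlib.md5(data).hexdigest()
            ok = hmac.compare_digest(actual, entry.get("MD5Sum", "").lower())
            status[name] = "md5-only-ok" if ok else "md5-mismatch"
    return status


# --- constructed sample data (not real .ipk archives) ----------------------
GOOD_IPK = b"!<arch>\ndebian-binary   constructed-sample-ipk-bytes\n"
TAMPERED_IPK = GOOD_IPK + b"\x00 attacker-appended payload"

SAMPLE_INDEX = "\n".join([
    "Package: libfoo",
    "Filename: libfoo_1.0-r0_armv7a.ipk",
    "MD5Sum: " + hashlib.md5(GOOD_IPK).hexdigest(),
    "SHA256sum: " + hashlib.sha256(GOOD_IPK).hexdigest(),
    "Description: constructed entry",
    " with a continuation line",
    "",
    "Package: libbar",                      # old-style, MD5-only entry
    "Filename: libbar_2.0-r0_armv7a.ipk",
    "MD5Sum: " + hashlib.md5(GOOD_IPK).hexdigest(),
    "",
    "Package: baz",                         # listed but never shipped
    "Filename: baz_0.1-r0_armv7a.ipk",
    "SHA256sum: " + "0" * 64,
])


def demo() -> Dict[str, str]:
    """libfoo was tampered with after signing; libbar has no SHA256sum;
    baz is absent from the feed."""
    blobs = {"libfoo_1.0-r0_armv7a.ipk": TAMPERED_IPK,
             "libbar_2.0-r0_armv7a.ipk": GOOD_IPK}
    return verify_packages(parse_packages_index(SAMPLE_INDEX), blobs)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In a real feed you would call verify_feed_signature() first and abort if it fails, since every SHA256sum line is only as trustworthy as the signature over the file that carries it; with that in place, signing the individual .ipk files adds nothing, but an index that still only has MD5Sum lines leaves the per-package step resting on a broken hash, which is why the example rejects such entries by default.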