From: Erich T. <eri...@th...> - 2019-01-17 13:43:19
Hi

On 17.01.2019 at 06:03, Andrew wrote:
> I didn't work earlier with PGP, can you pls write quick cheatsheet how
> to add key to keyring and how to sign packets on build? Just to hide
> annoying warnings at boot of custom image.
>

Off the top of my head.....

The steps are actually quite straightforward, I had to look them up as I don't have access to my development system.

First be reminded that the gpg installation on your development system will probably be gpg2 with quite an extended command set. The gpg version used in initrd is gpg1, but for our purposes they are compatible.

1) generate a gpg keypair, it will probably be placed somewhere in ~yourname/.gnupg.
   https://www.gnupg.org/gph/en/manual/c14.html#AEN25

2) use the generated key to inline sign the affected or all packages, be careful just to sign unsigned packages.
   https://www.gnupg.org/gph/en/manual/x135.html

3) export the public key from your keyring and add it to the keyring which is used to build initrd, you may need to use gpg1 for this purpose.
   https://www.gnupg.org/gph/en/manual/x56.html
   I sent the details to KP some time ago.

4) use the newly built initrd to boot your system with the packages signed with your new key.

5) if you want to make this permanent, save the extended keyring to git.

I guess we will have to define a policy who will add keys to our git repository but I guess KP is the key person.

regards

ET
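Steps 1 to 3 of the message above, written out as a shell script. This is an added example, not part of the original message or the project's build scripts. It assumes GnuPG 2.1 or later on the build host, takes "inline sign" to mean `gpg --sign`, and uses temporary directories, a constructed key identity and a constructed package file in place of `~/.gnupg`, the real initrd keyring and real packages.

```shell
#!/bin/sh
# Added example: throwaway keyrings under a temp dir; nothing touches ~/.gnupg.
# Assumptions: GnuPG 2.1+; every name, path and file below is constructed.
WORK=$(mktemp -d)
BUILD_HOME="$WORK/build"    # stands in for the developer's ~/.gnupg
INITRD_HOME="$WORK/initrd"  # stands in for the keyring packed into initrd
mkdir -m 700 "$BUILD_HOME" "$INITRD_HOME"

make_key() {  # step 1: unattended key generation (no passphrase, demo only)
    gpg --homedir "$BUILD_HOME" --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Name-Real: Custom Image Builder
Name-Email: builder@example.invalid
Expire-Date: 0
%no-protection
%commit
EOF
}
# Heuristic: the file already parses as an OpenPGP message with a signature.
is_signed() {
    gpg --homedir "$BUILD_HOME" --batch --list-packets "$1" 2>/dev/null |
        grep -q '^:signature packet:'
}
# Step 2: inline-sign in place, skipping packages that are already signed.
sign_if_unsigned() {
    if is_signed "$1"; then echo "skipped $1"; return 0; fi
    gpg --homedir "$BUILD_HOME" --batch --yes --output "$1.tmp" --sign "$1" &&
        mv "$1.tmp" "$1" && echo "signed $1"
}
# Step 3: export the public key and import it into the initrd-side keyring.
publish_key() {
    gpg --homedir "$BUILD_HOME" --batch --armor \
        --export builder@example.invalid > "$WORK/builder.asc" &&
        gpg --homedir "$INITRD_HOME" --batch --quiet --import "$WORK/builder.asc"
}
# What the boot-time check sees: only keys in the initrd-side keyring.
verify_pkg() { gpg --homedir "$INITRD_HOME" --batch --verify "$1" >/dev/null 2>&1; }

demo() {
    PKG="$WORK/sample.pkg"; echo "constructed package payload" > "$PKG"
    make_key || return 1
    FIRST=$(sign_if_unsigned "$PKG"); SECOND=$(sign_if_unsigned "$PKG")
    if verify_pkg "$PKG"; then BEFORE=ok; else BEFORE=fail; fi  # key not yet known
    publish_key || return 1
    if verify_pkg "$PKG"; then AFTER=ok; else AFTER=fail; fi
    echo "$FIRST | $SECOND | before import: $BEFORE | after import: $AFTER"
}
if command -v gpg >/dev/null 2>&1; then demo; else echo "gpg not installed"; fi
gpgconf --homedir "$BUILD_HOME" --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"
```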