Adding gpg keys to a yocto image

Let's say I have a secret key and a public key that I want to deploy in /home/root, respectively:

  • secret.gpg
  • public.pub

It is not enough to just copy the keys to the image: the gpg utility has to be used to build its database (the keyring and the trust database) for them.

After browsing the gpg man page (man gpg) I found a lot of command-line options not listed in gpg --help.

--homedir is the option we are going to use to make gpg point to the bitbake package's build directory.

Here I use the gnupg package, which also provides gnupg-native. The gnupg-native package contains the host (x86_64) utility, which we'll use to build the database. Then we'll just install that database into the image.

This recipe imports both the secret and the public key, sets their trust, generates the gnupg database and installs the resulting files:

DESCRIPTION = "Deploys gpg keys and build the database"
LICENSE = "CLOSED"
# Look for the key files next to the recipe, in a <recipe>_<version>/ directory
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}_${PV}:"

SRC_URI += " \
    file://secret.gpg \
    file://public.pub \
"

# gnupg-native builds the database on the host; gnupg is needed on the target to use it
DEPENDS += "gnupg-native"
RDEPENDS_${PN} += "gnupg"

do_configure[noexec] = "1"

do_compile(){
    # ${WORKDIR}/build becomes the temporary gpg home directory
    mkdir -p ${WORKDIR}/build
    # Import the secret key
    gpg --homedir ${WORKDIR}/build --batch --import ${WORKDIR}/secret.gpg

    # Set the trust or the encryption function will report the key as unusable
    # (the key id is read from the packet listing; 5 = ultimate trust, y = confirm, save = write it)
    (echo 5; echo y; echo save) | gpg --homedir ${WORKDIR}/build --command-fd 0 --no-tty --no-greeting -q --edit-key "$(gpg --list-packets ${WORKDIR}/secret.gpg | awk '$1=="keyid:"{print$2;exit}')" trust

    # Import the public key
    gpg --homedir ${WORKDIR}/build --batch --import ${WORKDIR}/public.pub

    # Set the trust or the encryption function will report the key as unusable
    (echo 5; echo y; echo save) | gpg --homedir ${WORKDIR}/build --command-fd 0 --no-tty --no-greeting -q --edit-key "$(gpg --list-packets ${WORKDIR}/public.pub | awk '$1=="keyid:"{print$2;exit}')" trust
}

do_install(){
    install -d ${D}/home/
    install -d ${D}/home/root/
    # gpg refuses to use a home directory that is readable by others
    install -d -m 0700 ${D}/home/root/.gnupg/
    install -d -m 0700 ${D}/home/root/.gnupg/private-keys-v1.d/
    # Copy the private key store as gpg created it (one file per key, mode 0600 preserved)
    cp --no-dereference --preserve=mode,link ${WORKDIR}/build/private-keys-v1.d/*.key ${D}/home/root/.gnupg/private-keys-v1.d/
    # Public keyring and trust database generated in do_compile
    install -m 0644 ${WORKDIR}/build/pubring.kbx ${D}/home/root/.gnupg/
    install -m 0600 ${WORKDIR}/build/trustdb.gpg ${D}/home/root/.gnupg/
}

# Ship everything gpg produced under /home/root/.gnupg in the package
FILES_${PN} += " \
    /home/root/.gnupg/* \
"
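The same build-side procedure, as an added example that is not part of the original post or of the recipe above: it creates a gpg home directory under a throwaway build directory, imports a secret and a public key into it, sets owner trust, and then checks that the files do_install expects (pubring.kbx, trustdb.gpg, private-keys-v1.d/*.key) exist and that every key carries ultimate trust before anything is copied to the image. Instead of the interactive `--edit-key ... trust` dialogue used in the recipe it uses gpg's non-interactive `--import-ownertrust`, keyed by fingerprint. The key pair is a constructed throwaway key generated on the spot; the directory names, the user id and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the post's recipe): build and verify a gpg home directory
# before it is installed into an image. Uses a constructed throwaway key.
set -eu

# gpg warns about an "unsafe permissions" home directory unless it is 0700.
make_homedir() {
    d="$1"
    mkdir -p "$d"
    chmod 0700 "$d"
}

# Fingerprint of the first (primary) key: colon format, "fpr" record, field 10.
first_fingerprint() {
    gpg --homedir "$1" --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}'
}

# Owner trust letter of every primary key: "pub" record, field 9 ("u" = ultimate).
ownertrust_letters() {
    gpg --homedir "$1" --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1=="pub"{print $9}'
}

demo_gpg_homedir() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; nothing to verify" >&2
        return 0
    fi
    tmp=$(mktemp -d)
    src="$tmp/src"      # where the throwaway key is generated (assumed name)
    build="$tmp/build"  # stands in for ${WORKDIR}/build in the recipe
    make_homedir "$src"
    make_homedir "$build"

    # Constructed throwaway key without passphrase so batch export works.
    gpg --homedir "$src" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Image Key <image@example.invalid>" default default never
    gpg --homedir "$src" --batch --pinentry-mode loopback --passphrase '' \
        --armor --export-secret-keys "image@example.invalid" > "$tmp/secret.gpg"
    gpg --homedir "$src" --batch --armor --export "image@example.invalid" > "$tmp/public.pub"

    # The two imports the recipe performs in do_compile.
    gpg --homedir "$build" --batch --import "$tmp/secret.gpg"
    gpg --homedir "$build" --batch --import "$tmp/public.pub"

    # Ultimate owner trust (level 6 in an ownertrust file) keyed by fingerprint;
    # --check-trustdb recomputes key validity from it right away.
    fpr=$(first_fingerprint "$build")
    echo "$fpr:6:" | gpg --homedir "$build" --batch --import-ownertrust
    gpg --homedir "$build" --batch --check-trustdb

    # Files that the recipe's do_install copies must exist.
    test -f "$build/pubring.kbx"
    test -f "$build/trustdb.gpg"
    test -n "$(ls "$build"/private-keys-v1.d/*.key 2>/dev/null)"

    # Every key must carry owner trust "u"; anything else is unusable for encryption.
    for t in $(ownertrust_letters "$build"); do
        [ "$t" = "u" ] || { echo "unexpected ownertrust $t" >&2; return 1; }
    done

    # Stop the agents gpg started for both home directories, then clean up.
    gpgconf --homedir "$build" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$src" --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    echo "keyring under build dir verified: fingerprint $fpr"
}

demo_gpg_homedir
```

The ownertrust line format (`FINGERPRINT:6:`) is what `gpg --export-ownertrust` itself prints, so the same check can be run on the target against /home/root/.gnupg after the image is built. Note that `--list-packets` in the recipe extracts a short key id, whereas the ownertrust file wants the full fingerprint, which is why the fingerprint is read back from the keyring after import.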
