Sign Opkg Package Indexes

JFrog Artifactory Documentation

JFrog Artifactory
Content Type
User Guide

Artifactory uses your GPG public and private keys to sign and verify Opkg package indexes (note that Artifactory signs repository metadata, not packages).

To learn how to generate a GPG key pair and upload it to Artifactory, see Managing Signing Keys.Manage Signing Keys

Once you have GPG key pair, to have Opkg verify signatures created with the private key you uploaded to Artifactory, you need to import the corresponding public key into Opkg's keychain (requires gnupg).

Importing gpg keys to Opkg's keychain in 0.3 versions

opkg-key add

Importing gpg keys to Opkg's keychain in 0.4 versions

mkdir -p /usr/etc/opkg/gpg
opkg-key add
cp -R /etc/opkg/gpg/* /usr/etc/opkg/gpg

After the key is imported you need to add the check_signature option in your opkg.conf file by adding the following entry:

Opkg signature verification

option check_signature true

Resolving Failed

If resolving fails with the following errors:
"opkg_verify_gpg_signature: No sufficiently trusted public keys found."
"pkg_src_verify: Signature verification failed for <repoName>."

One of the possible reasons can be that the trust level of the is not high enough, and should be upgraded.