Artifactory uses your GPG public and private keys to sign and verify Opkg package indexes (note that Artifactory signs repository metadata, not packages).
To learn how to generate a GPG key pair and upload it to Artifactory, see Managing Signing Keys.
Once you have a GPG key pair, to have Opkg verify signatures created with the private key you uploaded to Artifactory, you need to import the corresponding public key into Opkg's keychain (requires gnupg).
Importing gpg keys to Opkg's keychain in 0.3 versions
opkg-key add key.pub
Importing gpg keys to Opkg's keychain in 0.4 versions
mkdir -p /usr/etc/opkg/gpg
opkg-key add key.pub
cp -R /etc/opkg/gpg/* /usr/etc/opkg/gpg
After the key is imported, enable signature checking by adding the check_signature option to your opkg.conf file with the following entry:
Opkg signature verification
option check_signature true
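The steps above (import the key into the keychain the running opkg version reads, then enforce check_signature) as one POSIX shell script. This is an added example, not part of the Artifactory documentation or the opkg project; it assumes that opkg-key writes keys to /etc/opkg/gpg and that 0.4 and later read /usr/etc/opkg/gpg (inferred from the copy step above), and that the caller supplies the opkg version string.

```shell
#!/bin/sh
# Added example; not Artifactory's or opkg's own code.
# Assumption (inferred from the copy step in the docs): opkg-key stores keys
# under /etc/opkg/gpg, while opkg 0.4+ reads them from /usr/etc/opkg/gpg.

# Print the keychain directory opkg reads for a given opkg version string.
opkg_gpg_dir() {
    case "$1" in
        0.4*|0.[5-9]*|[1-9]*) printf '%s\n' /usr/etc/opkg/gpg ;;
        *)                    printf '%s\n' /etc/opkg/gpg ;;
    esac
}

# Idempotently enforce signature verification in an opkg.conf file:
# rewrite an existing check_signature line (e.g. "false") or append one.
enable_check_signature() {
    conf="$1"
    if grep -q '^option check_signature' "$conf" 2>/dev/null; then
        sed 's/^option check_signature.*/option check_signature true/' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'option check_signature true\n' >> "$conf"
    fi
}

# Exit 0 only when the conf file actually enforces signature checks.
check_signature_enabled() {
    grep -q '^option check_signature true$' "$1" 2>/dev/null
}

# Import a public key and copy it to where this opkg version looks for it.
import_key() {
    key="$1"; version="$2"
    dir=$(opkg_gpg_dir "$version")
    opkg-key add "$key"
    if [ "$dir" != /etc/opkg/gpg ]; then
        mkdir -p "$dir"
        cp -R /etc/opkg/gpg/* "$dir"
    fi
}
```

Run `import_key key.pub "$(opkg --version | awk '{print $3}')"` followed by `enable_check_signature /etc/opkg/opkg.conf` on the target device; the version-extraction command is an assumption about opkg's output format.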
Resolving Failed Verification
If verification fails with the following errors:
"opkg_verify_gpg_signature: No sufficiently trusted public keys found."
"pkg_src_verify: Signature verification failed for <repoName>."
one possible cause is that the trust level of key.pub in Opkg's keychain is not high enough and needs to be raised.