Yocto recipe for secure APT repository

Question

I have a private APT repository configured with a GPG key and a self-signed certificate. I want to access the repository from a device with a yocto generated OS. I am trying to create a recipe for communicating the device with the remote repository. This is, until now, the recipe myrepo_1.0.0.bb:

SUMMARY = "Install files for APT secure repository"
DESCRIPTION = "Copy security configuration files for enable secure APT communication with remote repository"
LICENSE = "CLOSED"

DEPENDS = "package-index ca-certificates-native"

FILESEXTRAPATHS_prepend := "${THISDIR}/files:"

SRC_URI += "\
  file://myrepo.gpg \
  file://myrepo.crt \
"

do_install_append() {
  install -d ${D}${sysconfdir}/${PN}
  install -m 0644 ${WORKDIR}/myrepo.gpg ${D}${sysconfdir}/${PN}/
  install -m 0644 ${WORKDIR}/myrepo.crt ${D}${sysconfdir}/${PN}/
  install -d ${D}usr/local/share/ca-certificates
  ln -s ${sysconfdir}/${PN}/myrepo.crt ${D}usr/local/share/ca-certificates/
}

In the recipe, I am trying to copy the GPG key (myrepo.gpg) and the self-signed certificate (myrepo.crt).

Regarding the CRT key: I have followed these instructions to manually add the certificate, but when I do it, the certificate is not working on the device.

Regarding the GPG key: I successfully copy the key in the device, but I am not able to use it. For using it, the file /etc/apt/sources.list must contain the signed-by directive specifying the path to the gpg key. Ex: deb [signed-by=/etc/myrepo/myrepo.gpg] https://myrepo.com/all ./, but if I add the directive in my local.conf like this:

PACKAGE_CLASSES ?= "package_deb"
PACKAGE_FEED_URIS = "[signed-by=/etc/myrepo/myrepo.gpg] https://myrepo.com"

The result is the directive treated as a new repository:

deb [signed-by=/etc/myrepo/myrepo.gpg] ./
deb https://myrepo.com/all ./

Could anyone help me with the recipe to automatically configure the repository?

Answer 1

I finally found a way to add the https certificate and to add the GPG signature.

I added the certificate and key files on build time using do_install_append function, and I have to use the function pkg_postinst_ontarget_${PN} (see mega-manual) to change the apt repository configuration on runtime (only the first run). Could not find a way to change the sources.list on build time which could be a more elegant way, but this works perfectly:

;; This buffer is for text that is not saved, and for Lisp evaluation.
;; To create a file, visit it with C-x C-f and enter text in its buffer.

SUMMARY = "Install files for APT myrepository repository"
DESCRIPTION = "Copy security configuration files for enable secure APT communication with myrepository repository"
LICENSE = "CLOSED"

DEPENDS = "ca-certificates-native"
RDEPENDS_{PN} = "apt"

FILESEXTRAPATHS_prepend := "${THISDIR}/files:"

SRC_URI += "\
  file://myrepo.gpg \
  file://myrepo.crt \
"

do_install_append() {
  install -d ${D}${sysconfdir}/${PN}
  install -m 0644 ${WORKDIR}/myrepo.gpg ${D}${sysconfdir}/${PN}/
  install -m 0644 ${WORKDIR}/myrepo.crt ${D}${sysconfdir}/${PN}/
}

pkg_postinst_${PN}() {
  echo "192.168.200.6 myrepo.com" >> $D/etc/hosts
  cat $D/etc/myrepo/myrepo.crt >> $D/etc/ssl/certs/ca-certificates.crt
}

pkg_postinst_ontarget_${PN}() {
   sed -i 's/https/[signed-by=\/etc\/myrepo\/myrepo.gpg] https/g' $D/etc/apt/sources.list
}