NI Linux Real-Time and opkg-keyrings: Upgrading keyrings

Introduction

The opkg-keyrings package is a critical component in systems using opkg for package management. It contains a collection of public signing keys used to verify the authenticity and integrity of the package feeds.

The opkg-keyrings package is updated periodically to add new keys or remove expired keys. It is important to keep the keyrings up to date to ensure that packages can be verified and installed correctly.

This document provides instructions on how to upgrade the opkg-keyrings package on NI Linux Real-Time systems.

Opkg Signing

The package feeds are signed with a private key and the corresponding public key is included in the opkg-keyrings package. When the feed is updated, opkg checks the feed signature against the public key to verify its authenticity and integrity.

  1. Generate and Sign the Package Index

    • A pair of private and public keys is created using a tool like gpg.

    • The private key is used to sign the package index (the Packages and Packages.gz files in the case of NILRT).

    • A detached signature (Packages.asc) is generated and placed alongside the Packages file.

    • The public key is distributed to the target systems.

  2. Verify Signature When a Feed is Updated

    • When opkg updates a package feed, it verifies the signature of the Packages file using the public key.

  3. Trust Management

    • The public key is preloaded or added to the system’s trusted keyring, such as opkg-key (see How keys are added to the opkg-keyrings for more details on how this is accomplished).

    • While updating the feed (running opkg update), opkg verifies the signature.
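The three steps above can be walked through end to end with throwaway keys. This is an added example, not NI's or opkg's own tooling: it assumes GnuPG 2.1 or later, uses a constructed signer identity and a constructed Packages file in a temporary directory, and uses plain gpg as a stand-in for the check opkg performs during a feed update.

```shell
#!/bin/sh
# Added example: throwaway keys and a constructed Packages index; plain gpg
# stands in for the signature check opkg performs during a feed update.

demo_feed_signature() {
    command -v gpg >/dev/null 2>&1 || return 1
    work=$(mktemp -d) || return 1
    signer="$work/signer"; target="$work/target"; feed="$work/feed"
    mkdir -m 700 "$signer" "$target" && mkdir "$feed" || return 1

    # Step 1a: the feed maintainer creates a signing key pair (constructed
    # identity, empty passphrase so the demo runs unattended).
    gpg --homedir "$signer" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Example Feed Signer <feed@example.invalid>' ed25519 sign never \
        2>/dev/null || return 1

    # Step 1b: sign the package index; Packages.asc sits beside Packages.
    printf 'Package: example-pkg\nVersion: 1.0-r0\nArchitecture: all\n\n' \
        > "$feed/Packages"
    gpg --homedir "$signer" --batch --quiet --armor --detach-sign \
        --output "$feed/Packages.asc" "$feed/Packages" || return 1

    # Steps 1 and 3: only the public key travels to the target's keyring.
    gpg --homedir "$signer" --batch --armor --export > "$work/feed-key.asc"
    gpg --homedir "$target" --batch --quiet --import "$work/feed-key.asc" \
        2>/dev/null || return 1

    # Step 2: the target verifies the index against the detached signature.
    verify() {
        if gpg --homedir "$target" --batch --verify \
            "$feed/Packages.asc" "$feed/Packages" >/dev/null 2>&1
        then echo good; else echo bad; fi
    }
    untouched=$(verify)

    # Any change to the index after signing must make verification fail.
    printf 'Package: injected-pkg\n' >> "$feed/Packages"
    modified=$(verify)

    gpgconf --homedir "$signer" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$untouched $modified"
}

demo_feed_signature || echo "demo did not run (is gpg installed?)" >&2
```

The function prints the verification result for the index as signed, then for the same index after one line has been appended to it.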

How keys are added to the opkg-keyrings

The Base System Image includes the signing keys, typically located at /usr/share/opkg/keyrings, preloaded into the keyring.

However, if the signing keys used by the feeds are rotated, the target system requires an update to add the new key and remove any obsolete keys no longer in use.

The latest version of the opkg-keyrings package, available on the distribution feed (https://download.ni.com/#ni-linux-rt/feeds/dist/), is built with the updated signing keys. Upgrading this package on the target system installs the new signing key to /usr/share/opkg/keyrings, updates the keyring by adding the new key, and removes any deprecated keys no longer used to sign the feeds.