Signing Yocto APT Packages for a Local ARM64 Server
1. Generate and Configure GPG Key
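# Use a dedicated key for repository signing (it lives on the build host),
# not a personal key.
gpg --full-generate-key
# Choose RSA 4096, set an expiry, enter name/email
gpg --list-secret-keys --keyid-format LONG
# Note the long key ID printed after "rsa4096/" (e.g., ABCD1234EF567890).
# This is the 16-hex key ID, not the 40-hex fingerprint; `gpg --fingerprint`
# prints the latter if you prefer to pin that instead.
# Make it the default signing key so --detach-sign later needs no --local-user.
# The guard keeps a re-run from appending a second default-key line.
grep -qs '^default-key ' ~/.gnupg/gpg.conf \
  || echo "default-key ABCD1234EF567890" >> ~/.gnupg/gpg.conf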
2. Prepare APT Repository Directory
# Flat repository directory served by the web server; the Yocto deb output
# for the wandboard machine is copied into it.
repo_dir=/var/www/html/repositories/wandboard/binary-armhf
mkdir -p "$repo_dir"
cp build/tmp/deploy/deb/wandboard/*.deb "$repo_dir/"
3. Generate and Sign APT Metadata
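cd /var/www/html/repositories/wandboard/binary-armhf || exit 1
# Keep the uncompressed index as well: apt verifies the decompressed file
# against the Release entry for "Packages", so both files are listed below.
dpkg-scanpackages . /dev/null > Packages
gzip -9c Packages > Packages.gz
# Release header. The original heredoc was lost in this page; the field values
# here are constructed examples -- adjust them to the repository.
cat > Release <<EOF
Origin: local-yocto
Label: wandboard
Description: Local Yocto APT repository (wandboard, armhf)
Date: $(date -Ru)
EOF
# Emit one " <hash> <size> <name>" Release line per file for the given
# checksum tool. The size is read from the file itself: the 2nd field of
# md5sum/sha256sum output is the file name, which the original awk pushed
# through %16d as size 0, an entry apt rejects as a size mismatch.
release_hashes() {
  local tool=$1; shift
  local f sum
  for f in "$@"; do
    sum=$("$tool" -- "$f" | awk '{print $1}')
    printf ' %s %16d %s\n' "$sum" "$(wc -c <"$f")" "$f"
  done
}
{
  echo "MD5Sum:"
  release_hashes md5sum Packages Packages.gz
  echo "SHA256:"
  release_hashes sha256sum Packages Packages.gz
} >> Release
# --batch --yes keeps a re-run non-interactive and overwrites the old signature
gpg --batch --yes --armor --detach-sign --output Release.gpg Release
# InRelease (inline signature) is what current apt tries first; Release.gpg
# stays for older clients
gpg --batch --yes --clearsign --output InRelease Release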
4. Configure APT Client
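# Export the public key in binary form: apt reads "*.gpg" keyrings as binary,
# so an --armor export saved under a .gpg name is not usable by signed-by.
gpg --export ABCD1234EF567890 > yocto.gpg
# Keep the key out of /etc/apt/trusted.gpg.d/: anything there is trusted for
# every configured repository. A keyring under /etc/apt/keyrings/ is only
# trusted for the sources that name it via signed-by, which is the intent.
sudo install -d -m 0755 /etc/apt/keyrings
sudo install -m 0644 yocto.gpg /etc/apt/keyrings/yocto.gpg
# The signature covers integrity and authenticity of the index; plain http does
# not give confidentiality, nor freshness unless the Release carries Valid-Until.
echo "deb [signed-by=/etc/apt/keyrings/yocto.gpg] http://<server-ip>/repositories/wandboard/ binary-armhf/" \
  | sudo tee /etc/apt/sources.list.d/yocto.list >/dev/null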
5. Yocto Meta Layer: meta-localapt
Create Class: classes/localapt-sign.bbclass
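# Root of the served repository; override in local.conf or the distro conf.
LOCALAPT_REPO_ROOT ?= "/var/www/html/repositories"

# Emit one " <hash> <size> <name>" Release line per file for the given
# checksum tool. The size is read from the file: the 2nd field of
# md5sum/sha256sum output is the file name, which the original awk pushed
# through %16d as size 0, an entry apt rejects.
localapt_hash_lines() {
    tool="$1"; shift
    for f in "$@"; do
        sum=$("$tool" -- "$f" | awk '{print $1}')
        printf ' %s %16d %s\n' "$sum" "$(wc -c <"$f")" "$f"
    done
}

# Copy this machine's .deb output into the served directory, regenerate the
# Packages index and Release file, and sign them with the build user's
# default gpg key.
do_deploy_apt_repository() {
    # Lower-case shell variables so bitbake does not try to expand them.
    dest_dir="${LOCALAPT_REPO_ROOT}/${MACHINE}/binary-${DPKG_ARCH}"
    mkdir -p "$dest_dir"
    # The task is added to every recipe, so concurrent instances would race on
    # Packages/Release in the shared directory; hold a lock while rewriting.
    (
        flock 9
        cp -v "${DEPLOY_DIR_DEB}/${MACHINE}/"*.deb "$dest_dir/"
        cd "$dest_dir"
        # Uncompressed index too: apt checks the decompressed file against
        # the Release entry for "Packages".
        dpkg-scanpackages . /dev/null > Packages
        gzip -9c Packages > Packages.gz
        # Release header: the original heredoc was lost in this page; the
        # values are constructed examples.
        cat > Release <<EOF
Origin: local-yocto
Label: ${MACHINE}
Description: Local Yocto APT repository for ${MACHINE}
Date: $(date -Ru)
EOF
        {
            echo "MD5Sum:"
            localapt_hash_lines md5sum Packages Packages.gz
            echo "SHA256:"
            localapt_hash_lines sha256sum Packages Packages.gz
        } >> Release
        # Non-interactive signing with the build user's default-key; --yes
        # overwrites the previous signature. gpg has to be reachable from the
        # task environment (HOSTTOOLS) -- confirm for the release in use.
        gpg --batch --yes --armor --detach-sign --output Release.gpg Release
        gpg --batch --yes --clearsign --output InRelease Release
    ) 9>"$dest_dir/.lock"
}
# dpkg-scanpackages comes from dpkg-native rather than the host
do_deploy_apt_repository[depends] += "dpkg-native:do_populate_sysroot"
addtask do_deploy_apt_repository after do_package_write_deb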
Layer Configuration
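BBPATH .= ":${LAYERDIR}"
BBFILES += "${LAYERDIR}/recipes-*/*/*.bb"
BBFILE_COLLECTIONS += "localapt"
BBFILE_PATTERN_localapt := "^${LAYERDIR}/"
BBFILE_PRIORITY_localapt = "6"
# Required by current bitbake: the Yocto release series this layer is tested
# with (placeholder -- set it to the series in use).
LAYERSERIES_COMPAT_localapt = "<yocto-release-series>"
# BBCLASS_EXTEND is not a bitbake variable (the similarly named BBCLASSEXTEND
# is the per-recipe native/nativesdk mechanism). A class is enabled globally
# with INHERIT, here or in conf/local.conf.
INHERIT += "localapt-sign"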
Summary
- GPG Key – For metadata signing
- Packages.gz / Release.gpg – Required by APT
- Client setup – Trusted key and sources
- Yocto Layer – Automates deployment