GPG Support in Opkg

Thomas Wood thomas at
Thu May 15 13:19:22 CEST 2008

I've just made some important changes to the GPG support in Opkg, which
means it should now be quite usable.

A repository is signed by creating a detached signature on the Packages
file, to create Packages.sig. This is downloaded by opkg and used to
verify the Packages file.


This is a utility taken straight from Debian (apt-key) which can be used
to install and remove public keys from the keychain. Keys are stored
in /etc/opkg, but I have also added an offline root option to opkg-key
to allow managing keys in an offline root. This should be useful when
building file system images.


Currently, when opkg imports the keys from /etc/opkg/trusted.gpg it
stores them in ~/.gnupg. I haven't found a way in gpgme to just import
the keys temporarily into the keychain.



OpenedHand Ltd.

Unit R Homesdale Business Center / 216-218 Homesdale Road /
Bromley / BR1 2QZ / UK             Tel: +44 (0)20 8819 6559

Expert Open Source For Consumer Devices -

More information about the opkg-devel mailing list