Sign Package (only for DSM6.X)

Signing mechanism is deprecated after DSM7.0, you don't need this if you are developing package for DSM7.0

Between DSM5.1 and DSM6.X, we have a built-in code sign mechanism to ensure the package's publisher integrity. The toolkit has a CodeSign.php script to sign the package with GnuPG keys. If you do not have a GPG key, you will need to generate one.

Setup existing GPG key

If you have your own GPG key (without a passphrase) already, you will need to put the private key under /root/.gnupg of each platform (e.g., /toolkit/build_env/ds.${platform}-6.2/root/.gnupg/).

The package signing scripts now only support keys generated by GPG 2.1. If you don't have your own GPG key or you are using GPG keys in GPG 2.2 format, you need to prepare GPG tool and generate one.

Setup GPG tool provided by dist

If your dist provides GPG 2.1, install gpg with your package management tool in your dist. For ubuntu developers, you may run apt-get install gpg gpg-agent to setup GPG tool.

Make sure you are using GPG 2.1. If your dist does not provides GPG 2.1, Follow the instructions in the next section to prepare your GPG tool.

Setup GPG tool with docker

Assume you're developing on avoton platform with DSM version 6.2, and /tmp/gpgkey is the temporary folder saving the GPG key generated.

mkdir /tmp/gpgkey
docker run --rm -it -v /tmp/gpgkey:/root/.gnupg -e GPG_TTY=/dev/console vladgh/gpg:0.2.3 --gen-key
mv /tmp/gpgkey /path/to/build_env/ds.avoton-6.2/root/.gnupg

Generate GPG key with gpg

gpg --gen-key

> Please select what kind of key you want:
   (1) RSA and RSA (default)
> choose key size and enter your name, email
> enter a passphrase: just press Enter without typing any character

WARNING: Please make sure that you do not type any characters in the passphrase field, otherwise the build process will FAIL.

After completing the steps above, the key will be generated under ~/.gnupg. You need to move them into the chroot environment.

cp ~/.gnupg/* /toolkit/build_env/ds.${platform}-6.2/root/.gnupg/

You can also use the following commands to verify whether the key has successfully imported or not.

cd /toolkit/build_env/ds.${platform}-6.2/
chroot .
gpg -K

The output may produce the following message:

/root/.gnupg/secring.gpg
------------------------
sec   2048R/145E0AFD 2015-12-21
uid                  Synology Inc. <synology_inc@synology.com>
ssb   2048R/E0C20F11 2015-12-21

Sign the package

If you want PkgCreate.py to sign the package automatically, you can use the PkgCreate.py without the --no-sign option. For example, the following command indicates PkgCreate.py to build and install your project without a signature.

PkgCreate.py -i ${project}

In addition, if you want to sign the package on your own, you can use the following command to sign your package manually.

chroot /toolkit/build_env/ds.${platform}-${version}
php /pkgscripts-ng/CodeSign.php [option] --sign=package-path

Options:
--keydir=keyrings directory (default is /root/.gnupg)
--keyfpr=key's fingerprint (default is "". Under this circumstances, we will using the first key in the key directory to sign the package)

Examples:
php /pkgscripts-ng/CodeSign.php --sign=phpBB-3.0.12-0031.spk
php /pkgscripts-ng/CodeSign.php --keydir=/root/.gpg --keyfpr=C1BF63CD --sign=phpBB-3.0.12-0031.spk