As part of the RDK-8 release, there is a requirement to bundle browser runtime and UI components as factory applications in the image. However, several challenges exist:

  1. Package Distribution Flexibility: The community does not have access to RDKCentral Artifactory, requiring a flexible solution for package sourcing
  2. Pre-built Uncertainty: There is ongoing uncertainty about whether pre-built packages can be released publicly
  3. Build Integration: Need a seamless mechanism to bundle bolt packages during image assembly
  4. Source Diversity: Packages may come from different sources (artifactory, local files, private servers)

Requirements

  1. Support multiple package sources (HTTP/HTTPS, FTP, local files)
  2. Enable SHA256 verification for package integrity
  3. Integrate cleanly with Yocto's rootfs postprocessing
  4. Provide clear manifest-based configuration
  5. Support both public and private package repositories

Solution Overview

A BitBake class (factory_apps_installer.bbclass) that reads a JSON manifest and installs factory applications into the rootfs during image creation. The solution leverages Yocto's native bb.fetch2 fetcher for robust download handling.

Architecture

[Figure: architecture diagram (arch_1)]

JSON File Format


[
    {
        "packagename": "string",    // Required: Final filename in rootfs
        "srcuri": "string",         // Required: Source URL or file path
        "sha256sum": "string"       // Optional: SHA256 hash for verification
    }
]

Example


[
    {
        "packagename": "refui-5.0.20.bolt",
        "srcuri": "https://github.com/rdkcentral/rdke-refui/releases/download/5.0.20/refui-5.0.20.bolt",
        "sha256sum": "b0f3d00e1deb505a8f95e1ae9e4f88314a68665edccbb1a87ce0867a235e2a6b"
    },
    {
        "packagename": "wpe-webkit-browser.bolt",
        "srcuri": "https://artifactory.example.com/wpe-browser/latest.bolt",
        "sha256sum": "5d6c176b0c95f637da79e125f704aa5d2d8903663761f277e6674a0121cdaec5"
    },
    {
        "packagename": "lightning-ui.bolt",
        "srcuri": "file:///home/jenkins/workspace/builds/lightning-ui.bolt",
        "sha256sum": "a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890"
    },
    {
        "packagename": "experimental-app.bolt",
        "srcuri": "https://nightly.example.com/latest/app.bolt",
        "sha256sum": "a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890"
    }
]

Field Description

| Field | Type | Required | Description |
|---|---|---|---|
| packagename | string | Yes | Final filename when installed in rootfs. Must not contain directory traversal characters (., /, \) |
| srcuri | string | Yes | Supports: http://, https://, ftp://, ftps://, file://, or absolute paths |
| sha256sum | string | No | SHA256 hash for integrity verification. If empty, verification is skipped (warning issued) |

BitBake Class Implementation

https://github.com/rdkcentral/meta-rdk-auxiliary/blob/topic/RDKMVE-1639/classes/install-factoryapps.bbclass

Required Configurations

Set these in the image recipe or local.conf:

# Path to JSON manifest
FACTORY_APPS_JSON_FILE = "${TOPDIR}/../factoryapps.json"

# Installation path in rootfs (without leading /) set in https://github.com/rdkcentral/rdke-common-config/blob/develop/conf/rdke-rdkm-config.inc
FACTORY_APPS_PATH ??= "/usr/share/factory"

Usage in image recipe

# In image recipe (e.g., rdk-fullstack-image.bb)
inherit factory_apps_installer

Benefits

  1. Transparent: JSON file shows exactly what's being installed
  2. Verifiable: SHA256 ensures package integrity
  3. Flexible: Easy to swap package sources
  4. Simple Updates: Change JSON without modifying recipes
  5. Testing: Easy to test different package versions

Security Considerations

  1. SHA256 Verification
    •    Mandatory for production: Always provide SHA256 hashes for production builds
    •    Development flexibility: Can omit SHA for development (warning issued)
    •    Tamper detection: Build fails if downloaded file doesn't match hash
  2. Directory Traversal Protection
    •    Package names validated to prevent ../ attacks
    •    Cannot install outside designated directory
  3. File Permissions
    •    Files installed with 0644 permissions (rw-r--r--)
    •    No execute permissions by default
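
The checks listed under Security Considerations, sketched as stand-alone Python. This is an added example, not the code of the bbclass linked above; check_entry, install, the production flag and the exact packagename rule are assumptions, and the sample data is constructed.

```python
import hashlib, os, pathlib, re, shutil, tempfile
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps", "file"}  # schemes the page lists
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")

def check_entry(entry, production=True):
    """Return a list of problems for one manifest entry; an empty list means OK."""
    problems = []
    name, uri, digest = (entry.get(k, "") for k in ("packagename", "srcuri", "sha256sum"))
    # Assumption: reject path separators and the names "." and "..".
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        problems.append("packagename: must be a bare filename")
    if urlparse(uri).scheme not in ALLOWED_SCHEMES and not uri.startswith("/"):
        problems.append("srcuri: unsupported scheme")
    if not digest and production:
        problems.append("sha256sum: required for production builds")
    elif digest and not SHA256_RE.fullmatch(digest):
        problems.append("sha256sum: not 64 hex characters")
    return problems

def install(entry, fetched_path, dest_dir):
    """Verify the fetched file, then copy it into dest_dir with mode 0644."""
    sha = hashlib.sha256()
    with open(fetched_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha.update(chunk)
    expected = entry.get("sha256sum", "").lower()
    if expected and sha.hexdigest() != expected:
        raise ValueError(f"{entry['packagename']}: sha256 mismatch")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, entry["packagename"]))
    if os.path.dirname(target) != root:  # second check, independent of check_entry
        raise ValueError(f"{entry['packagename']}: resolves outside {root}")
    shutil.copyfile(fetched_path, target)
    os.chmod(target, 0o644)  # rw-r--r--, no execute bit
    return target

def demo():
    """Constructed sample data: returns (problems for a bad entry, installed mode)."""
    data = b"constructed sample payload"
    bad = {"packagename": "../outside.bolt", "srcuri": "gopher://x/y", "sha256sum": "abc"}
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "fetched.bolt")
        pathlib.Path(src).write_bytes(data)
        good = {"packagename": "sample-1.0.bolt", "srcuri": "file://" + src,
                "sha256sum": hashlib.sha256(data).hexdigest()}
        mode = os.stat(install(good, src, tmp)).st_mode & 0o777
    return check_entry(bad), mode
```

Running check_entry over the whole manifest before any fetch lets a production build stop on the first entry that lacks a hash, instead of relying on the warning.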