Synology Unattended GPG key generation to sign Synology Packages

I am going to add a feature to my own version of SSPKS to sign Synology packages, but to do this I need a way to create a GPG key from a non-interactive script.


I found the required documentation here and a sample here. I adapted that sample to:

  • not require a passphrase, as mentioned in the Synology documentation (a passphrase would break the build process);
  • generate some entropy without rng-tools (not available out-of-the-box on a Synology).

Obviously, you need gpg. I am using gpg2, made available by installing the package gpgme via ipkg, as explained here.

Create keys in your personal key rings

First, put the parameters to be used by gpg into a file named 'gpgKey' (don't forget that it must use Linux line endings: LF (\n) only, not CRLF (\r\n)*). Below, I am using RSA 2048. Use your own name, comment and email address.

Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Type Here your name
Name-Comment: Type Here some comment
Name-Email: Type Here your email
Expire-Date: 0
%no-protection
%commit

Next, save the following script in a file named 'createGpgKey.sh' (again, LF line endings only ;) )

#!/usr/bin/env bash
# Create the personal keyring folder and config on first run
if [ ! -f ~/.gnupg/gpg.conf ]; then
    mkdir -p -m 0700 ~/.gnupg
    touch ~/.gnupg/gpg.conf
    chmod 600 ~/.gnupg/gpg.conf
    # start from the skeleton config shipped by the ipkg gnupg package
    tail -n +4 /opt/share/gnupg/gpg-conf.skel > ~/.gnupg/gpg.conf

    # create empty key rings (listed one by one so the script also runs under sh)
    touch ~/.gnupg/pubring.gpg ~/.gnupg/secring.gpg
fi

# generate some entropy: keep the NAS busy while gpg waits for random bytes
# (rng-tools is not available here; this is a stopgap, not a real entropy source)
(dd if=/dev/zero of=/dev/null) & pid=$!

# generate the key from the parameter file (and a folder to be used later ;)
mkdir -p -m 0700 gpg
gpg2 --verbose --batch --gen-key ./gpgKey

# kill the entropy generator
kill "$pid"

Then, move those two files into a public shared folder of your Synology, e.g. '\\<Your Nas>\temp'.

Next, open an SSH console as explained here (no need to enter root mode) and go into the shared folder: cd /var/services/temp

Finally, here is the output you should see when running your script: sh createGpgKey.sh

gpg: skipping control `%no-protection' ()
gpg: writing self signature
gpg: RSA/SHA1 signature from: "1418FFE0 [?]"
gpg: writing key binding signature
gpg: RSA/SHA1 signature from: "1418FFE0 [?]"
gpg: RSA/SHA1 signature from: "71C22B00 [?]"
gpg: writing key binding signature
gpg: RSA/SHA1 signature from: "1418FFE0 [?]"
gpg: RSA/SHA1 signature from: "71C22B00 [?]"
gpg: writing public key to `/var/services/homes/<current user>/.gnupg/pubring.gpg'
gpg: writing secret key to `/var/services/homes/<current user>/.gnupg/secring.gpg'
gpg: /var/services/homes/<current user>/.gnupg/trustdb.gpg: trustdb created
gpg: using PGP trust model
gpg: key 1418FFE0 marked as ultimately trusted

The keys are now stored in your home's .gnupg folder: ls ~/.gnupg/

You can check that the key ids displayed above are stored using:

  • gpg2 --list-keys

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
/var/services/homes/<current user>/.gnupg/pubring.gpg
--------------------------------------------
pub 2048R/1418FFE0 2017-12-26
uid Your Name (Your Comment) Your Email Address
sub 2048R/71C22B00 2017-12-26

  • gpg2 --list-secret-keys

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
/var/services/homes/<current user>/.gnupg/secring.gpg
--------------------------------------------
sec 2048R/1418FFE0 2017-12-26
uid Your Name (Your Comment) Your Email Address
ssb 2048R/71C22B00 2017-12-26

*: the trick to replace all CRLF by LF is to edit the file with Notepad++, use the menu Encoding > Convert to UTF-8, and then press CTRL-H to search and replace \r\n with \n using the search mode "Extended". You can finally check that there is no more CRLF via the menu View > Show Symbol > Show End of Line.

NB: the script can be a bit slow if there is not enough entropy (up to 45 sec on my NAS)... (downloading a big file with Download Station at the same time can help ;)
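As an added example (not part of the original post), here is a small POSIX shell checker for the 'gpgKey' parameter file, to run before gpg2 --batch --gen-key: it catches the CRLF problem from the footnote above, a Key-Length below 2048, a file that contains both %no-protection and a Passphrase: line (the alternative described under "Create keys with a passphrase"), and a missing %commit. The function name check_gpg_params and the sample file are my own constructions.

```shell
#!/usr/bin/env sh
# Added example, not part of the original post: sanity-check a gpg --batch
# parameter file (like the 'gpgKey' file above) before running
# gpg2 --batch --gen-key on it. check_gpg_params is a hypothetical helper.
# It reports: CRLF line endings, %no-protection combined with a Passphrase:
# line, a Key-Length below 2048, and a missing %commit. One line per finding;
# the return value is the number of findings (0 = file looks good; a missing
# file also returns 1).

check_gpg_params() {
  file="$1"
  n=0
  [ -f "$file" ] || { echo "no such file: $file"; return 1; }

  # A literal carriage return anywhere means CRLF line endings.
  if grep -q "$(printf '\r')" "$file"; then
    echo "CRLF line endings found; convert the file to LF"; n=$((n + 1))
  fi

  # Strip any CR so the remaining checks see the intended values.
  body=$(tr -d '\r' < "$file")

  if printf '%s\n' "$body" | grep -q '^%no-protection' &&
     printf '%s\n' "$body" | grep -q '^Passphrase:'; then
    echo "%no-protection and Passphrase: are both present; keep one"; n=$((n + 1))
  fi

  keylen=$(printf '%s\n' "$body" | sed -n 's/^Key-Length:[[:space:]]*//p' | head -n 1)
  case "$keylen" in
    ''|*[!0-9]*) echo "Key-Length missing or not a number"; n=$((n + 1)) ;;
    *) [ "$keylen" -ge 2048 ] || { echo "Key-Length $keylen is below 2048"; n=$((n + 1)); } ;;
  esac

  if ! printf '%s\n' "$body" | grep -q '^%commit'; then
    echo "no %commit line; end the file with one"; n=$((n + 1))
  fi

  return "$n"
}

# Demo on a constructed parameter file saved with Windows (CRLF) line endings.
demo=$(mktemp)
printf 'Key-Type: RSA\r\nKey-Length: 1024\r\n%%no-protection\r\nPassphrase: x\r\n' > "$demo"
check_gpg_params "$demo" || echo "$? problem(s) found"
rm -f "$demo"
```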

You can now export your public key using either your name, your email or the key id (in the illustration above, the key id is 1418FFE0): gpg2 --armor --export 1418FFE0 > gpgkey.asc

This file 'gpgkey.asc' must be copied into the root folder of your SSPKS server; it will then automatically be added as a trusted publisher for anyone who adds your SSPKS URL to their list of "Package Sources".

Now, assume that you have the package to be signed (an spk file) and the 'CodeSign.php' script from Synology's toolkit (it can be downloaded from GitHub) in the same shared folder 'temp' used previously. You can then sign this package using: php CodeSign.php --sign=YourPackage.spk --keydir=~/.gnupg --keyfpr=1418FFE0

Create keys in specific key rings

Instead of using your personal key rings, you may prefer to store your keys in a dedicated folder. To do so, use the following parameters in your gpgKey file:

Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Type Here your name
Name-Comment: Type Here some comment
Name-Email: Type Here your email
Expire-Date: 0
%no-protection
# Write the public key into the file gpg/pubring.gpg
%pubring gpg/pubring.gpg
# Write the secret key into the file gpg/secring.gpg
%secring gpg/secring.gpg
%commit

Once the script createGpgKey.sh has been executed, you will find two files, pubring.gpg and secring.gpg, in the folder gpg (created by the script, which runs in /var/services/temp/).

gpg: Generating a basic OpenPGP key
gpg: skipping control `%no-protection' ()
gpg: writing public key to `gpg/pubring.gpg'
gpg: writing secret key to `gpg/secring.gpg'
gpg: writing self signature
gpg: RSA/SHA1 signature from: "F93A0789 [?]"
gpg: writing key binding signature
gpg: RSA/SHA1 signature from: "F93A0789 [?]"
gpg: RSA/SHA1 signature from: "8AAC41CF [?]"
gpg: writing key binding signature
gpg: RSA/SHA1 signature from: "F93A0789 [?]"
gpg: RSA/SHA1 signature from: "8AAC41CF [?]"

You can now sign your package using: php CodeSign.php --sign=YourPackage.spk --keydir=/var/services/temp/gpg --keyfpr=F93A0789

You can also check your keys using:

  • gpg2 --no-default-keyring --secret-keyring ./gpg/secring.gpg --keyring ./gpg/pubring.gpg --list-secret-keys
  • gpg2 --no-default-keyring --secret-keyring ./gpg/secring.gpg --keyring ./gpg/pubring.gpg --list-keys

And you can export your public key to be used in your SSPKS using:

  • gpg2 --no-default-keyring --keyring ./gpg/pubring.gpg --armor --export F93A0789 > gpgkey.asc

Create keys with a passphrase

In order to provide a passphrase, replace '%no-protection' in the parameters file with:

Passphrase: Type Here your passphrase

Synology Install the Synology Toolkit and Sign SPK packages

For a long time I have been waiting to have enough free time to investigate how to sign my own packages with Synology's toolkit. It's now finally done!


Initial installations

  1. First, install IPKG as explained here.
  2. Next, install the official Synology package "python3".
    1. Alternative: install python3 using the command: ipkg install python3
  3. Then, create a symlink in /usr: ln -s /usr/local/bin/python3 /usr/bin/python3
    1. If using the python installed with ipkg, create the symlink with: ln -s /opt/bin/python3 /usr/bin/python3
  4. Install gpg using the command: ipkg install gpgme
    1. This was needed because gpg was installed on my NAS without gpg-agent (to be investigated later)...
  5. Now, install GIT as explained here.
  6. Finally run:
    1. cd /volume1/
      1. There was not enough free space in the system partition to install the toolkit!
    2. mkdir -p toolkit
    3. cd toolkit/
    4. git clone https://github.com/SynologyOpenSource/pkgscripts-ng pkgscripts
    5. cd pkgscripts/

If you want to use the toolkit for other purposes than signing

You can list the platforms available in the toolkit for your DSM version (e.g. here for 6.1). Run: ./EnvDeploy -v 6.1 --list

It should display a list like this one:

Available platforms: 6281 alpine alpine4k armada370 armada375 armada38x armadaxp avoton braswell broadwell bromolow cedarview comcerto2k dockerx64 evansport grantley hi3535 kvmx64 monaco qoriq x64 rtd1296 denverton apollolake

  • N.B.: The major and minor version of your DSM (e.g. 6.1 for major=6 and minor=1) can be found using: cat /etc.defaults/VERSION
  • N.B.: The platform of your Synology can be found in this list based on your model (see the column "Package Arch"). The model of your Synology can be found by running the command: cat /etc.defaults/synoinfo.conf | grep -m 1 'upnpmodelname' | cut -d "=" -f 2
  • N.B.: You can also check the CPU of your Synology using: cat /proc/cpuinfo | grep -m 1 'model name' | cut -d ":" -f 2 | cut -d "@" -f 1

And you can configure the toolkit by running the following command with your DSM version (e.g. 6.1) and platform (e.g. avoton) as parameters: ./EnvDeploy -v 6.1 -p avoton

  • NB: the platform must be in lower case!

In order to sign packages

You have to create a GPG key. Type: /opt/bin/gpg2 --gen-key

Once prompted, choose:

  • RSA and RSA (default)
  • key size 1024, 2048 or 4096
  • key does not expire
  • and no passphrase: just press 'Enter' without typing any character until gpg accepts to create the key without protection.

gpg (GnuPG) 2.0.18; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: vletroye
Email address: <obfuscated>
Comment: BeatificaBytes' Packages
You selected this USER-ID:
"vletroye <obfuscated>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway. You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 9ABC9981 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/9C293482 2017-12-23
Key fingerprint = 4AB4 051C EF8D 009D 4BF3 D78F EEBC 5B44 9C29 3481
uid vletroye (BeatificaBytes' Packages) <obfuscated>
sub 2048R/4C18D693 2017-12-23

You can now:

  • view public keys using: gpg2 --list-keys
  • view private keys using: gpg2 --list-secret-keys
  • delete a private key: gpg2 --delete-secret-key <user name> (you can also use the <email> or the <key id>, displayed after pub xxxxR/ where xxxx is the key size, e.g. 1024)
    • Ex.: gpg2 --delete-secret-key vletroye
    • Ex.: gpg2 --delete-secret-key 9C293482
  • delete a public key: gpg2 --delete-key <user name>
  • You can also use specific key rings (e.g. if you copied them somewhere other than the user's default folder ~/.gnupg); public keys are read from the --keyring file and secret keys from the --secret-keyring file:
    • gpg2 --no-default-keyring --secret-keyring /root/.gnupg/secring.gpg --list-keys
    • gpg2 --no-default-keyring --secret-keyring /root/.gnupg/secring.gpg --list-secret-keys
    • gpg2 --no-default-keyring --keyring /root/.gnupg/pubring.gpg --list-keys
    • gpg2 --no-default-keyring --keyring /root/.gnupg/pubring.gpg --list-secret-keys

And last but not least... you can finally sign a package located e.g. under /web/packages, using: php CodeSign.php --sign=/volume1/web/packages/YourPackage.spk --keydir=/root/.gnupg --keyfpr=9C293482

Now that this package is signed, add your certificate to the list of trusted publishers in your Synology's Package Center.

  1. First, run: gpg2 --armor --export <user name> > YourCertificate.asc
  2. Next copy this one into a public shared folder. E.g.: cp YourCertificate.asc /volume1/web/packages/
  3. Finally:
    1. import it: Package Center > Settings > Certificate > Import > Browse >
    2. and only trust Synology Inc. and trusted publishers: Package Center > Settings > General

Import Certificate

Trusted Publishers

Instead of manually importing your certificate as illustrated above, if you are using SSPKS to distribute your packages, you can copy it there: cp YourCertificate.asc /var/services/web/sspks/gpgkey.asc

This way, it will automatically be added as a trusted publisher for anyone who adds your SSPKS URL to their list of "Package Sources".

Tips Download all Images from Imgur's account for backup reasons

I spent quite a long hour looking for a way to download all images from my Imgur account.

The solution is damn stupid simple: use the button "Download account images" in the "Settings" page.


Download Imgur Images

This button will download a zip file with all your images...

To download a public album, of any user, you can also simply use MyJdownloader ;)

Synology Plex Server not found after Synology update to DSM 1.10.1.4602

After updating DSM on my Synology, Plex Media Player was not able to find the Plex Server running there.

Plex Server Not Found


Plex Server was clearly running, as I was able to connect via http://<My Synology>:32400/web/index.html

But it was not responding to any request to display Libraries or to play any Movies... To solve this, I had to:

  1. Stop the Plex package via the DSM Package Center
  2. Log in to my NAS as an administrator in an SSH console via PuTTY and enter root mode.
  3. Find the Plex process still running with the command: ps -gaceux | grep plex
    1. This command displayed: plex 13150 0.2 0.2 677640 17832 ? Sl Dec17 7:41 Plex Media Server
  4. Kill Plex's remaining process: kill -9 13150
  5. Possibly also delete Plex's Plugin Service as done here.
  6. Start the Plex package via the DSM Package Center

Et voilà.

IMO, the problem was that I didn't properly stop the Plex package before updating DSM. The Plex instance running at that time apparently didn't shut down completely, but it wasn't really running fine anymore either. Unfortunately, that instance was preventing a new one from starting (as it was still using port 32400).

Freewares Batch Convert SVG to PNG

Conversion SVG

The easiest way to convert a bunch of svg images into png: ConversionSVG + InkScape


It's very straightforward and the quality is much better than with various online tools.

  • Install InkScape first and then ConversionSVG.
  • Run ConversionSVG.
  • Select the output "Format" = .PNG.
  • Select the "Exportation Zone" = Dessin (the drawing).
  • Set the desired "Size" for the output images.
  • Select the "Folder" containing the svg images to be converted.
  • Select below the target folder to store the converted images.
  • Click "Convert".

Et voilà ;)