diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml
index 6cb0bcb5f1..e2746d101e 100644
--- a/documentation/dev-manual/dev-manual-common-tasks.xml
+++ b/documentation/dev-manual/dev-manual-common-tasks.xml
@@ -8372,6 +8372,127 @@
+
+ Generating and Using Signed Packages
+
+ In order to add security to RPM packages used during a build,
+ you can take steps to securely sign them.
+ Once a signature is verified, the OpenEmbedded build system
+ can use the package in the build.
+ If security fails for a signed package, the build system
+ aborts the build.
+
+
+
+ This section describes how to sign RPM packages during a build
+ and how to use signed package feeds (repositories) when
+ doing a build.
+
+
+
+ Signing RPM Packages
+
+
+ To enable signing RPM packages, you must set up the
+ following configurations in either your
+ local.config or
+ distro.config file:
+
+ # Inherit sign_rpm.bbclass to enable signing functionality
+ INHERIT += " sign_rpm"
+ # Define the GPG key that will be used for signing.
+ RPM_GPG_NAME = "key_name"
+ # Provide passphrase for the key
+ RPM_GPG_PASSPHRASE = "passphrase"
+
+
+ Be sure to supply appropriate values for both
+ key_name and
+ passphrase
+
+ Aside from the
+ RPM_GPG_NAME and
+ RPM_GPG_PASSPHRASE variables in the
+ previous example, two optional variables related to signing
+ exist:
+
+
+ GPG_BIN:
+ Specifies a gpg binary/wrapper
+ that is executed when the package is signed.
+
+
+ GPG_PATH:
+ Specifies the gpg home
+ directory used when the package is signed.
+
+
+
+
+
+
+ Processing Package Feeds
+
+
+ In addition to being able to sign RPM packages, you can
+ also enable the OpenEmbedded build system to be able to
+ handle previously signed package feeds for both RPM and IPK
+ packages.
+
+ The OpenEmbedded build system does not currently
+ support signed DPKG package feeds.
+
+ The steps you need to take to enable signed package feed
+ use are similar to the steps used to sign RPM packages.
+ You must define the following in your
+ local.config or
+ distro.config file:
+
+ INHERIT += "sign_package_feed"
+ PACKAGE_FEED_GPG_NAME = "key_name"
+ PACKAGE_FEED_GPG_PASSPHRASE_FILE = "path_to_file_containing_passphrase"
+
+ For signed package feeds, the passphrase must exist in a
+ separate file, which is pointed to by the
+ PACKAGE_FEED_GPG_PASSPHRASE_FILE
+ variable.
+ Regarding security, keeping a plain text passphrase out of
+ the configuration is more secure.
+
+
+
+ Aside from the
+ PACKAGE_FEED_GPG_NAME and
+ PACKAGE_FEED_GPG_PASSPHRASE_FILE
+ variables, three optional variables related to signed
+ package feeds exist:
+
+
+ GPG_BIN:
+ Specifies a gpg binary/wrapper
+ that is executed when the package is signed.
+
+
+ GPG_PATH:
+ Specifies the gpg home
+ directory used when the package is signed.
+
+
+ PACKAGE_FEED_GPG_SIGNATURE_TYPE:
+ Specifies the type of gpg
+ signature.
+ This variable applies only to RPM and IPK package
+ feeds.
+ Allowable values for the
+ PACKAGE_FEED_GPG_SIGNATURE_TYPE
+ are "ASC", which is the default and specifies ascii
+ armored, and "BIN", which specifies binary.
+
+
+
+
+
+
Testing Packages With ptest
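Review bot: The "Signing RPM Packages" example puts the key passphrase in plain text in the configuration (RPM_GPG_PASSPHRASE = "passphrase"), while the "Processing Package Feeds" text added further down says that keeping a plain text passphrase out of the configuration is more secure. The RPM section should carry a matching caution, for example advising that the file holding RPM_GPG_PASSPHRASE be kept out of version control and readable only by the build user. Both sections name the files as local.config and distro.config, but the build system's configuration file is local.conf, so these should read local.conf and the distro .conf file. In the opening paragraph, "If security fails for a signed package" is vague; "If signature verification fails" says what is actually checked. Smaller points: the sentence ending in "passphrase" after "Be sure to supply appropriate values" lacks a period, INHERIT += " sign_rpm" has a leading space inside the quotes where INHERIT += "sign_package_feed" does not, and the GPG_BIN and GPG_PATH entries in the feed list still say "when the package is signed" rather than referring to the feed.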