Commit beca028b authored by Felix Fietkau's avatar Felix Fietkau

build: add integration for managing opkg package feed keys


Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>

SVN-Revision: 45286
parent dde8214d
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
/files /files
/package/feeds /package/feeds
/package/openwrt-packages /package/openwrt-packages
key-build*
*.orig *.orig
*.rej *.rej
*~ *~
......
...@@ -14,6 +14,9 @@ menu "Global build settings" ...@@ -14,6 +14,9 @@ menu "Global build settings"
bool "Select all userspace packages by default" bool "Select all userspace packages by default"
default n default n
config SIGNED_PACKAGES
bool "Cryptographically signed package lists"
comment "General build options" comment "General build options"
config DISPLAY_SUPPORT config DISPLAY_SUPPORT
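Review bot: The new SIGNED_PACKAGES option carries no help text, so nobody enabling it in menuconfig learns that it creates key material in the build tree and changes what the image will accept. I would add a help block under the bool line saying that enabling it generates a usign key pair at $(TOPDIR)/key-build / key-build.pub on first build if none exists (the BUILD_KEY variable), signs every package index with that private key, installs the public half into /etc/opkg/keys via base-files, and appends `option check_signature 1` to opkg.conf so the device refuses unsigned feeds; it should also say that a release build must supply its own key rather than rely on the auto-generated one, since that key is per build tree. Adding an explicit `default n` would match the SELECT_ALL_PACKAGES entry above. The enclosing "Global build settings" menu starts outside the hunk.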
......
...@@ -143,6 +143,14 @@ $(curdir)/index: FORCE ...@@ -143,6 +143,14 @@ $(curdir)/index: FORCE
$(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \ $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
gzip -9c Packages > Packages.gz; \ gzip -9c Packages > Packages.gz; \
); done ); done
ifdef CONFIG_SIGNED_PACKAGES
@echo Signing package index...
@for d in $(PACKAGE_SUBDIRS); do ( \
[ -d $(PACKAGE_DIR)/$$d ] && \
cd $(PACKAGE_DIR)/$$d || continue; \
$(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY); \
); done
else
ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),) ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),)
@echo Signing key has not been configured @echo Signing key has not been configured
else else
...@@ -161,6 +169,7 @@ else ...@@ -161,6 +169,7 @@ else
); done ); done
endif endif
endif endif
endif
$(curdir)/preconfig: $(curdir)/preconfig:
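Review bot: A failure of the new `usign -S` call is never reported to make: the command ends in `;` inside the `( … )` subshell and `); done` discards the subshell's status, so a missing or unreadable $(BUILD_KEY) leaves an unsigned Packages file while the image built alongside it has `check_signature 1` set, and the problem only surfaces as an opkg error on the device. Check the key once before the loop so this becomes a build error, `@[ -s $(BUILD_KEY) ] || { echo "Error: signing key $(BUILD_KEY) not found" >&2; exit 1; }` as the first recipe line under `ifdef CONFIG_SIGNED_PACKAGES`, and propagate a signing failure with `$(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY) || exit 1; \` together with `) || exit 1; done`. As far as I can tell the key is generated by base-files' Build/Configure, so a comment above the ifdef stating that dependency would help the next reader. The `$(curdir)/index` recipe starts outside the hunk.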
......
...@@ -14,9 +14,11 @@ PKG_NAME:=base-files ...@@ -14,9 +14,11 @@ PKG_NAME:=base-files
PKG_RELEASE:=157 PKG_RELEASE:=157
PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/ PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
PKG_BUILD_DEPENDS:=opkg/host PKG_BUILD_DEPENDS:=opkg/host usign/host
PKG_LICENSE:=GPL-2.0 PKG_LICENSE:=GPL-2.0
PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
ifneq ($(DUMP),1) ifneq ($(DUMP),1)
...@@ -29,7 +31,7 @@ endif ...@@ -29,7 +31,7 @@ endif
define Package/base-files define Package/base-files
SECTION:=base SECTION:=base
CATEGORY:=Base system CATEGORY:=Base system
DEPENDS:=+netifd +libc +procd +jsonfilter DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign
TITLE:=Base filesystem for OpenWrt TITLE:=Base filesystem for OpenWrt
URL:=http://openwrt.org/ URL:=http://openwrt.org/
VERSION:=$(PKG_RELEASE)-$(REVISION) VERSION:=$(PKG_RELEASE)-$(REVISION)
...@@ -87,8 +89,23 @@ define Build/Compile/Default ...@@ -87,8 +89,23 @@ define Build/Compile/Default
endef endef
Build/Compile = $(Build/Compile/Default) Build/Compile = $(Build/Compile/Default)
ifdef CONFIG_SIGNED_PACKAGES
define Build/Configure
[ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
$(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"
endef
define Package/base-files/install-key
mkdir -p $(1)/etc/opkg/keys
$(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub`
endef
endif
define Package/base-files/install define Package/base-files/install
$(CP) ./files/* $(1)/ $(CP) ./files/* $(1)/
$(Package/base-files/install-key)
if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \ if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
$(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \ $(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
fi fi
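Review bot: The guard in the new Build/Configure regenerates the key pair whenever either file is missing, so a tree that still holds the private key-build but has lost key-build.pub gets a brand-new private key with `-G`, and every image previously built from this tree stops trusting the feeds it signs. Refuse that case instead of overwriting: add `[ ! -s $(BUILD_KEY) ] || [ -s $(BUILD_KEY).pub ] || { echo "$(BUILD_KEY).pub is missing; refusing to regenerate $(BUILD_KEY)" >&2; false; }` as the first line of Build/Configure and keep the existing `-G` line for the case where no private key exists yet. A short comment above the ifdef noting that this configure step is what creates the key used by package/Makefile's index signing would make that coupling visible. Package/base-files/install continues past the hunk.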
......
...@@ -26,6 +26,8 @@ PKG_REMOVE_FILES = autogen.sh aclocal.m4 ...@@ -26,6 +26,8 @@ PKG_REMOVE_FILES = autogen.sh aclocal.m4
PKG_LICENSE:=GPL-2.0 PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING PKG_LICENSE_FILES:=COPYING
PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
PKG_BUILD_PARALLEL:=1 PKG_BUILD_PARALLEL:=1
HOST_BUILD_PARALLEL:=1 HOST_BUILD_PARALLEL:=1
PKG_INSTALL:=1 PKG_INSTALL:=1
...@@ -91,7 +93,11 @@ CONFIGURE_ARGS += \ ...@@ -91,7 +93,11 @@ CONFIGURE_ARGS += \
--with-opkglockfile=/var/lock/opkg.lock --with-opkglockfile=/var/lock/opkg.lock
ifeq ($(BUILD_VARIANT),smime) ifeq ($(BUILD_VARIANT),smime)
CONFIGURE_ARGS += --enable-openssl --enable-sha256 CONFIGURE_ARGS += --enable-openssl --enable-sha256 --disable-usign
else
ifndef CONFIG_SIGNED_PACKAGES
CONFIGURE_ARGS += --disable-usign
endif
endif endif
MAKE_FLAGS = \ MAKE_FLAGS = \
...@@ -105,6 +111,9 @@ define Package/opkg/Default/install ...@@ -105,6 +111,9 @@ define Package/opkg/Default/install
$(INSTALL_DIR) $(1)/bin $(INSTALL_DIR) $(1)/bin
$(INSTALL_DIR) $(1)/etc $(INSTALL_DIR) $(1)/etc
$(INSTALL_DATA) ./files/opkg$(2).conf $(1)/etc/opkg.conf $(INSTALL_DATA) ./files/opkg$(2).conf $(1)/etc/opkg.conf
ifneq ($(CONFIG_SIGNED_PACKAGES),)
echo "option check_signature 1" >> $(1)/etc/opkg.conf
endif
ifeq ($(CONFIG_PER_FEED_REPO),) ifeq ($(CONFIG_PER_FEED_REPO),)
echo "src/gz %n %U" >> $(1)/etc/opkg.conf echo "src/gz %n %U" >> $(1)/etc/opkg.conf
else else
...@@ -121,7 +130,11 @@ define Package/opkg/Default/install ...@@ -121,7 +130,11 @@ define Package/opkg/Default/install
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/opkg-cl $(1)/bin/opkg $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/opkg-cl $(1)/bin/opkg
endef endef
Package/opkg/install = $(call Package/opkg/Default/install,$(1),) define Package/opkg/install
$(call Package/opkg/Default/install,$(1),)
mkdir $(1)/usr/sbin
$(INSTALL_BIN) ./files/opkg-key $(1)/usr/sbin/
endef
define Package/opkg-smime/install define Package/opkg-smime/install
$(call Package/opkg/Default/install,$(1),-smime) $(call Package/opkg/Default/install,$(1),-smime)
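Review bot: `mkdir $(1)/usr/sbin` in the new Package/opkg/install has no `-p` and, unlike the rest of the install recipe, bypasses the `$(INSTALL_DIR)` helper used for `$(1)/bin` and `$(1)/etc` in Default/install; `$(INSTALL_DIR) $(1)/usr/sbin` is the consistent form and does not fail if the directory already exists. Separately, Default/install is also called from Package/opkg-smime/install, so with CONFIG_SIGNED_PACKAGES set the smime variant also receives `option check_signature 1` although it is configured with `--disable-usign`; if check_signature is the usign code path there, that configuration would reject every feed, so either guard the echo on `$(2)` being empty or confirm the smime build honours the option. Package/opkg-smime/install continues past the hunk.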
......
#!/bin/sh
usage() {
cat <<EOF
Usage: $0 <command> <arguments...>
Commands:
add <file>: Add keyfile <file> to opkg trusted keys
remove <file>: Remove keyfile matching <file> from opkg trusted keys
verify <sigfile> <list>: Check list file <list> against signature file <sigfile>
EOF
exit 1
}
opkg_key_verify() {
local sigfile="$1"
local msgfile="$2"
(
zcat "$msgfile" 2>/dev/null ||
cat "$msgfile" 2>/dev/null
) | usign -V -P /etc/opkg/keys -q -x "$sigfile" -m -
}
opkg_key_add() {
local key="$1"
[ -n "$key" ] || usage
[ -f "$key" ] || echo "Cannot open file $1"
local fingerprint="$(usign -F -p "$key")"
mkdir -p "/etc/opkg/keys"
cp "$key" "/etc/opkg/keys/$fingerprint"
}
opkg_key_remove() {
local key="$1"
[ -n "$key" ] || usage
[ -f "$key" ] || echo "Cannot open file $1"
local fingerprint="$(usign -F -p "$key")"
rm -f "/etc/opkg/keys/$fingerprint"
}
case "$1" in
add)
shift
opkg_key_add "$@"
;;
remove)
shift
opkg_key_remove "$@"
;;
verify)
shift
opkg_key_verify "$@"
;;
*) usage ;;
esac
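Review bot: In opkg_key_add and opkg_key_remove the missing-file check only prints `Cannot open file` and carries on, and the fingerprint returned by `usign -F` is never checked, so a file that exists but is not a valid key yields an empty fingerprint and `cp` places it in /etc/opkg/keys/ under its own basename — the trust directory should only ever contain fingerprint-named keys. Make both checks fatal: `[ -f "$key" ] || { echo "Cannot open file $1" >&2; exit 1; }` and, after computing it, `[ -n "$fingerprint" ] || { echo "Cannot read key fingerprint from $1" >&2; exit 1; }`. With those in place the script's exit status also becomes meaningful for `add`/`remove`, which today return whatever the last `cp`/`rm -f` happened to return; `verify` already passes usign's status through, which is what a caller needs.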
...@@ -207,6 +207,8 @@ else ...@@ -207,6 +207,8 @@ else
TARGET_NM:=$(TARGET_CROSS)nm TARGET_NM:=$(TARGET_CROSS)nm
endif endif
BUILD_KEY=$(TOPDIR)/key-build
TARGET_CC:=$(TARGET_CROSS)gcc TARGET_CC:=$(TARGET_CROSS)gcc
TARGET_CXX:=$(TARGET_CROSS)g++ TARGET_CXX:=$(TARGET_CROSS)g++
KPATCH:=$(SCRIPT_DIR)/patch-kernel.sh KPATCH:=$(SCRIPT_DIR)/patch-kernel.sh
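Review bot: `BUILD_KEY=$(TOPDIR)/key-build` uses recursive assignment while every neighbouring definition in this block (TARGET_NM, TARGET_CC, TARGET_CXX, KPATCH) uses `:=`; `BUILD_KEY:=$(TOPDIR)/key-build` keeps the file consistent and evaluates once. A comment above it would save the next reader a search, e.g. `# private usign key used to sign package indexes; its public half lives in $(BUILD_KEY).pub and both are git-ignored via key-build*`.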
......