From 2ae5100d707057c29ed2ebdd0ae31b50a333f95b Mon Sep 17 00:00:00 2001
From: Paul Spooren
Date: Tue, 24 Sep 2019 12:32:56 -1000
Subject: [PATCH] build: add script to sign packages
This script allows image signing indipendend of the actual build process, to run on a master server after receiving freshly backed images. Idea is to avoid storying private keys on third party builders while still beeing to be able to sign packages. Run ./scripts/sign_images.sh with the following env vars: * TOP_DIR where to search for sysupgrade.bin images * BUILD_KEY place of key-build{,.pub,.ucert} * REMOVE_OTHER_SIGNATURES removes signatures added by e.g. buildbots Only sysupgrade.bin files are touched as factory.bin signatures wouldn't be evaluated on stock from.
Signed-off-by: Paul Spooren
---
scripts/sign_images.sh | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100755 scripts/sign_images.sh
diff --git a/scripts/sign_images.sh b/scripts/sign_images.sh
new file mode 100755
index 0000000000..c41b21e091
--- /dev/null
+++ b/scripts/sign_images.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# directory where search for images
+TOP_DIR="${TOP_DIR:-./bin/targets}"
+# key to sign images
+BUILD_KEY="${BUILD_KEY:-key-build}" # TODO unifiy naming?
+# remove other signatures (added e.g. by buildbot)
+REMOVE_OTER_SIGNATURES="${REMOVE_OTER_SIGNATURES:-1}"
+
+# find all sysupgrade images in TOP_DIR
+# factory images don't need signatures as non OpenWrt system doen't check them anyway
+for image in $(find $TOP_DIR -type f -name "*-sysupgrade.bin"); do
+ # check if image actually support metadata
+ if fwtool -i /dev/null "$image"; then
+ # remove all previous signatures
+ if [ -n "$REMOVE_OTER_SIGNATURES" ]; then
+ while [ "$?" = 0 ]; do
+ fwtool -t -s /dev/null "$image"
+ done
+ fi
+ # run same operation as build root does for signing
+ cp "$BUILD_KEY.ucert" "$image.ucert"
+ usign -S -m "$image" -s "$BUILD_KEY" -x "$image.sig"
+ ucert -A -c "$image.ucert" -x "$image.sig"
+ fwtool -S "$image.ucert" "$image"
+ fi
+done
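Review bot: Nothing in the loop checks the result of `cp`, `usign -S`, `ucert -A` or `fwtool -S`, and the script has no `set -e`, so once the previous signatures are stripped a failed signing step (for example an unreadable `$BUILD_KEY`) leaves the image without the intended signature while the script still exits 0. The variable is read as `REMOVE_OTER_SIGNATURES` although the commit message documents `REMOVE_OTHER_SIGNATURES`, and because of `:-1` an empty value falls back to 1, so stripping cannot be switched off. `while [ "$?" = 0 ]` relies on the status of whatever command ran last, and the unquoted `$(find $TOP_DIR …)` splits paths on whitespace. The fence below changes those four points; it may also be worth verifying the builder's signature before removing it, since after this step the master key's signature is the only attestation left on the image.

```sh
#!/bin/sh
# abort on the first failed signing step instead of exiting 0
set -eu

# … unchanged: TOP_DIR and BUILD_KEY defaults …
# plain "-" keeps an explicitly empty value, so REMOVE_OTHER_SIGNATURES= disables stripping
REMOVE_OTHER_SIGNATURES="${REMOVE_OTHER_SIGNATURES-1}"

find "$TOP_DIR" -type f -name "*-sysupgrade.bin" | while IFS= read -r image; do
	# … unchanged: fwtool -i metadata check …
		if [ -n "$REMOVE_OTHER_SIGNATURES" ]; then
			# loop on fwtool's own exit status until no signature is left
			while fwtool -t -s /dev/null "$image"; do :; done
		fi
		# … unchanged: cp, usign, ucert, fwtool -S and the closing fi/done …
```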