build: add script to sign packages
This script allows image signing indipendend of the actual build
process, to run on a master server after receiving freshly backed
images. Idea is to avoid storying private keys on third party builders
while still beeing to be able to sign packages.
Run ./scripts/sign_images.sh with the following env vars:
* TOP_DIR where to search for sysupgrade.bin images
* BUILD_KEY place of key-build{,.pub,.ucert}
* REMOVE_OTHER_SIGNATURES removes signatures added by e.g. buildbots
Only sysupgrade.bin files are touched as factory.bin signatures wouldn't
be evaluated on stock from.
Signed-off-by: Paul Spooren <mail@aparcar.org>
This commit is contained in:
Paul Spooren
John Crispin
parent
4a45e69d19
commit
2ae5100d70
|
|
@ -0,0 +1,27 @@
|
|||
#!/bin/sh
|
||||
|
||||
# directory where search for images
|
||||
TOP_DIR="${TOP_DIR:-./bin/targets}"
|
||||
# key to sign images
|
||||
BUILD_KEY="${BUILD_KEY:-key-build}" # TODO unifiy naming?
|
||||
# remove other signatures (added e.g. by buildbot)
|
||||
REMOVE_OTER_SIGNATURES="${REMOVE_OTER_SIGNATURES:-1}"
|
||||
|
||||
# find all sysupgrade images in TOP_DIR
|
||||
# factory images don't need signatures as non OpenWrt system doen't check them anyway
|
||||
for image in $(find $TOP_DIR -type f -name "*-sysupgrade.bin"); do
|
||||
# check if image actually support metadata
|
||||
if fwtool -i /dev/null "$image"; then
|
||||
# remove all previous signatures
|
||||
if [ -n "$REMOVE_OTER_SIGNATURES" ]; then
|
||||
while [ "$?" = 0 ]; do
|
||||
fwtool -t -s /dev/null "$image"
|
||||
done
|
||||
fi
|
||||
# run same operation as build root does for signing
|
||||
cp "$BUILD_KEY.ucert" "$image.ucert"
|
||||
usign -S -m "$image" -s "$BUILD_KEY" -x "$image.sig"
|
||||
ucert -A -c "$image.ucert" -x "$image.sig"
|
||||
fwtool -S "$image.ucert" "$image"
|
||||
fi
|
||||
done
|
||||
Loading…
Reference in New Issue