imagebuilder: complete support for local signing keys
Complete support for local signing keys for APK. A local key is always generated; mkndx is always called with --allow-untrusted, as it needs to replace the signing key with the new local one. With CONFIG_SIGNATURE_CHECK the local index is signed with the local key. The local public key is added with the ADD_LOCAL_KEY option. Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This commit is contained in:
parent
a8d17c21e4
commit
578f266ad7
@ -47,7 +47,7 @@ apk = \
|
|||||||
IPKG_INSTROOT=$(1) \
|
IPKG_INSTROOT=$(1) \
|
||||||
$(FAKEROOT) $(STAGING_DIR_HOST)/bin/apk \
|
$(FAKEROOT) $(STAGING_DIR_HOST)/bin/apk \
|
||||||
--root $(1) \
|
--root $(1) \
|
||||||
--keys-dir $(TOPDIR) \
|
--keys-dir $(if $(APK_KEYS),$(APK_KEYS),$(TOPDIR)) \
|
||||||
--no-cache \
|
--no-cache \
|
||||||
--no-logfile \
|
--no-logfile \
|
||||||
--preserve-env
|
--preserve-env
|
||||||
|
@ -83,6 +83,8 @@ help: FORCE
|
|||||||
|
|
||||||
|
|
||||||
# override variables from rules.mk
|
# override variables from rules.mk
|
||||||
|
BUILD_KEY_APK_SEC=$(TOPDIR)/keys/local-private-key.pem
|
||||||
|
BUILD_KEY_APK_PUB=$(TOPDIR)/keys/local-public-key.pem
|
||||||
export PACKAGE_DIR:=$(TOPDIR)/packages
|
export PACKAGE_DIR:=$(TOPDIR)/packages
|
||||||
LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR)
|
LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR)
|
||||||
export PACKAGE_DIR_ALL:=$(TOPDIR)/packages
|
export PACKAGE_DIR_ALL:=$(TOPDIR)/packages
|
||||||
@ -94,6 +96,7 @@ OPKG:=$(call opkg,$(TARGET_DIR)) \
|
|||||||
--cache $(DL_DIR) \
|
--cache $(DL_DIR) \
|
||||||
--lists-dir $(LISTS_DIR)
|
--lists-dir $(LISTS_DIR)
|
||||||
|
|
||||||
|
export APK_KEYS:=$(TOPDIR)/keys
|
||||||
APK:=$(call apk,$(TARGET_DIR)) \
|
APK:=$(call apk,$(TARGET_DIR)) \
|
||||||
--repositories-file $(TOPDIR)/repositories \
|
--repositories-file $(TOPDIR)/repositories \
|
||||||
$(if $(CONFIG_SIGNATURE_CHECK),,--allow-untrusted) \
|
$(if $(CONFIG_SIGNATURE_CHECK),,--allow-untrusted) \
|
||||||
@ -180,6 +183,7 @@ ifeq ($(CONFIG_USE_APK),)
|
|||||||
else
|
else
|
||||||
$(APK) add --initdb
|
$(APK) add --initdb
|
||||||
(cd $(PACKAGE_DIR); $(APK) mkndx \
|
(cd $(PACKAGE_DIR); $(APK) mkndx \
|
||||||
|
$(if $(CONFIG_SIGNATURE_CHECK), --keys-dir $(APK_KEYS) --sign $(BUILD_KEY_APK_SEC)) \
|
||||||
--allow-untrusted --output packages.adb *.apk) >/dev/null 2>/dev/null || true
|
--allow-untrusted --output packages.adb *.apk) >/dev/null 2>/dev/null || true
|
||||||
$(APK) update >&2 || true
|
$(APK) update >&2 || true
|
||||||
endif
|
endif
|
||||||
@ -241,6 +245,13 @@ ifeq ($(CONFIG_USE_APK),)
|
|||||||
$(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub \
|
$(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub \
|
||||||
) \
|
) \
|
||||||
)
|
)
|
||||||
|
else
|
||||||
|
$(if $(CONFIG_SIGNATURE_CHECK), \
|
||||||
|
$(if $(ADD_LOCAL_KEY), \
|
||||||
|
mkdir -p $(TARGET_DIR)/etc/opkg/keys/; \
|
||||||
|
cp $(BUILD_KEY_APK_PUB) $(TARGET_DIR)/etc/apk/keys/; \
|
||||||
|
) \
|
||||||
|
)
|
||||||
endif
|
endif
|
||||||
$(call prepare_rootfs,$(TARGET_DIR),$(USER_FILES),$(DISABLED_SERVICES))
|
$(call prepare_rootfs,$(TARGET_DIR),$(USER_FILES),$(DISABLED_SERVICES))
|
||||||
|
|
||||||
@ -288,8 +299,8 @@ ifneq ($(PROFILE),)
|
|||||||
endif
|
endif
|
||||||
|
|
||||||
_check_keys: FORCE
|
_check_keys: FORCE
|
||||||
ifeq ($(CONFIG_USE_APK),)
|
|
||||||
ifneq ($(CONFIG_SIGNATURE_CHECK),)
|
ifneq ($(CONFIG_SIGNATURE_CHECK),)
|
||||||
|
ifeq ($(CONFIG_USE_APK),)
|
||||||
@if [ ! -s $(BUILD_KEY) -o ! -s $(BUILD_KEY).pub ]; then \
|
@if [ ! -s $(BUILD_KEY) -o ! -s $(BUILD_KEY).pub ]; then \
|
||||||
echo Generate local signing keys... >&2; \
|
echo Generate local signing keys... >&2; \
|
||||||
$(STAGING_DIR_HOST)/bin/usign -G \
|
$(STAGING_DIR_HOST)/bin/usign -G \
|
||||||
@ -303,9 +314,15 @@ ifneq ($(CONFIG_SIGNATURE_CHECK),)
|
|||||||
-p $(BUILD_KEY).pub \
|
-p $(BUILD_KEY).pub \
|
||||||
-s $(BUILD_KEY); \
|
-s $(BUILD_KEY); \
|
||||||
fi
|
fi
|
||||||
endif
|
|
||||||
else
|
else
|
||||||
# TODO
|
@if [ ! -s $(BUILD_KEY_APK_SEC) -o ! -s $(BUILD_KEY_APK_PUB) ]; then \
|
||||||
|
echo Generate local signing keys... >&2; \
|
||||||
|
$(STAGING_DIR_HOST)/bin/openssl ecparam -name prime256v1 -genkey -noout -out $(BUILD_KEY_APK_SEC); \
|
||||||
|
sed -i '1s/^/untrusted comment: Local build key\n/' $(BUILD_KEY_APK_SEC); \
|
||||||
|
$(STAGING_DIR_HOST)/bin/openssl ec -in $(BUILD_KEY_APK_SEC) -pubout > $(BUILD_KEY_APK_PUB); \
|
||||||
|
sed -i '1s/^/untrusted comment: Local build key\n/' $(BUILD_KEY_APK_PUB); \
|
||||||
|
fi
|
||||||
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
image:
|
image:
|
||||||
|
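Review bot: In the `@ -241,6 +245,13` hunk the ADD_LOCAL_KEY branch creates `$(TARGET_DIR)/etc/opkg/keys/` but then copies the public key into `$(TARGET_DIR)/etc/apk/keys/`, so unless that directory already exists in the rootfs the `cp` fails and the image ships without the key it needs to verify the locally signed index; the mkdir should read `mkdir -p $(TARGET_DIR)/etc/apk/keys/; \`. In the `@ -303,9 +314,15` hunk the openssl and sed steps are chained with `;`, so a failing `openssl ecparam` does not stop the following commands and the `if` body can leave an empty or partial `$(BUILD_KEY_APK_SEC)` behind with the exit status of the last `sed`; chaining the four commands with `&&` would make the failure visible. The private key is also written with whatever umask the host build runs under, which is presumably 022 and yields a group/world-readable key file; prefixing the generation with `umask 077;` inside the `if` body would keep it owner-only. The enclosing `_check_keys` rule starts outside that hunk.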