imagebuilder: complete support for local signing keys

Complete support for local signing keys for APK.

A local key will be always generated, mkndx is always called with
--allow-untrusted as it needs to replace the sign key with the new local
one.

With CONFIG_SIGNATURE_CHECK the local index is signed with the local
key. Local public key is added with the ADD_LOCAL_KEY option.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This commit is contained in:
Christian Marangi 2024-10-24 20:45:01 +02:00
parent a8d17c21e4
commit 578f266ad7
No known key found for this signature in database
GPG Key ID: AC001D09ADBFEAD7
2 changed files with 21 additions and 4 deletions

View File

@ -47,7 +47,7 @@ apk = \
IPKG_INSTROOT=$(1) \ IPKG_INSTROOT=$(1) \
$(FAKEROOT) $(STAGING_DIR_HOST)/bin/apk \ $(FAKEROOT) $(STAGING_DIR_HOST)/bin/apk \
--root $(1) \ --root $(1) \
--keys-dir $(TOPDIR) \ --keys-dir $(if $(APK_KEYS),$(APK_KEYS),$(TOPDIR)) \
--no-cache \ --no-cache \
--no-logfile \ --no-logfile \
--preserve-env --preserve-env

View File

@ -83,6 +83,8 @@ help: FORCE
# override variables from rules.mk # override variables from rules.mk
BUILD_KEY_APK_SEC=$(TOPDIR)/keys/local-private-key.pem
BUILD_KEY_APK_PUB=$(TOPDIR)/keys/local-public-key.pem
export PACKAGE_DIR:=$(TOPDIR)/packages export PACKAGE_DIR:=$(TOPDIR)/packages
LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR) LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR)
export PACKAGE_DIR_ALL:=$(TOPDIR)/packages export PACKAGE_DIR_ALL:=$(TOPDIR)/packages
@ -94,6 +96,7 @@ OPKG:=$(call opkg,$(TARGET_DIR)) \
--cache $(DL_DIR) \ --cache $(DL_DIR) \
--lists-dir $(LISTS_DIR) --lists-dir $(LISTS_DIR)
export APK_KEYS:=$(TOPDIR)/keys
APK:=$(call apk,$(TARGET_DIR)) \ APK:=$(call apk,$(TARGET_DIR)) \
--repositories-file $(TOPDIR)/repositories \ --repositories-file $(TOPDIR)/repositories \
$(if $(CONFIG_SIGNATURE_CHECK),,--allow-untrusted) \ $(if $(CONFIG_SIGNATURE_CHECK),,--allow-untrusted) \
@ -180,6 +183,7 @@ ifeq ($(CONFIG_USE_APK),)
else else
$(APK) add --initdb $(APK) add --initdb
(cd $(PACKAGE_DIR); $(APK) mkndx \ (cd $(PACKAGE_DIR); $(APK) mkndx \
$(if $(CONFIG_SIGNATURE_CHECK), --keys-dir $(APK_KEYS) --sign $(BUILD_KEY_APK_SEC)) \
--allow-untrusted --output packages.adb *.apk) >/dev/null 2>/dev/null || true --allow-untrusted --output packages.adb *.apk) >/dev/null 2>/dev/null || true
$(APK) update >&2 || true $(APK) update >&2 || true
endif endif
@ -241,6 +245,13 @@ ifeq ($(CONFIG_USE_APK),)
$(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub \ $(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub \
) \ ) \
) )
else
$(if $(CONFIG_SIGNATURE_CHECK), \
$(if $(ADD_LOCAL_KEY), \
mkdir -p $(TARGET_DIR)/etc/opkg/keys/; \
cp $(BUILD_KEY_APK_PUB) $(TARGET_DIR)/etc/apk/keys/; \
) \
)
endif endif
$(call prepare_rootfs,$(TARGET_DIR),$(USER_FILES),$(DISABLED_SERVICES)) $(call prepare_rootfs,$(TARGET_DIR),$(USER_FILES),$(DISABLED_SERVICES))
@ -288,8 +299,8 @@ ifneq ($(PROFILE),)
endif endif
_check_keys: FORCE _check_keys: FORCE
ifeq ($(CONFIG_USE_APK),)
ifneq ($(CONFIG_SIGNATURE_CHECK),) ifneq ($(CONFIG_SIGNATURE_CHECK),)
ifeq ($(CONFIG_USE_APK),)
@if [ ! -s $(BUILD_KEY) -o ! -s $(BUILD_KEY).pub ]; then \ @if [ ! -s $(BUILD_KEY) -o ! -s $(BUILD_KEY).pub ]; then \
echo Generate local signing keys... >&2; \ echo Generate local signing keys... >&2; \
$(STAGING_DIR_HOST)/bin/usign -G \ $(STAGING_DIR_HOST)/bin/usign -G \
@ -303,9 +314,15 @@ ifneq ($(CONFIG_SIGNATURE_CHECK),)
-p $(BUILD_KEY).pub \ -p $(BUILD_KEY).pub \
-s $(BUILD_KEY); \ -s $(BUILD_KEY); \
fi fi
endif
else else
# TODO @if [ ! -s $(BUILD_KEY_APK_SEC) -o ! -s $(BUILD_KEY_APK_PUB) ]; then \
echo Generate local signing keys... >&2; \
$(STAGING_DIR_HOST)/bin/openssl ecparam -name prime256v1 -genkey -noout -out $(BUILD_KEY_APK_SEC); \
sed -i '1s/^/untrusted comment: Local build key\n/' $(BUILD_KEY_APK_SEC); \
$(STAGING_DIR_HOST)/bin/openssl ec -in $(BUILD_KEY_APK_SEC) -pubout > $(BUILD_KEY_APK_PUB); \
sed -i '1s/^/untrusted comment: Local build key\n/' $(BUILD_KEY_APK_PUB); \
fi
endif
endif endif
image: image: