mirror of
git://git.openwrt.org/openwrt/openwrt.git
synced 2025-01-02 20:32:22 +00:00
build: add integration for managing opkg package feed keys
Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 45286
This commit is contained in:
parent
dde8214d16
commit
beca028bd6
1
.gitignore
vendored
1
.gitignore
vendored
@ -15,6 +15,7 @@
|
||||
/files
|
||||
/package/feeds
|
||||
/package/openwrt-packages
|
||||
key-build*
|
||||
*.orig
|
||||
*.rej
|
||||
*~
|
||||
|
@ -14,6 +14,9 @@ menu "Global build settings"
|
||||
bool "Select all userspace packages by default"
|
||||
default n
|
||||
|
||||
config SIGNED_PACKAGES
|
||||
bool "Cryptographically signed package lists"
|
||||
|
||||
comment "General build options"
|
||||
|
||||
config DISPLAY_SUPPORT
|
||||
|
@ -143,6 +143,14 @@ $(curdir)/index: FORCE
|
||||
$(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
|
||||
gzip -9c Packages > Packages.gz; \
|
||||
); done
|
||||
ifdef CONFIG_SIGNED_PACKAGES
|
||||
@echo Signing package index...
|
||||
@for d in $(PACKAGE_SUBDIRS); do ( \
|
||||
[ -d $(PACKAGE_DIR)/$$d ] && \
|
||||
cd $(PACKAGE_DIR)/$$d || continue; \
|
||||
$(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY); \
|
||||
); done
|
||||
else
|
||||
ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),)
|
||||
@echo Signing key has not been configured
|
||||
else
|
||||
@ -161,6 +169,7 @@ else
|
||||
); done
|
||||
endif
|
||||
endif
|
||||
endif
|
||||
|
||||
$(curdir)/preconfig:
|
||||
|
||||
|
@ -14,9 +14,11 @@ PKG_NAME:=base-files
|
||||
PKG_RELEASE:=157
|
||||
|
||||
PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
|
||||
PKG_BUILD_DEPENDS:=opkg/host
|
||||
PKG_BUILD_DEPENDS:=opkg/host usign/host
|
||||
PKG_LICENSE:=GPL-2.0
|
||||
|
||||
PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
||||
ifneq ($(DUMP),1)
|
||||
@ -29,7 +31,7 @@ endif
|
||||
define Package/base-files
|
||||
SECTION:=base
|
||||
CATEGORY:=Base system
|
||||
DEPENDS:=+netifd +libc +procd +jsonfilter
|
||||
DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign
|
||||
TITLE:=Base filesystem for OpenWrt
|
||||
URL:=http://openwrt.org/
|
||||
VERSION:=$(PKG_RELEASE)-$(REVISION)
|
||||
@ -87,8 +89,23 @@ define Build/Compile/Default
|
||||
endef
|
||||
Build/Compile = $(Build/Compile/Default)
|
||||
|
||||
ifdef CONFIG_SIGNED_PACKAGES
|
||||
define Build/Configure
|
||||
[ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
|
||||
$(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"
|
||||
|
||||
endef
|
||||
|
||||
define Package/base-files/install-key
|
||||
mkdir -p $(1)/etc/opkg/keys
|
||||
$(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub`
|
||||
|
||||
endef
|
||||
endif
|
||||
|
||||
define Package/base-files/install
|
||||
$(CP) ./files/* $(1)/
|
||||
$(Package/base-files/install-key)
|
||||
if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
|
||||
$(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
|
||||
fi
|
||||
|
@ -26,6 +26,8 @@ PKG_REMOVE_FILES = autogen.sh aclocal.m4
|
||||
PKG_LICENSE:=GPL-2.0
|
||||
PKG_LICENSE_FILES:=COPYING
|
||||
|
||||
PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
|
||||
|
||||
PKG_BUILD_PARALLEL:=1
|
||||
HOST_BUILD_PARALLEL:=1
|
||||
PKG_INSTALL:=1
|
||||
@ -91,7 +93,11 @@ CONFIGURE_ARGS += \
|
||||
--with-opkglockfile=/var/lock/opkg.lock
|
||||
|
||||
ifeq ($(BUILD_VARIANT),smime)
|
||||
CONFIGURE_ARGS += --enable-openssl --enable-sha256
|
||||
CONFIGURE_ARGS += --enable-openssl --enable-sha256 --disable-usign
|
||||
else
|
||||
ifndef CONFIG_SIGNED_PACKAGES
|
||||
CONFIGURE_ARGS += --disable-usign
|
||||
endif
|
||||
endif
|
||||
|
||||
MAKE_FLAGS = \
|
||||
@ -105,6 +111,9 @@ define Package/opkg/Default/install
|
||||
$(INSTALL_DIR) $(1)/bin
|
||||
$(INSTALL_DIR) $(1)/etc
|
||||
$(INSTALL_DATA) ./files/opkg$(2).conf $(1)/etc/opkg.conf
|
||||
ifneq ($(CONFIG_SIGNED_PACKAGES),)
|
||||
echo "option check_signature 1" >> $(1)/etc/opkg.conf
|
||||
endif
|
||||
ifeq ($(CONFIG_PER_FEED_REPO),)
|
||||
echo "src/gz %n %U" >> $(1)/etc/opkg.conf
|
||||
else
|
||||
@ -121,7 +130,11 @@ define Package/opkg/Default/install
|
||||
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/opkg-cl $(1)/bin/opkg
|
||||
endef
|
||||
|
||||
Package/opkg/install = $(call Package/opkg/Default/install,$(1),)
|
||||
define Package/opkg/install
|
||||
$(call Package/opkg/Default/install,$(1),)
|
||||
mkdir $(1)/usr/sbin
|
||||
$(INSTALL_BIN) ./files/opkg-key $(1)/usr/sbin/
|
||||
endef
|
||||
|
||||
define Package/opkg-smime/install
|
||||
$(call Package/opkg/Default/install,$(1),-smime)
|
||||
|
56
package/system/opkg/files/opkg-key
Executable file
56
package/system/opkg/files/opkg-key
Executable file
@ -0,0 +1,56 @@
|
||||
#!/bin/sh
|
||||
|
||||
usage() {
|
||||
cat <<EOF
|
||||
Usage: $0 <command> <arguments...>
|
||||
Commands:
|
||||
add <file>: Add keyfile <file> to opkg trusted keys
|
||||
remove <file>: Remove keyfile matching <file> from opkg trusted keys
|
||||
verify <sigfile> <list>: Check list file <list> against signature file <sigfile>
|
||||
|
||||
EOF
|
||||
exit 1
|
||||
}
|
||||
|
||||
opkg_key_verify() {
|
||||
local sigfile="$1"
|
||||
local msgfile="$2"
|
||||
|
||||
(
|
||||
zcat "$msgfile" 2>/dev/null ||
|
||||
cat "$msgfile" 2>/dev/null
|
||||
) | usign -V -P /etc/opkg/keys -q -x "$sigfile" -m -
|
||||
}
|
||||
|
||||
opkg_key_add() {
|
||||
local key="$1"
|
||||
[ -n "$key" ] || usage
|
||||
[ -f "$key" ] || echo "Cannot open file $1"
|
||||
local fingerprint="$(usign -F -p "$key")"
|
||||
mkdir -p "/etc/opkg/keys"
|
||||
cp "$key" "/etc/opkg/keys/$fingerprint"
|
||||
}
|
||||
|
||||
opkg_key_remove() {
|
||||
local key="$1"
|
||||
[ -n "$key" ] || usage
|
||||
[ -f "$key" ] || echo "Cannot open file $1"
|
||||
local fingerprint="$(usign -F -p "$key")"
|
||||
rm -f "/etc/opkg/keys/$fingerprint"
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
add)
|
||||
shift
|
||||
opkg_key_add "$@"
|
||||
;;
|
||||
remove)
|
||||
shift
|
||||
opkg_key_remove "$@"
|
||||
;;
|
||||
verify)
|
||||
shift
|
||||
opkg_key_verify "$@"
|
||||
;;
|
||||
*) usage ;;
|
||||
esac
|
Loading…
Reference in New Issue
Block a user