opkg: allow to configure the path to the signature verification script
authorBaptiste Jonglez <git@bitsofnetworks.org>
Mon, 24 Aug 2020 15:07:40 +0000 (17:07 +0200)
committerDaniel Golle <daniel@makrotopia.org>
Mon, 31 Aug 2020 09:47:25 +0000 (10:47 +0100)
Currently, package index signatures are only checked when opkg runs on the
OpenWrt device.  The verification script is hard-coded to a path in
/usr/sbin/.

Making this path configurable is a first step to implement signature
verification in host builds of opkg (e.g. in the imagebuilder).

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Acked-by: Paul Spooren <mail@aparcar.org>
libopkg/opkg_conf.c
libopkg/opkg_conf.h
libopkg/opkg_download.c
src/opkg-cl.c

index 08855ebcd3d8a7bfbc2c64d61b8e059ab5b22417..38703ee587abed2b2ae4494a28eba3b942d04092 100644 (file)
@@ -72,6 +72,7 @@ opkg_option_t options[] = {
        {"size", OPKG_OPT_TYPE_BOOL, &_conf.size},
        {"tmp_dir", OPKG_OPT_TYPE_STRING, &_conf.tmp_dir},
        {"verbosity", OPKG_OPT_TYPE_INT, &_conf.verbosity},
+       {"verify_program", OPKG_OPT_TYPE_STRING, &_conf.verify_program},
        {NULL, 0, NULL}
 };
 
@@ -572,6 +573,9 @@ int opkg_conf_load(void)
        if (conf->lists_dir == NULL)
                conf->lists_dir = xstrdup(OPKG_CONF_LISTS_DIR);
 
+       if (conf->verify_program == NULL)
+               conf->verify_program = xstrdup(OPKG_CONF_DEFAULT_VERIFY_PROGRAM);
+
        if (conf->offline_root) {
                sprintf_alloc(&tmp, "%s/%s", conf->offline_root,
                              conf->lists_dir);
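Review bot: The default set by `conf->verify_program = xstrdup(OPKG_CONF_DEFAULT_VERIFY_PROGRAM);` is not adjusted when `conf->offline_root` is set, whereas `lists_dir` just below is rewritten relative to the offline root, and nothing records that the difference is deliberate. It presumably is, since the verifier has to run on the host, but it means that with an offline root the signature check is done by a host program rather than anything in the target tree. A comment would make this explicit: `/* verify_program is executed on the host and is intentionally not prefixed with offline_root */`. opkg_conf_load starts and ends outside this hunk.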
index 37f95a1a9935d673cbba5f786d58c150a74e2fa7..91190b37d3fd319e20334ad37ee119a614b8b198 100644 (file)
@@ -35,6 +35,8 @@ extern opkg_conf_t *conf;
 
 #define OPKG_CONF_DEFAULT_CONF_FILE_DIR OPKGETCDIR"/opkg"
 
+#define OPKG_CONF_DEFAULT_VERIFY_PROGRAM "/usr/sbin/opkg-key"
+
 /* In case the config file defines no dest */
 #define OPKG_CONF_DEFAULT_DEST_NAME "root"
 #define OPKG_CONF_DEFAULT_DEST_ROOT_DIR "/"
@@ -85,6 +87,7 @@ struct opkg_conf {
        char *overlay_root;
        int query_all;
        int verbosity;
+       char *verify_program;
        int noaction;
        int size;
        int download_only;
index e9705065aa76e85c63f7c6eef3223638ce313415..7bbf34b9a4def7a2262cd8f0c6649480d6b4704e 100644 (file)
@@ -298,7 +298,7 @@ int opkg_prepare_url_for_install(const char *url, char **namep)
 int opkg_verify_file(char *text_file, char *sig_file)
 {
 #if defined HAVE_USIGN
-       const char *argv[] = { "/usr/sbin/opkg-key", "verify", sig_file,
+       const char *argv[] = { conf->verify_program, "verify", sig_file,
                               text_file, NULL };
 
        return xsystem(argv) ? -1 : 0;
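Review bot: `conf->verify_program` becomes `argv[0]` for `xsystem()` with no check on its form, and the program's exit status is the only verification result. xsystem() is not visible here; if it resolves the program through PATH, a bare name set via the `verify_program` config key or `--verify-program` would make the signature check depend on the caller's environment. Rejecting such values before building argv keeps the check fail-closed: `if (!conf->verify_program || !strchr(conf->verify_program, '/')) return -1;`. A short comment above argv should also state that whoever can set this option decides what counts as a valid signature, so the config file and the invoking command line need the same protection as the keys. The function body continues past the hunk.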
index 40a75027e49308995d743daa4b57bd6e25baac93..01c6e94627af927a59bd63542b9f65e670d64ed5 100644 (file)
@@ -53,6 +53,7 @@ enum {
        ARGS_OPT_CACHE,
        ARGS_OPT_FORCE_SIGNATURE,
        ARGS_OPT_NO_CHECK_CERTIFICATE,
+       ARGS_OPT_VERIFY_PROGRAM,
        ARGS_OPT_SIZE,
 };
 
@@ -109,6 +110,8 @@ static struct option long_options[] = {
        {"lists-dir", 1, 0, 'l'},
        {"lists_dir", 1, 0, 'l'},
        {"verbosity", 2, 0, 'V'},
+       {"verify-program", 1, 0, ARGS_OPT_VERIFY_PROGRAM},
+       {"verify_program", 1, 0, ARGS_OPT_VERIFY_PROGRAM},
        {"version", 0, 0, 'v'},
        {0, 0, 0, 0}
 };
@@ -232,6 +235,9 @@ static int args_parse(int argc, char *argv[])
                case ARGS_OPT_NO_CHECK_CERTIFICATE:
                        conf->no_check_certificate = 1;
                        break;
+               case ARGS_OPT_VERIFY_PROGRAM:
+                       conf->verify_program = xstrdup(optarg);
+                       break;
                case ':':
                        parse_err = -1;
                        break;
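Review bot: `conf->verify_program = xstrdup(optarg);` overwrites any earlier value without releasing it, so repeating `--verify-program` leaks the first copy. Adding `free(conf->verify_program);` before the assignment would avoid that, assuming the field only ever holds heap strings (the other assignment visible in this commit also uses xstrdup). A comment should also state whether the command line or the config file's `verify_program` key takes precedence, since that is decided outside this hunk and determines which program is trusted to verify signatures. args_parse continues beyond the hunk.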
@@ -322,6 +328,8 @@ static void usage()
        printf("                                directory name in a pinch).\n");
        printf("\t-o <dir>              Use <dir> as the root directory for\n");
        printf("\t--offline-root <dir>  offline installation of packages.\n");
+       printf
+           ("\t--verify-program <path> Use the given program to verify usign signatures\n");
        printf
            ("\t--add-arch <arch>:<prio>        Register architecture with given priority\n");
        printf