imagebuilder: complete support for local signing keys

Complete support for local signing keys for APK.

A local key will be always generated, mkndx is always called with
--allow-untrusted as it needs to replace the sign key with the new local
one.

With CONFIG_SIGNATURE_CHECK the local index is signed with the local
key. Local public key is added with the ADD_LOCAL_KEY option.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>

diff --git a/include/rootfs.mk b/include/rootfs.mk
index c409e442b51d187a3ff7db9d48341c3f4cf19143..e6cadc531df75429f8114c83984f0be8726efbda 100644 (file)
--- a/include/rootfs.mk
+++ b/include/rootfs.mk
@@ -47,7 +47,7 @@ apk = \
   IPKG_INSTROOT=$(1) \
   $(FAKEROOT) $(STAGING_DIR_HOST)/bin/apk \
        --root $(1) \
-       --keys-dir $(TOPDIR) \
+       --keys-dir $(if $(APK_KEYS),$(APK_KEYS),$(TOPDIR)) \
        --no-cache \
        --no-logfile \
        --preserve-env

diff --git a/target/imagebuilder/files/Makefile b/target/imagebuilder/files/Makefile
index 3b1502cf57b1865e0ab3b217d98befb550ba7a65..24de26c7712786af6234efaec5ecdb6c13a040de 100644 (file)
--- a/target/imagebuilder/files/Makefile
+++ b/target/imagebuilder/files/Makefile
@@ -83,6 +83,8 @@ help: FORCE
 
 
 # override variables from rules.mk
+BUILD_KEY_APK_SEC=$(TOPDIR)/keys/local-private-key.pem
+BUILD_KEY_APK_PUB=$(TOPDIR)/keys/local-public-key.pem
 export PACKAGE_DIR:=$(TOPDIR)/packages
 LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR)
 export PACKAGE_DIR_ALL:=$(TOPDIR)/packages
@@ -94,6 +96,7 @@ OPKG:=$(call opkg,$(TARGET_DIR)) \
        --cache $(DL_DIR) \
        --lists-dir $(LISTS_DIR)
 
+export APK_KEYS:=$(TOPDIR)/keys
 APK:=$(call apk,$(TARGET_DIR)) \
        --repositories-file $(TOPDIR)/repositories \
        $(if $(CONFIG_SIGNATURE_CHECK),,--allow-untrusted) \
@@ -180,6 +183,7 @@ ifeq ($(CONFIG_USE_APK),)
 else
        $(APK) add --initdb
        (cd $(PACKAGE_DIR); $(APK) mkndx \
+               $(if $(CONFIG_SIGNATURE_CHECK), --keys-dir $(APK_KEYS) --sign $(BUILD_KEY_APK_SEC)) \
                --allow-untrusted --output packages.adb *.apk) >/dev/null 2>/dev/null || true
        $(APK) update >&2 || true
 endif
@@ -241,6 +245,13 @@ ifeq ($(CONFIG_USE_APK),)
                        $(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub \
                ) \
        )
+else
+       $(if $(CONFIG_SIGNATURE_CHECK), \
+               $(if $(ADD_LOCAL_KEY), \
+                       mkdir -p $(TARGET_DIR)/etc/opkg/keys/; \
+                       cp $(BUILD_KEY_APK_PUB) $(TARGET_DIR)/etc/apk/keys/; \
+               ) \
+       )
 endif
        $(call prepare_rootfs,$(TARGET_DIR),$(USER_FILES),$(DISABLED_SERVICES))
 
@@ -288,8 +299,8 @@ ifneq ($(PROFILE),)
 endif
 
 _check_keys: FORCE
-ifeq ($(CONFIG_USE_APK),)
 ifneq ($(CONFIG_SIGNATURE_CHECK),)
+ifeq ($(CONFIG_USE_APK),)
        @if [ ! -s $(BUILD_KEY) -o ! -s $(BUILD_KEY).pub ]; then \
                echo Generate local signing keys... >&2; \
                $(STAGING_DIR_HOST)/bin/usign -G \
@@ -303,9 +314,15 @@ ifneq ($(CONFIG_SIGNATURE_CHECK),)
                        -p $(BUILD_KEY).pub \
                        -s $(BUILD_KEY); \
        fi
-endif
 else
-       # TODO
+       @if [ ! -s $(BUILD_KEY_APK_SEC) -o ! -s $(BUILD_KEY_APK_PUB) ]; then \
+               echo Generate local signing keys... >&2; \
+               $(STAGING_DIR_HOST)/bin/openssl ecparam -name prime256v1 -genkey -noout -out $(BUILD_KEY_APK_SEC); \
+               sed -i '1s/^/untrusted comment: Local build key\n/' $(BUILD_KEY_APK_SEC); \
+               $(STAGING_DIR_HOST)/bin/openssl ec -in $(BUILD_KEY_APK_SEC) -pubout > $(BUILD_KEY_APK_PUB); \
+               sed -i '1s/^/untrusted comment: Local build key\n/' $(BUILD_KEY_APK_PUB); \
+       fi
+endif
 endif
 
 image: