add APK signing logic
authorPaul Spooren <mail@aparcar.org>
Tue, 6 Aug 2024 16:03:21 +0000 (18:03 +0200)
committerPaul Spooren <mail@aparcar.org>
Sat, 10 Aug 2024 11:19:10 +0000 (13:19 +0200)
With this commit it's possible to sign APK package indexes
(packages.adb) via the `signall.sh` script, which is run on the
buildmaster. As a consequence `apk` must be available on the
buildmaster. This is the final step to replace OPKG with APK.

Signed-off-by: Paul Spooren <mail@aparcar.org>
docker/config.ini
phase1/config.ini.example
phase1/master.cfg
phase2/config.ini.example
phase2/master.cfg
scripts/signall.sh

index 6278d3decbc098a2c841faf9d616d33dfa183f89..9da83eb3580ab36189ce107f6cfbc02f450ff60a 100644 (file)
@@ -131,6 +131,12 @@ comment = Example GPG key
 key = RWRCSwAAAADUvtjCkFEF4bWWxpPBo9o8R5FK6Rz5aPUsaZONLu8kxIjud9Fd+Mgu7J2fFJDVyKFAXNH6pKS+AuBW3v+TQT5m1J0W/JYTjqzIrgAZhRtm5v3vSKRl3HUD2zEEbG5j3tg=
 comment = Example usign key
 
+[apk]
+key = -----BEGIN EC PRIVATE KEY-----
+       MHcCAQEEIIP54p1G0UgCleLObh07Gxq0S0Iz22OQpkUj8S1AzXB9oAoGCCqGSM49
+       ...
+       -----END EC PRIVATE KEY-----
+
 [worker 1]
 phase = 1
 name = buildworker-phase1
index ced5ccb9dae2e2875622b14565abc2072810e6de..455507e50fc2d4970e1567d4a910c8acdfea4f80 100644 (file)
@@ -36,6 +36,10 @@ gpg_passphrase = secret password
 gpg_comment = Unattended build signature
 usign_key = RWRCSwAAA...OihABfuLvGRVfVaJ6wLf0=
 usign_comment = Unattended build signature
+apk_key = -----BEGIN EC PRIVATE KEY-----
+       MHcCAQEEIIP54p1G0UgCleLObh07Gxq0S0Iz22OQpkUj8S1AzXB9oAoGCCqGSM49
+       ...
+       -----END EC PRIVATE KEY-----
 binary_url = user@example.org::upload-binary
 binary_password = example
 source_url = user@example.org::upload-sources
index cefeaf0e44d1f20e89a037874a16d9802ec55214..3203d9da8fc75606737db4e66234c9326094c5ea 100644 (file)
@@ -1370,7 +1370,8 @@ def prepareFactory(target):
                 "find bin/targets/%(kw:target)s/%(kw:subtarget)s%(prop:libc)s/ "
                 "bin/targets/%(kw:target)s/%(kw:subtarget)s%(prop:libc)s/kmods/ "
                 "-mindepth 1 -maxdepth 2 -type f -name sha256sums -print0 -or "
-                "-name Packages -print0 | xargs -0 tar -czf sign.tar.gz",
+                "-name Packages -print0 -or -name packages.adb -print0 "
+                "| xargs -0 tar -czf sign.tar.gz",
                 target=target,
                 subtarget=subtarget,
             ),
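Review bot: In the extended find expression `-type f` still binds only to `-name sha256sums`, because find's implicit `-and` has higher precedence than `-or`, so the `-name Packages -print0` branch and the new `-name packages.adb -print0` branch match entries of any type. Grouping the names restores the intended filter: `"-mindepth 1 -maxdepth 2 -type f \\( -name sha256sums -or -name Packages -or -name packages.adb \\) -print0 "` followed by `"| xargs -0 tar -czf sign.tar.gz",`. The same precedence applies to the single-line `command` string changed in phase2/master.cfg. The enclosing prepareFactory() call continues outside the hunk.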
index ec0e6dbfc355cec938cc05867d4ac490de261fa4..eda9763530ed30a6df6f10b20d9b449b9220f094 100644 (file)
@@ -46,6 +46,12 @@ comment = Unattended build signature
 key = RWRCSwAAA...OihABfuLvGRVfVaJ6wLf0=
 comment = Unattended build signature
 
+[apk]
+key = -----BEGIN EC PRIVATE KEY-----
+       MHcCAQEEIIP54p1G0UgCleLObh07Gxq0S0Iz22OQpkUj8S1AzXB9oAoGCCqGSM49
+       ...
+       -----END EC PRIVATE KEY-----
+
 [worker 1]
 phase = 2
 name = worker-example-1
@@ -57,4 +63,3 @@ phase = 2
 name = worker-example-2
 password = example2
 builds = 3
-
index c399c66eb0fc9467e250e85d6b2652d99388abab..940831b0ce5a633dfbb0dc2a534f301bb778ff97 100644 (file)
@@ -591,7 +591,7 @@ for arch in arches:
                        name = "signpack",
                        description = "Packing files to sign",
                        workdir = "build/sdk",
-                       command = "find bin/packages/%s/ -mindepth 2 -maxdepth 2 -type f -name Packages -print0 | xargs -0 tar -czf sign.tar.gz" %(arch[0]),
+                       command = "find bin/packages/%s/ -mindepth 2 -maxdepth 2 -type f -name Packages -print0 -or -name packages.adb -print0 | xargs -0 tar -czf sign.tar.gz" %(arch[0]),
                        haltOnFailure = True
                ))
 
index b06844d9c4a78678951838da387bfcb8adcd73b3..c15c9f25951969ef67badefb3e3de06c8e5e4d43 100755 (executable)
@@ -58,6 +58,8 @@ GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" gpg comment)"
 
 USIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" usign key)"
 USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" usign comment)"
+
+APKSIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" apk key)"
 else
 GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_key")"
 GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_passphrase")"
@@ -65,6 +67,8 @@ GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_comment")
 
 USIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "usign_key")"
 USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "usign_comment")"
+
+APKSIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "apk_key")"
 fi
 
 if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
@@ -101,6 +105,15 @@ if [ -n "$USIGNKEY" ]; then
                signify-openbsd -S -s "$(readlink -f "$tmpdir/usign.sec")" -m "{}" \; || finish 5
 fi
 
+if [ -n "$APKSIGNKEY" ]; then
+    umask 077
+    echo "$APKSIGNKEY" > "$tmpdir/apk.pem"
+
+    umask 022
+    find "$tmpdir/tar/" -type f -name "packages.adb" -exec \
+        "${APK_BIN:-apk}" adbsign --allow-untrusted --sign-key "$(readlink -f "$tmpdir/apk.pem")" "{}" \; || finish 6
+fi
+
 tar -C "$tmpdir/tar/" -czf "$tarball" . || finish 6
 
 finish 0
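Review bot: The `|| finish 6` on the new `find ... -exec "${APK_BIN:-apk}" adbsign ... \;` line does not fire when signing fails: with the `\;` form a non-zero status from the exec'd command only makes the `-exec` predicate false, find itself still exits 0, and an index that could not be signed is silently packed into the tarball (the signify-openbsd line above has the same shape). Iterating over the indexes explicitly and aborting on the first failure fixes this, as below; the `read -d ''` assumes the script runs under bash, which the hunk does not show — if it is `#!/bin/sh`, the `-exec ... {} +` form, whose exit status does propagate, is the portable alternative provided `adbsign` accepts several files. Separately, `finish 6` is already the code used for the `tar -czf` failure two lines below, so a distinct code (e.g. `finish 7`) keeps signing and packing failures distinguishable. Writing the key with `printf '%s\n' "$APKSIGNKEY"` instead of `echo` is also preferable for data that starts with `-`.
```shell
if [ -n "$APKSIGNKEY" ]; then
    umask 077
    printf '%s\n' "$APKSIGNKEY" > "$tmpdir/apk.pem"

    umask 022
    # A non-zero status from the command run by `find -exec ... \;` does not
    # change find's own exit status, so loop explicitly and stop on failure.
    find "$tmpdir/tar/" -type f -name "packages.adb" -print0 \
        | while IFS= read -r -d '' index; do
            "${APK_BIN:-apk}" adbsign --allow-untrusted \
                --sign-key "$(readlink -f "$tmpdir/apk.pem")" "$index" || exit 1
        done || finish 7
fi
```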