build: add integration for managing opkg package feed keys
authorFelix Fietkau <nbd@openwrt.org>
Mon, 6 Apr 2015 19:39:51 +0000 (19:39 +0000)
committerFelix Fietkau <nbd@openwrt.org>
Mon, 6 Apr 2015 19:39:51 +0000 (19:39 +0000)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 45286

.gitignore
config/Config-build.in
package/Makefile
package/base-files/Makefile
package/system/opkg/Makefile
package/system/opkg/files/opkg-key [new file with mode: 0755]
rules.mk

index 1bef86e97137eaf11c234ac6c08f8008536ca3a2..cd86e34cda73b42451a98291c662f93ec6e3ad9c 100644 (file)
@@ -15,6 +15,7 @@
 /files
 /package/feeds
 /package/openwrt-packages
+key-build*
 *.orig
 *.rej
 *~
@@ -22,4 +23,4 @@
 *#
 .emacs.desktop*
 TAGS*~
-git-src
\ No newline at end of file
+git-src
index 582724eff1a887127dc0f9407e426fe5c586c64b..78582ab415f2b1dde22e050e3229a511999723e0 100644 (file)
@@ -14,6 +14,9 @@ menu "Global build settings"
                bool "Select all userspace packages by default"
                default n
 
+       config SIGNED_PACKAGES
+               bool "Cryptographically signed package lists"
+
        comment "General build options"
 
        config DISPLAY_SUPPORT
index a6b34be0f485c650971e1771de417ec6aa666cc6..d5212f09a84fd0867fc2498439b2b9de93bec59f 100644 (file)
@@ -143,6 +143,14 @@ $(curdir)/index: FORCE
                $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
                        gzip -9c Packages > Packages.gz; \
        ); done
+ifdef CONFIG_SIGNED_PACKAGES
+       @echo Signing package index...
+       @for d in $(PACKAGE_SUBDIRS); do ( \
+               [ -d $(PACKAGE_DIR)/$$d ] && \
+                       cd $(PACKAGE_DIR)/$$d || continue; \
+               $(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY); \
+       ); done
+else
 ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),)
        @echo Signing key has not been configured
 else
@@ -161,6 +169,7 @@ else
        ); done
 endif
 endif
+endif
 
 $(curdir)/preconfig:
 
index d0d93e5ed6d0788fd1433e90cb9df2b9b631bb6b..0bba313702f0f9a3b42122b4b6beed929296d355 100644 (file)
@@ -14,9 +14,11 @@ PKG_NAME:=base-files
 PKG_RELEASE:=157
 
 PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
-PKG_BUILD_DEPENDS:=opkg/host
+PKG_BUILD_DEPENDS:=opkg/host usign/host
 PKG_LICENSE:=GPL-2.0
 
+PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
+
 include $(INCLUDE_DIR)/package.mk
 
 ifneq ($(DUMP),1)
@@ -29,7 +31,7 @@ endif
 define Package/base-files
   SECTION:=base
   CATEGORY:=Base system
-  DEPENDS:=+netifd +libc +procd +jsonfilter
+  DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign
   TITLE:=Base filesystem for OpenWrt
   URL:=http://openwrt.org/
   VERSION:=$(PKG_RELEASE)-$(REVISION)
@@ -87,8 +89,23 @@ define Build/Compile/Default
 endef
 Build/Compile = $(Build/Compile/Default)
 
+ifdef CONFIG_SIGNED_PACKAGES
+  define Build/Configure
+       [ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
+               $(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"
+
+  endef
+
+  define Package/base-files/install-key
+       mkdir -p $(1)/etc/opkg/keys
+       $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub`
+
+  endef
+endif
+
 define Package/base-files/install
        $(CP) ./files/* $(1)/
+       $(Package/base-files/install-key)
        if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
                $(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
        fi
index 391adfa0d9e6489daf210c14799a02a0e4e39a61..4f30ec2114882db68a8d51cbabec40491a3d3bfa 100644 (file)
@@ -26,6 +26,8 @@ PKG_REMOVE_FILES = autogen.sh aclocal.m4
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
 
+PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
+
 PKG_BUILD_PARALLEL:=1
 HOST_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
@@ -91,7 +93,11 @@ CONFIGURE_ARGS += \
        --with-opkglockfile=/var/lock/opkg.lock
 
 ifeq ($(BUILD_VARIANT),smime)
-       CONFIGURE_ARGS += --enable-openssl --enable-sha256
+       CONFIGURE_ARGS += --enable-openssl --enable-sha256 --disable-usign
+else
+  ifndef CONFIG_SIGNED_PACKAGES
+    CONFIGURE_ARGS += --disable-usign
+  endif
 endif
 
 MAKE_FLAGS = \
@@ -105,6 +111,9 @@ define Package/opkg/Default/install
        $(INSTALL_DIR) $(1)/bin
        $(INSTALL_DIR) $(1)/etc
        $(INSTALL_DATA) ./files/opkg$(2).conf $(1)/etc/opkg.conf
+  ifneq ($(CONFIG_SIGNED_PACKAGES),)
+       echo "option check_signature 1" >> $(1)/etc/opkg.conf
+  endif
   ifeq ($(CONFIG_PER_FEED_REPO),)
        echo "src/gz %n %U" >> $(1)/etc/opkg.conf
   else
@@ -121,7 +130,11 @@ define Package/opkg/Default/install
        $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/opkg-cl $(1)/bin/opkg
 endef
 
-Package/opkg/install = $(call Package/opkg/Default/install,$(1),)
+define Package/opkg/install
+       $(call Package/opkg/Default/install,$(1),)
+       mkdir $(1)/usr/sbin
+       $(INSTALL_BIN) ./files/opkg-key $(1)/usr/sbin/
+endef
 
 define Package/opkg-smime/install
        $(call Package/opkg/Default/install,$(1),-smime)
diff --git a/package/system/opkg/files/opkg-key b/package/system/opkg/files/opkg-key
new file mode 100755 (executable)
index 0000000..ae5e8a4
--- /dev/null
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+usage() {
+       cat <<EOF
+Usage: $0 <command> <arguments...>
+Commands:
+  add <file>:                  Add keyfile <file> to opkg trusted keys
+  remove <file>:               Remove keyfile matching <file> from opkg trusted keys
+  verify <sigfile> <list>:     Check list file <list> against signature file <sigfile>
+
+EOF
+       exit 1
+}
+
+opkg_key_verify() {
+       local sigfile="$1"
+       local msgfile="$2"
+
+       (
+               zcat "$msgfile" 2>/dev/null ||
+               cat "$msgfile" 2>/dev/null
+       ) | usign -V -P /etc/opkg/keys -q -x "$sigfile" -m -
+}
+
+opkg_key_add() {
+       local key="$1"
+       [ -n "$key" ] || usage
+       [ -f "$key" ] || echo "Cannot open file $1"
+       local fingerprint="$(usign -F -p "$key")"
+       mkdir -p "/etc/opkg/keys"
+       cp "$key" "/etc/opkg/keys/$fingerprint"
+}
+
+opkg_key_remove() {
+       local key="$1"
+       [ -n "$key" ] || usage
+       [ -f "$key" ] || echo "Cannot open file $1"
+       local fingerprint="$(usign -F -p "$key")"
+       rm -f "/etc/opkg/keys/$fingerprint"
+}
+
+case "$1" in
+       add)
+               shift
+               opkg_key_add "$@"
+               ;;
+       remove)
+               shift
+               opkg_key_remove "$@"
+               ;;
+       verify)
+               shift
+               opkg_key_verify "$@"
+               ;;
+       *) usage ;;
+esac
index e61cc3fde9a100b1e649f3003b316490c9fc5294..e13d8ccc9fc5df35edec772a98897081f25bb17c 100644 (file)
--- a/rules.mk
+++ b/rules.mk
@@ -207,6 +207,8 @@ else
   TARGET_NM:=$(TARGET_CROSS)nm
 endif
 
+BUILD_KEY=$(TOPDIR)/key-build
+
 TARGET_CC:=$(TARGET_CROSS)gcc
 TARGET_CXX:=$(TARGET_CROSS)g++
 KPATCH:=$(SCRIPT_DIR)/patch-kernel.sh