/files
/package/feeds
/package/openwrt-packages
+key-build*
*.orig
*.rej
*~
*#
.emacs.desktop*
TAGS*~
-git-src
\ No newline at end of file
+git-src
bool "Select all userspace packages by default"
default n
+ config SIGNED_PACKAGES
+ bool "Cryptographically signed package lists"
+
comment "General build options"
config DISPLAY_SUPPORT
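Review bot: The new `SIGNED_PACKAGES` option on L16-L17 carries no `help` text and no `default`, so a user enabling it has no way to learn what the build will do with their tree. The hunks elsewhere in this commit show the contract: a usign key pair is generated at `$(TOPDIR)/key-build` on first build if absent, its public half is installed into `/etc/opkg/keys` on the image, package indexes are signed with it, and opkg is configured with `check_signature 1`. I would add a short help block saying exactly that, and stating that `key-build` is a private key which must be kept out of version control and backed up, since every device built from this tree trusts only that key. The surrounding Config.in entries are outside this hunk, so I cannot confirm whether they follow a house style for help text.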
$(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
gzip -9c Packages > Packages.gz; \
); done
+ifdef CONFIG_SIGNED_PACKAGES
+ @echo Signing package index...
+ @for d in $(PACKAGE_SUBDIRS); do ( \
+ [ -d $(PACKAGE_DIR)/$$d ] && \
+ cd $(PACKAGE_DIR)/$$d || continue; \
+ $(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY); \
+ ); done
+else
ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),)
@echo Signing key has not been configured
else
); done
endif
endif
+endif
$(curdir)/preconfig:
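Review bot: A failed signing on L29 does not fail the recipe: the usign call is the last command of a subshell whose status the `for … done` loop discards for every iteration but the last, so a missing or unreadable `$(BUILD_KEY)` leaves an unsigned `Packages` behind while the build reports success, and devices configured with `check_signature 1` then reject the feed. I would propagate the status out of the loop, e.g. `$(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY) || exit 1; \` followed by `) || exit 1; done`, after checking that the `continue` branch on L28 still leaves the subshell with status 0 in the build shell. The `else` branch keeps the existing smime behaviour and is not affected.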
PKG_RELEASE:=157
PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
-PKG_BUILD_DEPENDS:=opkg/host
+PKG_BUILD_DEPENDS:=opkg/host usign/host
PKG_LICENSE:=GPL-2.0
+PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
+
include $(INCLUDE_DIR)/package.mk
ifneq ($(DUMP),1)
define Package/base-files
SECTION:=base
CATEGORY:=Base system
- DEPENDS:=+netifd +libc +procd +jsonfilter
+ DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign
TITLE:=Base filesystem for OpenWrt
URL:=http://openwrt.org/
VERSION:=$(PKG_RELEASE)-$(REVISION)
endef
Build/Compile = $(Build/Compile/Default)
+ifdef CONFIG_SIGNED_PACKAGES
+ define Build/Configure
+ [ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
+ $(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"
+
+ endef
+
+ define Package/base-files/install-key
+ mkdir -p $(1)/etc/opkg/keys
+ $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub`
+
+ endef
+endif
+
define Package/base-files/install
$(CP) ./files/* $(1)/
+ $(Package/base-files/install-key)
if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
$(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
fi
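Review bot: The guard on L61 regenerates the whole key pair whenever either file is missing or empty, so losing only `key-build.pub` silently replaces an existing private key; every image already flashed with the old public key (installed by L67-L68) then rejects all future indexes signed by this tree. Since usign cannot re-derive the public half from the private one, the safer behaviour is to generate only when the private key itself is absent and to fail loudly on an inconsistent pair, e.g. `[ -s $(BUILD_KEY) ] && { [ -s $(BUILD_KEY).pub ] || { echo "$(BUILD_KEY).pub is missing; restore it or remove $(BUILD_KEY) to start over"; exit 1; }; } || \` before the existing `usign -G` line. A one-line comment above the define naming this invariant (the public key baked into images must match the private key used for signing) would also help the next maintainer. The `Package/base-files/install` define continues past the end of the hunk.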
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING
+PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
+
PKG_BUILD_PARALLEL:=1
HOST_BUILD_PARALLEL:=1
PKG_INSTALL:=1
--with-opkglockfile=/var/lock/opkg.lock
ifeq ($(BUILD_VARIANT),smime)
- CONFIGURE_ARGS += --enable-openssl --enable-sha256
+ CONFIGURE_ARGS += --enable-openssl --enable-sha256 --disable-usign
+else
+ ifndef CONFIG_SIGNED_PACKAGES
+ CONFIGURE_ARGS += --disable-usign
+ endif
endif
MAKE_FLAGS = \
$(INSTALL_DIR) $(1)/bin
$(INSTALL_DIR) $(1)/etc
$(INSTALL_DATA) ./files/opkg$(2).conf $(1)/etc/opkg.conf
+ ifneq ($(CONFIG_SIGNED_PACKAGES),)
+ echo "option check_signature 1" >> $(1)/etc/opkg.conf
+ endif
ifeq ($(CONFIG_PER_FEED_REPO),)
echo "src/gz %n %U" >> $(1)/etc/opkg.conf
else
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/opkg-cl $(1)/bin/opkg
endef
-Package/opkg/install = $(call Package/opkg/Default/install,$(1),)
+define Package/opkg/install
+ $(call Package/opkg/Default/install,$(1),)
+ mkdir $(1)/usr/sbin
+ $(INSTALL_BIN) ./files/opkg-key $(1)/usr/sbin/
+endef
define Package/opkg-smime/install
$(call Package/opkg/Default/install,$(1),-smime)
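Review bot: L110 uses a bare `mkdir $(1)/usr/sbin`, whereas the rest of the install recipe (L96-L97) uses `$(INSTALL_DIR)`; a plain `mkdir` errors out if the directory already exists, which is plausible when the install stage is re-run into a populated `$(1)`. I would write `$(INSTALL_DIR) $(1)/usr/sbin` for consistency and idempotence. The `ifneq ($(CONFIG_SIGNED_PACKAGES),)` block on L99-L101 follows the same conditional-inside-define pattern as the existing `CONFIG_PER_FEED_REPO` check on L102, which looks consistent. The `Package/opkg-smime/install` define continues past the end of the hunk.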
--- /dev/null
+#!/bin/sh
+
+usage() {
+ cat <<EOF
+Usage: $0 <command> <arguments...>
+Commands:
+ add <file>: Add keyfile <file> to opkg trusted keys
+ remove <file>: Remove keyfile matching <file> from opkg trusted keys
+ verify <sigfile> <list>: Check list file <list> against signature file <sigfile>
+
+EOF
+ exit 1
+}
+
+opkg_key_verify() {
+ local sigfile="$1"
+ local msgfile="$2"
+
+ (
+ zcat "$msgfile" 2>/dev/null ||
+ cat "$msgfile" 2>/dev/null
+ ) | usign -V -P /etc/opkg/keys -q -x "$sigfile" -m -
+}
+
+opkg_key_add() {
+ local key="$1"
+ [ -n "$key" ] || usage
+ [ -f "$key" ] || echo "Cannot open file $1"
+ local fingerprint="$(usign -F -p "$key")"
+ mkdir -p "/etc/opkg/keys"
+ cp "$key" "/etc/opkg/keys/$fingerprint"
+}
+
+opkg_key_remove() {
+ local key="$1"
+ [ -n "$key" ] || usage
+ [ -f "$key" ] || echo "Cannot open file $1"
+ local fingerprint="$(usign -F -p "$key")"
+ rm -f "/etc/opkg/keys/$fingerprint"
+}
+
+case "$1" in
+ add)
+ shift
+ opkg_key_add "$@"
+ ;;
+ remove)
+ shift
+ opkg_key_remove "$@"
+ ;;
+ verify)
+ shift
+ opkg_key_verify "$@"
+ ;;
+ *) usage ;;
+esac
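Review bot: In `opkg_key_add` (L143) and `opkg_key_remove` (L152) the "Cannot open file" message is printed but execution continues, and neither function checks that `fingerprint` is non-empty; if `usign -F` fails (presumably on a file that is not a valid key) the `cp` on L146 expands to `cp "$key" "/etc/opkg/keys/"` and drops an arbitrary file under its own name into the directory that `usign -V -P /etc/opkg/keys` on L137 treats as trusted. Both guards should terminate with a non-zero status, e.g. `[ -f "$key" ] || { echo "Cannot open file $1"; exit 1; }` and, after computing the fingerprint, `[ -n "$fingerprint" ] || { echo "$1 is not a valid usign key"; exit 1; }`, in both functions. `opkg_key_verify` likewise takes no argument check before calling usign, so `opkg-key verify` with missing arguments reports a usign error rather than the usage text.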
TARGET_NM:=$(TARGET_CROSS)nm
endif
+BUILD_KEY=$(TOPDIR)/key-build
+
TARGET_CC:=$(TARGET_CROSS)gcc
TARGET_CXX:=$(TARGET_CROSS)g++
KPATCH:=$(SCRIPT_DIR)/patch-kernel.sh