Revert "build: separate signing logic"
authorJohn Crispin <john@phrozen.org>
Mon, 21 Oct 2019 14:26:07 +0000 (16:26 +0200)
committerJohn Crispin <john@phrozen.org>
Mon, 21 Oct 2019 14:26:24 +0000 (16:26 +0200)
This reverts commit 4a45e69d190f72ed94878487b271ed7651dd9efa.

This broke the buildbots

Signed-off-by: John Crispin <john@phrozen.org>
config/Config-build.in
include/image-commands.mk
package/base-files/Makefile

index c6591708a20a50947663dce86ae29259b59d6bed..872e5c12abb42602cb195cf0cd12a38e66c34ab8 100644 (file)
@@ -37,21 +37,13 @@ menu "Global build settings"
                  - Enabling per-device rootfs support
                  ...
 
-       config INSTALL_LOCAL_KEY
-               bool "Install local usign key into image"
-               default n
-
        config SIGNED_PACKAGES
                bool "Cryptographically signed package lists"
-               default n
-
-       config SIGNED_IMAGES
-               bool "Cryptographically signed firmware images"
-               default n
+               default y
 
        config SIGNATURE_CHECK
                bool "Enable signature checking in opkg"
-               default y
+               default SIGNED_PACKAGES
 
        comment "General build options"
 
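Review bot: `SIGNATURE_CHECK` only takes its default from `SIGNED_PACKAGES` and has no `depends on`, so it can still be set to y while `SIGNED_PACKAGES` is n, and the `DEPENDS` hunk in package/base-files/Makefile pulls in usign and openwrt-keyring only under `+SIGNED_PACKAGES:`. That combination appears to produce an image whose opkg is told to verify signatures but ships without the verifier and keyring; whether opkg then fails closed is not visible on this page. Either add `depends on SIGNED_PACKAGES` below the `SIGNATURE_CHECK` prompt or keep the two package dependencies keyed on `SIGNATURE_CHECK`. Neither symbol has a `help` entry, and a line such as `Disabling signed package lists also turns off signature checking in opkg by default` under `SIGNED_PACKAGES` would make the coupling visible in menuconfig.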
index 3d10b18bc82fc8b7faecd527c86ef988100db52c..5dfd6a2c2fd464821081b7ffc1070b9f8ada7ca8 100644 (file)
@@ -373,14 +373,11 @@ metadata_json = \
 
 define Build/append-metadata
        $(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
-       [ -z "$(SIGNED_IMAGES)" \
-               -o ! -s "$(BUILD_KEY)" \
-               -o ! -s "$(BUILD_KEY).ucert" \
-               -o ! -s "$@" ] || { \
-                       cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
-                       usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
-                       ucert -A -c "$@.ucert" -x "$@.sig" ;\
-                       fwtool -S "$@.ucert" "$@" ;\
+       [ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
+               cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
+               usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
+               ucert -A -c "$@.ucert" -x "$@.sig" ;\
+               fwtool -S "$@.ucert" "$@" ;\
        }
 endef
 
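Review bot: The four signing steps inside the `{ … }` group of `Build/append-metadata` are joined with `;`, so a failing `cp`, `usign -S` or `ucert -A` does not stop the sequence and only the exit status of `fwtool -S` reaches make, unless the recipe shell runs with `-e`, which is not visible here. The build could then pass with an image whose appended certificate carries no valid signature. Ending the `cp`, `usign` and `ucert` lines with `&& \` instead of `;\` makes any failure abort the recipe. With the `SIGNED_IMAGES` test removed, an absent or empty `$(BUILD_KEY)` also skips signing without any message, so a comment above the `[ … ]` test such as `# no build key or ucert: image is left unsigned` would help anyone auditing build output.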
index 588c958f80a0a5da199a3b1bae8df8e147d1a251..f105d2cd2768ad19221ef07b25842da77a78424c 100644 (file)
@@ -37,7 +37,7 @@ endif
 define Package/base-files
   SECTION:=base
   CATEGORY:=Base system
-  DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNATURE_CHECK:usign +SIGNATURE_CHECK:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool
+  DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign +SIGNED_PACKAGES:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool
   TITLE:=Base filesystem for OpenWrt
   URL:=http://openwrt.org/
   VERSION:=$(PKG_RELEASE)-$(REVISION)
@@ -116,6 +116,12 @@ ifdef CONFIG_SIGNED_PACKAGES
                $(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY)
 
   endef
+
+  define Package/base-files/install-key
+       mkdir -p $(1)/etc/opkg/keys
+       $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub`
+
+  endef
 endif
 
 ifeq ($(CONFIG_NAND_SUPPORT),)
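Review bot: In `Package/base-files/install-key` the destination file name comes from a backtick substitution, so if `usign -F` fails or prints nothing, `$(CP)` still succeeds and places the key in `$(1)/etc/opkg/keys/` under its source file name instead of its fingerprint. The build then passes with a key that is presumably never matched at verification time. Capturing and checking the fingerprint first closes that gap: `fp="$$($(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub)" && [ -n "$$fp" ] && $(CP) $(BUILD_KEY).pub "$(1)/etc/opkg/keys/$$fp"`. Because `SIGNED_PACKAGES` now defaults to y, this define makes the local build key a trusted opkg key in every default image, which deserves a one-line comment above the `define`. The enclosing `ifdef CONFIG_SIGNED_PACKAGES` begins outside the hunk.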
@@ -124,16 +130,9 @@ ifeq ($(CONFIG_NAND_SUPPORT),)
   endef
 endif
 
-ifdef CONFIG_INSTALL_LOCAL_KEY
-  define Package/base-files/install-local-key
-       mkdir -p $(1)/etc/opkg/keys
-       $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign \
-               -F -p $(BUILD_KEY).pub`
-endef
-
 define Package/base-files/install
        $(CP) ./files/* $(1)/
-       $(Package/base-files/install-local-key)
+       $(Package/base-files/install-key)
        $(Package/base-files/nand-support)
        if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
                $(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \