From: Christian Marangi Date: Thu, 24 Oct 2024 18:45:01 +0000 (+0200) Subject: imagebuilder: complete support for local signing keys X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=578f266ad7236d9d88fa955e63c5e4967e41c3b6;p=openwrt%2Fstaging%2Fstintel.git imagebuilder: complete support for local signing keys Complete support for local signing keys for APK. A local key will be always generated, mkndx is always called with --allow-untrusted as it needs to replace the sign key with the new local one. With CONFIG_SIGNATURE_CHECK the local index is signed with the local key. Local public key is added with the ADD_LOCAL_KEY option. Signed-off-by: Christian Marangi --- diff --git a/include/rootfs.mk b/include/rootfs.mk index c409e442b5..e6cadc531d 100644 --- a/include/rootfs.mk +++ b/include/rootfs.mk @@ -47,7 +47,7 @@ apk = \ IPKG_INSTROOT=$(1) \ $(FAKEROOT) $(STAGING_DIR_HOST)/bin/apk \ --root $(1) \ - --keys-dir $(TOPDIR) \ + --keys-dir $(if $(APK_KEYS),$(APK_KEYS),$(TOPDIR)) \ --no-cache \ --no-logfile \ --preserve-env diff --git a/target/imagebuilder/files/Makefile b/target/imagebuilder/files/Makefile index 3b1502cf57..24de26c771 100644 --- a/target/imagebuilder/files/Makefile +++ b/target/imagebuilder/files/Makefile @@ -83,6 +83,8 @@ help: FORCE # override variables from rules.mk +BUILD_KEY_APK_SEC=$(TOPDIR)/keys/local-private-key.pem +BUILD_KEY_APK_PUB=$(TOPDIR)/keys/local-public-key.pem export PACKAGE_DIR:=$(TOPDIR)/packages LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR) export PACKAGE_DIR_ALL:=$(TOPDIR)/packages @@ -94,6 +96,7 @@ OPKG:=$(call opkg,$(TARGET_DIR)) \ --cache $(DL_DIR) \ --lists-dir $(LISTS_DIR) +export APK_KEYS:=$(TOPDIR)/keys APK:=$(call apk,$(TARGET_DIR)) \ --repositories-file $(TOPDIR)/repositories \ $(if $(CONFIG_SIGNATURE_CHECK),,--allow-untrusted) \ @@ -180,6 +183,7 @@ ifeq ($(CONFIG_USE_APK),) else $(APK) add --initdb (cd $(PACKAGE_DIR); $(APK) mkndx \ + $(if $(CONFIG_SIGNATURE_CHECK), --keys-dir $(APK_KEYS) --sign $(BUILD_KEY_APK_SEC)) \ --allow-untrusted --output packages.adb *.apk) >/dev/null 2>/dev/null || true $(APK) update >&2 || true endif @@ -241,6 +245,13 @@ ifeq ($(CONFIG_USE_APK),) $(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub \ ) \ ) +else + $(if $(CONFIG_SIGNATURE_CHECK), \ + $(if $(ADD_LOCAL_KEY), \ + mkdir -p $(TARGET_DIR)/etc/opkg/keys/; \ + cp $(BUILD_KEY_APK_PUB) $(TARGET_DIR)/etc/apk/keys/; \ + ) \ + ) endif $(call prepare_rootfs,$(TARGET_DIR),$(USER_FILES),$(DISABLED_SERVICES)) @@ -288,8 +299,8 @@ ifneq ($(PROFILE),) endif _check_keys: FORCE -ifeq ($(CONFIG_USE_APK),) ifneq ($(CONFIG_SIGNATURE_CHECK),) +ifeq ($(CONFIG_USE_APK),) @if [ ! -s $(BUILD_KEY) -o ! -s $(BUILD_KEY).pub ]; then \ echo Generate local signing keys... >&2; \ $(STAGING_DIR_HOST)/bin/usign -G \ @@ -303,9 +314,15 @@ ifneq ($(CONFIG_SIGNATURE_CHECK),) -p $(BUILD_KEY).pub \ -s $(BUILD_KEY); \ fi -endif else - # TODO + @if [ ! -s $(BUILD_KEY_APK_SEC) -o ! -s $(BUILD_KEY_APK_PUB) ]; then \ + echo Generate local signing keys... >&2; \ + $(STAGING_DIR_HOST)/bin/openssl ecparam -name prime256v1 -genkey -noout -out $(BUILD_KEY_APK_SEC); \ + sed -i '1s/^/untrusted comment: Local build key\n/' $(BUILD_KEY_APK_SEC); \ + $(STAGING_DIR_HOST)/bin/openssl ec -in $(BUILD_KEY_APK_SEC) -pubout > $(BUILD_KEY_APK_PUB); \ + sed -i '1s/^/untrusted comment: Local build key\n/' $(BUILD_KEY_APK_PUB); \ + fi +endif endif image: