From a94d4e15fdc1e9715d7d0cfdcc62227186d0fc45 Mon Sep 17 00:00:00 2001
From: Paul Spooren
Date: Tue, 6 Aug 2024 18:03:21 +0200
Subject: [PATCH] add APK signing logic

With this commit it's possible to sign APK package indexes (packages.adb) via the `signall.sh` script, which is run on the buildmaster. As a consequence `apk` must be available on the buildmaster. This is the final step to replace OPKG with APK.

Signed-off-by: Paul Spooren
---
 docker/config.ini | 6 ++++++
 phase1/config.ini.example | 4 ++++
 phase1/master.cfg | 3 ++-
 phase2/config.ini.example | 7 ++++++-
 phase2/master.cfg | 2 +-
 scripts/signall.sh | 13 +++++++++++++
 6 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/docker/config.ini b/docker/config.ini
index 6278d3d..9da83eb 100644
--- a/docker/config.ini
+++ b/docker/config.ini
@@ -131,6 +131,12 @@ comment = Example GPG key
 key = RWRCSwAAAADUvtjCkFEF4bWWxpPBo9o8R5FK6Rz5aPUsaZONLu8kxIjud9Fd+Mgu7J2fFJDVyKFAXNH6pKS+AuBW3v+TQT5m1J0W/JYTjqzIrgAZhRtm5v3vSKRl3HUD2zEEbG5j3tg=
 comment = Example usign key
+[apk]
+key = -----BEGIN EC PRIVATE KEY----- MHcCAQEEIIP54p1G0UgCleLObh07Gxq0S0Iz22OQpkUj8S1AzXB9oAoGCCqGSM49 ... -----END EC PRIVATE KEY-----
+
 [worker 1]
 phase = 1
 name = buildworker-phase1
diff --git a/phase1/config.ini.example b/phase1/config.ini.example
index ced5ccb..455507e 100644
--- a/phase1/config.ini.example
+++ b/phase1/config.ini.example
@@ -36,6 +36,10 @@ gpg_passphrase = secret password
 gpg_comment = Unattended build signature
 usign_key = RWRCSwAAA...OihABfuLvGRVfVaJ6wLf0=
 usign_comment = Unattended build signature
+apk_key = -----BEGIN EC PRIVATE KEY----- MHcCAQEEIIP54p1G0UgCleLObh07Gxq0S0Iz22OQpkUj8S1AzXB9oAoGCCqGSM49 ... -----END EC PRIVATE KEY-----
 binary_url = user@example.org::upload-binary
 binary_password = example
 source_url = user@example.org::upload-sources
diff --git a/phase1/master.cfg b/phase1/master.cfg
index cefeaf0..3203d9d 100644
--- a/phase1/master.cfg
+++ b/phase1/master.cfg
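Review bot: The `key =` value added under `[apk]` opens with a fully formed first PEM line (`MHcCAQEEI…oAoGCCqGSM49` decodes to the SEC1 header, a 32-byte private scalar and the start of the curve OID), and for a P-256 key that first 64-character line already holds the entire private scalar, so the `...` on the following line hides nothing if this fragment was cut from a real key. Replace it with an obviously synthetic placeholder (for example a line of `A`s or `<apk-ec-private-key-pem>`) so that copying the example cannot propagate usable key material. The same fragment appears in the phase1/config.ini.example and phase2/config.ini.example hunks.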
@@ -1370,7 +1370,8 @@ def prepareFactory(target):
 "find bin/targets/%(kw:target)s/%(kw:subtarget)s%(prop:libc)s/ "
 "bin/targets/%(kw:target)s/%(kw:subtarget)s%(prop:libc)s/kmods/ "
 "-mindepth 1 -maxdepth 2 -type f -name sha256sums -print0 -or "
- "-name Packages -print0 | xargs -0 tar -czf sign.tar.gz",
+ "-name Packages -print0 -or -name packages.adb -print0 "
+ "| xargs -0 tar -czf sign.tar.gz",
 target=target,
 subtarget=subtarget,
 ),
diff --git a/phase2/config.ini.example b/phase2/config.ini.example
index ec0e6db..eda9763 100644
--- a/phase2/config.ini.example
+++ b/phase2/config.ini.example
@@ -46,6 +46,12 @@ comment = Unattended build signature
 key = RWRCSwAAA...OihABfuLvGRVfVaJ6wLf0=
 comment = Unattended build signature
+[apk]
+key = -----BEGIN EC PRIVATE KEY----- MHcCAQEEIIP54p1G0UgCleLObh07Gxq0S0Iz22OQpkUj8S1AzXB9oAoGCCqGSM49 ... -----END EC PRIVATE KEY-----
+
 [worker 1]
 phase = 2
 name = worker-example-1
@@ -57,4 +63,3 @@ phase = 2
 name = worker-example-2
 password = example2
 builds = 3
-
diff --git a/phase2/master.cfg b/phase2/master.cfg
index c399c66..940831b 100644
--- a/phase2/master.cfg
+++ b/phase2/master.cfg
@@ -591,7 +591,7 @@ for arch in arches:
 name = "signpack",
 description = "Packing files to sign",
 workdir = "build/sdk",
- command = "find bin/packages/%s/ -mindepth 2 -maxdepth 2 -type f -name Packages -print0 | xargs -0 tar -czf sign.tar.gz" %(arch[0]),
+ command = "find bin/packages/%s/ -mindepth 2 -maxdepth 2 -type f -name Packages -print0 -or -name packages.adb -print0 | xargs -0 tar -czf sign.tar.gz" %(arch[0]),
 haltOnFailure = True
 ))
diff --git a/scripts/signall.sh b/scripts/signall.sh
index b06844d..c15c9f2 100755
--- a/scripts/signall.sh
+++ b/scripts/signall.sh
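Review bot: In the extended `find` expression the `-type f` test binds only to the `-name sha256sums` alternative, because find's implicit `-and` has higher precedence than `-or`, so the new `-name packages.adb -print0` branch (like the existing `Packages` one) matches an entry of that name regardless of its type. Grouping the names applies the type test once and makes the intent explicit: `"-mindepth 1 -maxdepth 2 -type f \\( -name sha256sums -o -name Packages "` followed by `"-o -name packages.adb \\) -print0 | xargs -0 tar -czf sign.tar.gz",`. The `command =` string in the phase2/master.cfg hunk has the same shape and would take the same grouping. The enclosing prepareFactory step begins before and ends after this hunk.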
@@ -58,6 +58,8 @@ GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" gpg comment)"
 USIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" usign key)"
 USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" usign comment)"
+
+APKSIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" apk key)"
 else
 GPGKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_key")"
 GPGPASS="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_passphrase")"
@@ -65,6 +67,8 @@ GPGCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "gpg_comment")
 USIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "usign_key")"
 USIGNCOMMENT="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "usign_comment")"
+
+APKSIGNKEY="$(iniget "${CONFIG_INI:-config.ini}" "branch $branch" "apk_key")"
 fi
 if echo "$GPGKEY" | grep -q "BEGIN PGP PRIVATE KEY BLOCK"; then
@@ -101,6 +105,15 @@ if [ -n "$USIGNKEY" ]; then
 signify-openbsd -S -s "$(readlink -f "$tmpdir/usign.sec")" -m "{}" \; || finish 5
 fi
+if [ -n "$APKSIGNKEY" ]; then
+ umask 077
+ echo "$APKSIGNKEY" > "$tmpdir/apk.pem"
+
+ umask 022
+ find "$tmpdir/tar/" -type f -name "packages.adb" -exec \
+ "${APK_BIN:-apk}" adbsign --allow-untrusted --sign-key "$(readlink -f "$tmpdir/apk.pem")" "{}" \; || finish 6
+fi
+
 tar -C "$tmpdir/tar/" -czf "$tarball" . || finish 6
 finish 0
-- 
2.30.2
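Review bot: `|| finish 6` on the new `find "$tmpdir/tar/" -type f -name "packages.adb" -exec … "{}" \;` line cannot report a failed signing, because with the `\;` form find's exit status reflects only find's own errors and never the status of the command it ran, so a `packages.adb` that adbsign rejected is still packed by the following `tar` as if it were signed (the pre-existing usign line shares this weakness). If adbsign accepts several files per call, `-exec "${APK_BIN:-apk}" adbsign --allow-untrusted --sign-key "$(readlink -f "$tmpdir/apk.pem")" "{}" + || finish 6` does propagate a non-zero exit; otherwise iterate over the results and call `finish` from the loop. The block also reuses exit code 6, which the unchanged `tar -C "$tmpdir/tar/" -czf "$tarball" . || finish 6` two lines below already reports, so a caller cannot tell a signing failure from a packing failure; the usign step has its own code (5) and this one should too. A comment on the `adbsign` line stating why `--allow-untrusted` is needed here — presumably because the incoming index carries no signature yet, which should be confirmed — would spare the next reader from wondering whether it weakens anything.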