summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteven Barth <cyrus@openwrt.org>2013-10-02 12:12:10 +0000
committerSteven Barth <cyrus@openwrt.org>2013-10-02 12:12:10 +0000
commitcbdd346b11c6f125f48cdb1e95870d16e5c0d628 (patch)
treea6c5edbe734be83f8bcd880083de81f5060132ab
parent0ad1d06c13a15a9e91cc7a1a635ac678a298ed7f (diff)
downloadmtk-20170518-cbdd346b11c6f125f48cdb1e95870d16e5c0d628.zip
mtk-20170518-cbdd346b11c6f125f48cdb1e95870d16e5c0d628.tar.gz
mtk-20170518-cbdd346b11c6f125f48cdb1e95870d16e5c0d628.tar.bz2
Add package signing infrastructure
Add package signing key and certificate configuration options to the "Image configuration" submenu. If enabled, the Packages.gz list will be signed as file Packages.sig. The passphrase for the signing key can be sourced from a file or entered by the user. The signing certificate is automatically added to the firmware image if opkg-smime is selected. Signed-off-by: Evan Hunt <each@isc.org> Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 38284
-rw-r--r--include/prereq-build.mk4
-rw-r--r--package/Makefile31
-rw-r--r--package/base-files/image-config.in38
-rw-r--r--package/system/opkg/Makefile6
-rw-r--r--package/system/opkg/files/opkg-smime.conf2
5 files changed, 76 insertions, 5 deletions
diff --git a/include/prereq-build.mk b/include/prereq-build.mk
index 59ea7ef..b7ada69 100644
--- a/include/prereq-build.mk
+++ b/include/prereq-build.mk
@@ -168,6 +168,10 @@ $(eval $(call RequireCommand,svn, \
Please install the subversion client. \
))
+$(eval $(call RequireCommand,openssl, \
+ Please install openssl. \
+))
+
define Require/gnu-find
$(FIND) --version 2>/dev/null
endef
diff --git a/package/Makefile b/package/Makefile
index 00ac773..bac7001 100644
--- a/package/Makefile
+++ b/package/Makefile
@@ -120,10 +120,35 @@ $(curdir)/install: $(TMP_DIR)/.build
$(if $(CONFIG_CLEAN_IPKG),rm -rf $(TARGET_DIR)/usr/lib/opkg)
$(call mklibs)
+PASSOPT=""
+PASSARG=""
+ifndef CONFIG_OPKGSMIME_PASSPHRASE
+ ifneq ($(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE)),)
+ PASSOPT="-passin"
+ PASSARG="file:$(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE))"
+ endif
+endif
+
$(curdir)/index: FORCE
- @(cd $(PACKAGE_DIR); $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
- gzip -9c Packages > Packages.gz \
- )
+ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),)
+ @echo Signing key has not been configured
+else
+ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_CERT)),)
+ @echo Certificate has not been configured
+else
+ @echo Generating package index...
+ @(cd $(PACKAGE_DIR); \
+ $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
+ gzip -9c Packages > Packages.gz )
+ @echo Signing package index...
+ @(cd $(PACKAGE_DIR); \
+ openssl smime -binary -in Packages.gz \
+ -out Packages.sig -outform PEM -sign \
+ -signer $(CONFIG_OPKGSMIME_CERT) \
+ -inkey $(CONFIG_OPKGSMIME_KEY) \
+ $(PASSOPT) $(PASSARG) )
+endif
+endif
$(curdir)/preconfig:
diff --git a/package/base-files/image-config.in b/package/base-files/image-config.in
index ac08c8d..a9eb78c 100644
--- a/package/base-files/image-config.in
+++ b/package/base-files/image-config.in
@@ -183,3 +183,41 @@ menuconfig VERSIONOPT
%d .. Distribution name or "openwrt", lowercase
%T .. Target name
%S .. Target/Subtarget name
+
+menuconfig SMIMEOPT
+ bool "Package signing options" if IMAGEOPT
+ default n
+ help
+ These options configure the signing key and certificate to
+ be used for signing and verifying packages.
+
+ config OPKGSMIME_CERT
+ string
+ prompt "Path to certificate (PEM certificate format)" if SMIMEOPT
+ help
+ Path to the certificate to use for signature verification
+
+ config OPKGSMIME_KEY
+ string
+ prompt "Path to signing key (PEM private key format)" if SMIMEOPT
+ help
+ Path to the key to use for signing packages
+
+ config OPKGSMIME_PASSPHRASE
+ bool
+ default y
+ prompt "Wait for a passphrase when signing packages?" if SMIMEOPT
+ help
+ If this value is set, then the build will pause and request a passphrase
+ from the command line when signing packages. This SHOULD NOT be used with
+ automatic builds. If this value is not set, a file can be specified from
+ which the passphrase will be read.
+
+ config OPKGSMIME_PASSFILE
+ string
+ prompt "Path to a file containing the passphrase" if SMIMEOPT
+ depends on !OPKGSMIME_PASSPHRASE
+ help
+ Path to a file containing the passphrase for the signing key.
+ If the signing key is not encrypted and does not require a passphrase,
+ this option may be left blank.
diff --git a/package/system/opkg/Makefile b/package/system/opkg/Makefile
index eb3b10a..3327a8e 100644
--- a/package/system/opkg/Makefile
+++ b/package/system/opkg/Makefile
@@ -109,8 +109,12 @@ define Package/opkg/Default/install
endef
Package/opkg/install = $(call Package/opkg/Default/install,$(1),)
-Package/opkg-smime/install = $(call Package/opkg/Default/install,$(1),-smime)
+define Package/opkg-smime/install
+ $(call Package/opkg/Default/install,$(1),-smime)
+ $(INSTALL_DIR) $(1)/etc/ssl/certs
+ $(if $(CONFIG_OPKGSMIME_CERT),$(INSTALL_DATA) $(call qstrip,$(CONFIG_OPKGSMIME_CERT)) $(1)/etc/ssl/certs/opkg.pem,)
+endef
define Build/InstallDev
mkdir -p $(1)/usr/include
diff --git a/package/system/opkg/files/opkg-smime.conf b/package/system/opkg/files/opkg-smime.conf
index 103f231..849bb65 100644
--- a/package/system/opkg/files/opkg-smime.conf
+++ b/package/system/opkg/files/opkg-smime.conf
@@ -4,4 +4,4 @@ dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature 1
-option signature_ca_path /etc/ssl/certs/
+option signature_ca_file /etc/ssl/certs/opkg.pem