From beca028bd6bb71898052faadff680d8e76f61eb3 Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Mon, 6 Apr 2015 19:39:51 +0000
Subject: build: add integration for managing opkg package feed keys
Signed-off-by: Felix Fietkau
SVN-Revision: 45286
---
 package/system/opkg/Makefile | 17 ++++++++++--
 package/system/opkg/files/opkg-key | 56 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+), 2 deletions(-)
 create mode 100755 package/system/opkg/files/opkg-key
(limited to 'package/system/opkg')
diff --git a/package/system/opkg/Makefile b/package/system/opkg/Makefile
index 391adfa..4f30ec2 100644
--- a/package/system/opkg/Makefile
+++ b/package/system/opkg/Makefile
@@ -26,6 +26,8 @@ PKG_REMOVE_FILES = autogen.sh aclocal.m4
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
+PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
+
 PKG_BUILD_PARALLEL:=1
 HOST_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
@@ -91,7 +93,11 @@ CONFIGURE_ARGS += \
 --with-opkglockfile=/var/lock/opkg.lock
 ifeq ($(BUILD_VARIANT),smime)
- CONFIGURE_ARGS += --enable-openssl --enable-sha256
+ CONFIGURE_ARGS += --enable-openssl --enable-sha256 --disable-usign
+else
+ ifndef CONFIG_SIGNED_PACKAGES
+ CONFIGURE_ARGS += --disable-usign
+ endif
 endif
 MAKE_FLAGS = \
@@ -105,6 +111,9 @@ define Package/opkg/Default/install
 $(INSTALL_DIR) $(1)/bin
 $(INSTALL_DIR) $(1)/etc
 $(INSTALL_DATA) ./files/opkg$(2).conf $(1)/etc/opkg.conf
+ ifneq ($(CONFIG_SIGNED_PACKAGES),)
+ echo "option check_signature 1" >> $(1)/etc/opkg.conf
+ endif
 ifeq ($(CONFIG_PER_FEED_REPO),)
 echo "src/gz %n %U" >> $(1)/etc/opkg.conf
 else
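Review bot: The `option check_signature 1` append sits in `Package/opkg/Default/install`, which the `-121,7` hunk shows is also expanded by `Package/opkg-smime/install`, while the `-91,7` hunk passes `--disable-usign` to the smime variant. An smime image built with CONFIG_SIGNED_PACKAGES therefore gets signature checking switched on without usign; whether that opkg build then verifies feeds through openssl or rejects them all cannot be seen from this patch. If openssl verification is the intent, a comment above the `ifneq` such as `# applies to both variants: usign for opkg, openssl for opkg-smime` would record it; if not, the three added lines belong in `Package/opkg/install`. The body of the define starts and ends outside this hunk.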
@@ -121,7 +130,11 @@ define Package/opkg/Default/install
 $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/opkg-cl $(1)/bin/opkg
 endef
-Package/opkg/install = $(call Package/opkg/Default/install,$(1),)
+define Package/opkg/install
+ $(call Package/opkg/Default/install,$(1),)
+ mkdir $(1)/usr/sbin
+ $(INSTALL_BIN) ./files/opkg-key $(1)/usr/sbin/
+endef
 define Package/opkg-smime/install
 $(call Package/opkg/Default/install,$(1),-smime)
diff --git a/package/system/opkg/files/opkg-key b/package/system/opkg/files/opkg-key
new file mode 100755
index 0000000..ae5e8a4
--- /dev/null
+++ b/package/system/opkg/files/opkg-key
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+usage() {
+ cat <
+Commands:
+ add : Add keyfile to opkg trusted keys
+ remove : Remove keyfile matching from opkg trusted keys
+ verify : Check list file against signature file
+
+EOF
+ exit 1
+}
+
+opkg_key_verify() {
+ local sigfile="$1"
+ local msgfile="$2"
+
+ (
+ zcat "$msgfile" 2>/dev/null ||
+ cat "$msgfile" 2>/dev/null
+ ) | usign -V -P /etc/opkg/keys -q -x "$sigfile" -m -
+}
+
+opkg_key_add() {
+ local key="$1"
+ [ -n "$key" ] || usage
+ [ -f "$key" ] || echo "Cannot open file $1"
+ local fingerprint="$(usign -F -p "$key")"
+ mkdir -p "/etc/opkg/keys"
+ cp "$key" "/etc/opkg/keys/$fingerprint"
+}
+
+opkg_key_remove() {
+ local key="$1"
+ [ -n "$key" ] || usage
+ [ -f "$key" ] || echo "Cannot open file $1"
+ local fingerprint="$(usign -F -p "$key")"
+ rm -f "/etc/opkg/keys/$fingerprint"
+}
+
+case "$1" in
+ add)
+ shift
+ opkg_key_add "$@"
+ ;;
+ remove)
+ shift
+ opkg_key_remove "$@"
+ ;;
+ verify)
+ shift
+ opkg_key_verify "$@"
+ ;;
+ *) usage ;;
+esac
-- cgit v1.1
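Review bot: `mkdir $(1)/usr/sbin` has no `-p`, so it fails if `$(1)/usr` is missing or if `$(1)/usr/sbin` already exists; the part of `Package/opkg/Default/install` visible in this patch only creates `$(1)/bin` and `$(1)/etc`, though its middle is outside the hunks. The rest of the recipe already uses the install helper, so the line should read `$(INSTALL_DIR) $(1)/usr/sbin`. The script is also installed when CONFIG_SIGNED_PACKAGES is unset and opkg is configured with `--disable-usign`; guarding the two lines with `ifneq ($(CONFIG_SIGNED_PACKAGES),)` would keep the key tool off images that never check signatures.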
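Review bot: In `opkg_key_add` and `opkg_key_remove` the line `[ -f "$key" ] || echo "Cannot open file $1"` only prints and then carries on, and the result of `usign -F -p` is never checked. With a missing or unparsable file `$fingerprint` is empty, so add runs `cp "$key" "/etc/opkg/keys/"`, which places an arbitrary file in the trusted-key directory under its own name, and remove runs `rm -f` on the directory path itself. Both functions should stop on either failure, write the message to stderr, and assign `fingerprint` on a separate line, because `local var="$(cmd)"` hides the command's exit status. `opkg_key_verify` likewise uses `$1` and `$2` without checking that both were supplied.

```shell
opkg_key_add() {
	local key="$1"
	local fingerprint
	[ -n "$key" ] || usage
	[ -f "$key" ] || { echo "Cannot open file $1" >&2; exit 1; }
	# Refuse to touch the trust store unless usign produced a fingerprint.
	fingerprint="$(usign -F -p "$key")" || exit 1
	[ -n "$fingerprint" ] || { echo "Cannot read key fingerprint from $1" >&2; exit 1; }
	mkdir -p "/etc/opkg/keys"
	cp "$key" "/etc/opkg/keys/$fingerprint"
}
# … opkg_key_remove: same guards before the rm -f line …
# … unchanged: usage, opkg_key_verify, command dispatch …
```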