build: add integration for managing opkg package feed keys

Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 45286
2015-04-06 19:39:51 +00:00 · 2015-04-06 19:39:51 +00:00 · beca028bd6
commit beca028bd6
parent dde8214d16
7 changed files with 106 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -15,6 +15,7 @@
 /files
 /package/feeds
 /package/openwrt-packages
 key-build*
 *.orig
 *.rej
 *~
@ -22,4 +23,4 @@
 *#
 .emacs.desktop*
 TAGS*~
-git-src
+git-src
--- a/config/Config-build.in
+++ b/config/Config-build.in
@ -14,6 +14,9 @@ menu "Global build settings"
 		bool "Select all userspace packages by default"
 		default n
 	config SIGNED_PACKAGES
 		bool "Cryptographically signed package lists"
 	comment "General build options"
 	config DISPLAY_SUPPORT
--- a/package/Makefile
+++ b/package/Makefile
@ -143,6 +143,14 @@ $(curdir)/index: FORCE
 		$(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
 			gzip -9c Packages > Packages.gz; \
 	); done
 ifdef CONFIG_SIGNED_PACKAGES
 	@echo Signing package index...
 	@for d in $(PACKAGE_SUBDIRS); do ( \
 		[ -d $(PACKAGE_DIR)/$$d ] && \
 			cd $(PACKAGE_DIR)/$$d || continue; \
 		$(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY); \
 	); done
 else
 ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),)
 	@echo Signing key has not been configured
 else
@ -161,6 +169,7 @@ else
 	); done
 endif
 endif
 endif
 $(curdir)/preconfig:
--- a/package/base-files/Makefile
+++ b/package/base-files/Makefile
@ -14,9 +14,11 @@ PKG_NAME:=base-files
 PKG_RELEASE:=157
 PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
-PKG_BUILD_DEPENDS:=opkg/host
+PKG_BUILD_DEPENDS:=opkg/host usign/host
 PKG_LICENSE:=GPL-2.0
 PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
 include $(INCLUDE_DIR)/package.mk
 ifneq ($(DUMP),1)
@ -29,7 +31,7 @@ endif
 define Package/base-files
  SECTION:=base
  CATEGORY:=Base system
-  DEPENDS:=+netifd +libc +procd +jsonfilter
+  DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign
  TITLE:=Base filesystem for OpenWrt
  URL:=http://openwrt.org/
  VERSION:=$(PKG_RELEASE)-$(REVISION)
@ -87,8 +89,23 @@ define Build/Compile/Default
 endef
 Build/Compile = $(Build/Compile/Default)
 ifdef CONFIG_SIGNED_PACKAGES
  define Build/Configure
 	[ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
 		$(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"
  endef
  define Package/base-files/install-key
 	mkdir -p $(1)/etc/opkg/keys
 	$(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub`
  endef
 endif
 define Package/base-files/install
 	$(CP) ./files/* $(1)/
 	$(Package/base-files/install-key)
 	if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
 		$(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
 	fi
--- a/package/system/opkg/Makefile
+++ b/package/system/opkg/Makefile
@ -26,6 +26,8 @@ PKG_REMOVE_FILES = autogen.sh aclocal.m4
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
 PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
 PKG_BUILD_PARALLEL:=1
 HOST_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
@ -91,7 +93,11 @@ CONFIGURE_ARGS += \
 	--with-opkglockfile=/var/lock/opkg.lock
 ifeq ($(BUILD_VARIANT),smime)
-	CONFIGURE_ARGS += --enable-openssl --enable-sha256
+	CONFIGURE_ARGS += --enable-openssl --enable-sha256 --disable-usign
 else
  ifndef CONFIG_SIGNED_PACKAGES
    CONFIGURE_ARGS += --disable-usign
  endif
 endif
 MAKE_FLAGS = \
@ -105,6 +111,9 @@ define Package/opkg/Default/install
 	$(INSTALL_DIR) $(1)/bin
 	$(INSTALL_DIR) $(1)/etc
 	$(INSTALL_DATA) ./files/opkg$(2).conf $(1)/etc/opkg.conf
  ifneq ($(CONFIG_SIGNED_PACKAGES),)
 	echo "option check_signature 1" >> $(1)/etc/opkg.conf
  endif
  ifeq ($(CONFIG_PER_FEED_REPO),)
 	echo "src/gz %n %U" >> $(1)/etc/opkg.conf
  else
@ -121,7 +130,11 @@ define Package/opkg/Default/install
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/opkg-cl $(1)/bin/opkg
 endef
-Package/opkg/install = $(call Package/opkg/Default/install,$(1),)
+define Package/opkg/install
 	$(call Package/opkg/Default/install,$(1),)
 	mkdir $(1)/usr/sbin
 	$(INSTALL_BIN) ./files/opkg-key $(1)/usr/sbin/
 endef
 define Package/opkg-smime/install
 	$(call Package/opkg/Default/install,$(1),-smime)
--- a/package/system/opkg/files/opkg-key
+++ b/package/system/opkg/files/opkg-key
@ -0,0 +1,56 @@
 #!/bin/sh
 usage() {
 	cat <<EOF
 Usage: $0 <command> <arguments...>
 Commands:
  add <file>:			Add keyfile <file> to opkg trusted keys
  remove <file>:		Remove keyfile matching <file> from opkg trusted keys
  verify <sigfile> <list>:	Check list file <list> against signature file <sigfile>
 EOF
 	exit 1
 }
 opkg_key_verify() {
 	local sigfile="$1"
 	local msgfile="$2"
 	(
 		zcat "$msgfile" 2>/dev/null ||
 		cat "$msgfile" 2>/dev/null
 	) | usign -V -P /etc/opkg/keys -q -x "$sigfile" -m -
 }
 opkg_key_add() {
 	local key="$1"
 	[ -n "$key" ] || usage
 	[ -f "$key" ] || echo "Cannot open file $1"
 	local fingerprint="$(usign -F -p "$key")"
 	mkdir -p "/etc/opkg/keys"
 	cp "$key" "/etc/opkg/keys/$fingerprint"
 }
 opkg_key_remove() {
 	local key="$1"
 	[ -n "$key" ] || usage
 	[ -f "$key" ] || echo "Cannot open file $1"
 	local fingerprint="$(usign -F -p "$key")"
 	rm -f "/etc/opkg/keys/$fingerprint"
 }
 case "$1" in
 	add)
 		shift
 		opkg_key_add "$@"
 		;;
 	remove)
 		shift
 		opkg_key_remove "$@"
 		;;
 	verify)
 		shift
 		opkg_key_verify "$@"
 		;;
 	*) usage ;;
 esac
--- a/rules.mk
+++ b/rules.mk
@ -207,6 +207,8 @@ else
  TARGET_NM:=$(TARGET_CROSS)nm
 endif
 BUILD_KEY=$(TOPDIR)/key-build
 TARGET_CC:=$(TARGET_CROSS)gcc
 TARGET_CXX:=$(TARGET_CROSS)g++
 KPATCH:=$(SCRIPT_DIR)/patch-kernel.sh