[OpenWrt-Devel] [PATCH v2] build: separate signing logic

Felix Fietkau nbd at nbd.name
Tue Nov 12 04:51:10 EST 2019


On 2019-11-12 10:31, Paul Spooren wrote:
> This separates the options for signature creation and verification
> 
> * SIGNED_PACKAGES create Packages.sig
> * SIGNED_IMAGES add ucert signature to created images
> * CHECK_SIGNATURE add verification capabilities to images
> * INSTALL_LOCAL_KEY add local key-build to /etc/opkg/keys
> 
> Right now the buildbot.git contains some hacks to create images that
> have signature verification capabilities while not storing private keys
> on buildbot slaves. This commit allows disabling these steps for the
> buildbots and only performing signing on the master.
> 
> Signed-off-by: Paul Spooren <mail at aparcar.org>
> ---
> v2: fix missing endif in base-files/Makefile
> 
>  config/Config-build.in      | 12 ++++++++++--
>  include/image-commands.mk   | 13 ++++++++-----
>  package/base-files/Makefile | 18 ++++++++++--------
>  3 files changed, 28 insertions(+), 15 deletions(-)
> 
> diff --git a/config/Config-build.in b/config/Config-build.in
> index 872e5c12ab..c6591708a2 100644
> --- a/config/Config-build.in
> +++ b/config/Config-build.in
> @@ -37,13 +37,21 @@ menu "Global build settings"
>  		  - Enabling per-device rootfs support
>  		  ...
>  
> +	config INSTALL_LOCAL_KEY
> +		bool "Install local usign key into image"
> +		default n
> +
>  	config SIGNED_PACKAGES
>  		bool "Cryptographically signed package lists"
> -		default y
> +		default n
> +
> +	config SIGNED_IMAGES
> +		bool "Cryptographically signed firmware images"
> +		default n
>  
>  	config SIGNATURE_CHECK
>  		bool "Enable signature checking in opkg"
> -		default SIGNED_PACKAGES
> +		default y
>  
>  	comment "General build options"
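
Review bot: in the SIGNATURE_CHECK entry, 'default y' now turns on checking in opkg even when SIGNED_PACKAGES and the new INSTALL_LOCAL_KEY stay at their new 'default n', so a default configuration verifies signatures without creating Packages.sig or installing the local key into the image. Either keep the defaults coupled, as the removed 'default SIGNED_PACKAGES' did, or make the defaults of these entries agree. The new INSTALL_LOCAL_KEY and SIGNED_IMAGES entries also carry no help text saying which key is installed and what the image signature covers, and the commit message lists the last option as CHECK_SIGNATURE while the symbol in this hunk is SIGNATURE_CHECK.
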
Please make all of these default to 'y if !BUILDBOT' in order to not add
extra inconvenience for people doing their own builds.
Just like before, builds should trust packages/images generated from the
same tree by default.

- Felix
