[OpenWrt-Devel] [PATCH v3] build: separate signing logic

Paul Spooren mail at aparcar.org
Tue Nov 19 15:53:17 EST 2019


Bump

On 11/12/19 12:04 AM, Paul Spooren wrote:
> This separates the options for signature creation and verification
>
> * SIGNED_PACKAGES create Packages.sig
> * SIGNED_IMAGES add ucert signature to created images
> * CHECK_SIGNATURE add verification capabilities to images
> * INSTALL_LOCAL_KEY add local key-build to /etc/opkg/keys
>
> Right now the buildbot.git contains some hacks to create images that
> have signature verification capabilities while not storing private keys
> on buildbot slaves. This commit allows to disable these steps for the
> buildbots and only perform signing on the master.
>
> Signed-off-by: Paul Spooren <mail at aparcar.org>
> ---
> v3: set "y if !BUILDBOT" to all new options
>
>   config/Config-build.in      | 12 ++++++++++--
>   include/image-commands.mk   | 13 ++++++++-----
>   package/base-files/Makefile | 18 ++++++++++--------
>   3 files changed, 28 insertions(+), 15 deletions(-)
>
> diff --git a/config/Config-build.in b/config/Config-build.in
> index 872e5c12ab..af5de42ac6 100644
> --- a/config/Config-build.in
> +++ b/config/Config-build.in
> @@ -37,13 +37,21 @@ menu "Global build settings"
>   		  - Enabling per-device rootfs support
>   		  ...
>   
> +	config INSTALL_LOCAL_KEY
> +		bool "Install local usign key into image"
> +		default y if !BUILDBOT
> +
>   	config SIGNED_PACKAGES
>   		bool "Cryptographically signed package lists"
> -		default y
> +		default y if !BUILDBOT
> +
> +	config SIGNED_IMAGES
> +		bool "Cryptographically signed firmware images"
> +		default y if !BUILDBOT
>   
>   	config SIGNATURE_CHECK
>   		bool "Enable signature checking in opkg"
> -		default SIGNED_PACKAGES
> +		default y
>   
>   	comment "General build options"
>   
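Review bot: INSTALL_LOCAL_KEY and SIGNED_IMAGES are added with only a one-line prompt and no help block, so nothing tells the user what they interact with: INSTALL_LOCAL_KEY copies the build key into /etc/opkg/keys and therefore only has an effect together with SIGNATURE_CHECK, and SIGNED_IMAGES silently does nothing unless key-build and key-build.ucert exist. A short `help` paragraph under each option stating those two preconditions would turn a quiet no-op into something the user can reason about. Decoupling SIGNATURE_CHECK's default from SIGNED_PACKAGES also means a non-buildbot user who disables SIGNED_PACKAGES now ships an opkg that presumably rejects their own unsigned package lists unless they also remember to turn off SIGNATURE_CHECK; that consequence belongs in the help text or the commit message, which incidentally calls the option CHECK_SIGNATURE rather than SIGNATURE_CHECK.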
> diff --git a/include/image-commands.mk b/include/image-commands.mk
> index 5dfd6a2c2f..3d10b18bc8 100644
> --- a/include/image-commands.mk
> +++ b/include/image-commands.mk
> @@ -373,11 +373,14 @@ metadata_json = \
>   
>   define Build/append-metadata
>   	$(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
> -	[ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
> -		cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
> -		usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
> -		ucert -A -c "$@.ucert" -x "$@.sig" ;\
> -		fwtool -S "$@.ucert" "$@" ;\
> +	[ -z "$(SIGNED_IMAGES)" \
> +		-o ! -s "$(BUILD_KEY)" \
> +		-o ! -s "$(BUILD_KEY).ucert" \
> +		-o ! -s "$@" ] || { \
> +			cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
> +			usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
> +			ucert -A -c "$@.ucert" -x "$@.sig" ;\
> +			fwtool -S "$@.ucert" "$@" ;\
>   	}
>   endef
>   
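Review bot: The new guard in Build/append-metadata tests `$(SIGNED_IMAGES)`, but the Kconfig symbol is exposed to make with a CONFIG_ prefix, exactly as the base-files hunk in this same series tests `CONFIG_SIGNED_PACKAGES` and `CONFIG_INSTALL_LOCAL_KEY`; unless SIGNED_IMAGES is assigned somewhere outside this patch, `-z` is always true and no image is ever signed, with no diagnostic. The first line should read `[ -z "$(CONFIG_SIGNED_IMAGES)" \`. A pre-existing weakness the rewrite keeps is that a missing key or certificate also falls through to an unsigned image without a word; an `echo ... >&2` in a failure branch, at least when the option is enabled, would make a misconfigured signing setup visible in the build log.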
> diff --git a/package/base-files/Makefile b/package/base-files/Makefile
> index addbac8664..3625f1320d 100644
> --- a/package/base-files/Makefile
> +++ b/package/base-files/Makefile
> @@ -37,7 +37,7 @@ endif
>   define Package/base-files
>     SECTION:=base
>     CATEGORY:=Base system
> -  DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign +SIGNED_PACKAGES:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool
> +  DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNATURE_CHECK:usign +SIGNATURE_CHECK:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool
>     TITLE:=Base filesystem for OpenWrt
>     URL:=http://openwrt.org/
>     VERSION:=$(PKG_RELEASE)-$(REVISION)
> @@ -116,12 +116,6 @@ ifdef CONFIG_SIGNED_PACKAGES
>   		$(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY)
>   
>     endef
> -
> -  define Package/base-files/install-key
> -	mkdir -p $(1)/etc/opkg/keys
> -	$(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub`
> -
> -  endef
>   endif
>   
>   ifeq ($(CONFIG_NAND_SUPPORT),)
> @@ -130,9 +124,17 @@ ifeq ($(CONFIG_NAND_SUPPORT),)
>     endef
>   endif
>   
> +ifdef CONFIG_INSTALL_LOCAL_KEY
> +  define Package/base-files/install-local-key
> +	mkdir -p $(1)/etc/opkg/keys
> +	$(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign \
> +		-F -p $(BUILD_KEY).pub`
> +  endef
> +endif
> +
>   define Package/base-files/install
>   	$(CP) ./files/* $(1)/
> -	$(Package/base-files/install-key)
> +	$(Package/base-files/install-local-key)
>   	$(Package/base-files/nand-support)
>   	if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
>   		$(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
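Review bot: Package/base-files/install-local-key copies `$(BUILD_KEY).pub` unconditionally, yet the key is no longer guaranteed to exist when this block is enabled: the key material is handled under `ifdef CONFIG_SIGNED_PACKAGES` (the ucert -I line in the earlier hunk operates on the same files), and INSTALL_LOCAL_KEY is now an independent option. With SIGNED_PACKAGES off the recipe either fails on a missing file or, worse, quietly installs whatever stale key-build.pub happens to be lying in the tree. Either give the Kconfig option `depends on SIGNED_PACKAGES`, or guard the copy with `[ -s $(BUILD_KEY).pub ] || { echo "INSTALL_LOCAL_KEY set but $(BUILD_KEY).pub is missing" >&2; exit 1; }` as the first recipe line so the failure is explicit.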
