[OpenWrt-Devel] [PATCH 2/2] build: add script to sign packages

Paul Spooren mail at aparcar.org
Tue Sep 24 18:32:56 EDT 2019

This script allows image signing independent of the actual build
process, to run on a master server after receiving freshly baked
images. The idea is to avoid storing private keys on third-party builders
while still being able to sign packages.

Run ./scripts/sign_images.sh with the following env vars:

* TOP_DIR where to search for sysupgrade.bin images
* BUILD_KEY place of key-build{,.pub,.ucert}
* REMOVE_OTHER_SIGNATURES removes signatures added by e.g. buildbots

Only sysupgrade.bin files are touched as factory.bin signatures wouldn't
be evaluated on stock firmware.

Signed-off-by: Paul Spooren <mail at aparcar.org>
 scripts/sign_images.sh | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100755 scripts/sign_images.sh

diff --git a/scripts/sign_images.sh b/scripts/sign_images.sh
new file mode 100755
index 0000000000..c41b21e091
--- /dev/null
+++ b/scripts/sign_images.sh
@@ -0,0 +1,27 @@
+# directory where search for images
+# key to sign images
+BUILD_KEY="${BUILD_KEY:-key-build}" # TODO unifiy naming?
+# remove other signatures (added e.g.  by buildbot)
+# find all sysupgrade images in TOP_DIR
+# factory images don't need signatures as non OpenWrt system doen't check them anyway
+for image in $(find $TOP_DIR -type f -name "*-sysupgrade.bin"); do
+	# check if image actually support metadata
+	if fwtool -i /dev/null "$image"; then
+		# remove all previous signatures
+		if [ -n "$REMOVE_OTER_SIGNATURES" ]; then
+			while [ "$?" = 0 ]; do
+				fwtool -t -s /dev/null "$image"
+			done
+		fi
+		# run same operation as build root does for signing
+		cp "$BUILD_KEY.ucert" "$image.ucert"
+		usign -S -m "$image" -s "$BUILD_KEY" -x "$image.sig"
+		ucert -A -c "$image.ucert" -x "$image.sig"
+		fwtool -S "$image.ucert" "$image"
+	fi
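Review bot: the variable tested on the `if [ -n "$REMOVE_OTER_SIGNATURES" ]` line is misspelled, so the `REMOVE_OTHER_SIGNATURES` documented in the commit message never enables the stripping loop. The loop itself, `while [ "$?" = 0 ]`, first evaluates the exit status of the preceding `[ -n ... ]` test rather than that of fwtool; `while fwtool -t -s /dev/null "$image"; do :; done` expresses the intent directly. Please also confirm fwtool's `-t` semantics: fwtool's usage text describes `-t` as not removing the extracted data from the image, and if that holds, `fwtool -i /dev/null "$image"` on the `if` line strips the metadata trailer from every image it probes while `fwtool -t -s /dev/null` never removes a signature, so the loop cannot terminate; the probe wants `-t` and the strip step does not. `for image in $(find $TOP_DIR ...)` splits paths on whitespace, and with `TOP_DIR` unquoted and never defaulted (the comment on the first line announces a directory setting but no assignment follows it) an unset `TOP_DIR` makes GNU find walk the current directory. The hunk as quoted has no `#!/bin/sh` line, leaves `$image.sig` and `$image.ucert` next to each signed image, and ends before the loop's closing `done` although the header counts 27 lines, so the remainder could not be reviewed here.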

openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
