[PATCH] imagebuilder: add package signature verification

Paul Spooren mail at aparcar.org
Wed Aug 26 04:24:55 EDT 2020


The ImageBuilder downloads pre-built packages and adds them to images.
This process uses `opkg` which has the capability to verify package list
signatures, as enabled per default on running OpenWrt devices.

Until now this was disabled for ImageBuilders because neither the OPKG
keys nor the `opkg-add` script was present during first packagelist
update.

To harden the ImageBuilder against *drive-by-download-attacks* both keys
and verification script are added to the ImageBuilder allowing OPKG to
verify downloaded package indices.

This commit adds `opkg-add` to the IB scripts folder, as it is just a
shell script. The keys folder is added to IB's TOPDIR to have an obvious
place for users to store their own keys. The `option check_signature` is
appended to the repositories.conf file. All of the above only happens if
the Buildbot runs with the SIGNED_PACKAGES option.

Signed-off-by: Paul Spooren <mail at aparcar.org>
---
This patch requires the following two patches:

* opkg: allow to configure the path to the signature verification script
https://patchwork.ozlabs.org/project/openwrt/patch/20200824150740.450363-1-baptiste@bitsofnetworks.org/

* build: opkg-key variable key folder
https://patchwork.ozlabs.org/project/openwrt/patch/20200826005527.2696524-1-mail@aparcar.org/

In combination this should resolve the following 20.x goal:
* Improve security of ImageBuilder - Check signatures

I'm shaken by the fact that ImageBuilders downloaded packages via HTTP
and without OPKG signature checks by default - fun

 target/imagebuilder/Makefile       | 6 ++++++
 target/imagebuilder/files/Makefile | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile
index ad19ab2b53..2a4e9263db 100644
--- a/target/imagebuilder/Makefile
+++ b/target/imagebuilder/Makefile
@@ -43,6 +43,12 @@ endif
 	echo ''                                                        >> $(PKG_BUILD_DIR)/repositories.conf
 	echo '## This is the local package repository, do not remove!' >> $(PKG_BUILD_DIR)/repositories.conf
 	echo 'src imagebuilder file:packages'                          >> $(PKG_BUILD_DIR)/repositories.conf
+ifneq ($(CONFIG_SIGNED_PACKAGES),)
+	echo 'option check_signature'                                  >> $(PKG_BUILD_DIR)/repositories.conf
+	$(INSTALL_DIR) $(PKG_BUILD_DIR)/keys
+	$(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/
+	$(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key $(PKG_BUILD_DIR)/scripts/
+endif
 
 	$(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf
 
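Review bot: The commit message says `opkg-add` is added to the IB scripts folder, but the last added line of this hunk copies `$(STAGING_DIR_ROOT)/usr/sbin/opkg-key` into `$(PKG_BUILD_DIR)/scripts/`; the message and the code should name the same script. Two smaller points in the same block: `$(INSTALL_DIR) $(PKG_BUILD_DIR)/keys` creates the directory and the following `$(CP) -L .../etc/opkg/keys/ $(PKG_BUILD_DIR)/` then targets the parent, so writing the destination explicitly as `$(PKG_BUILD_DIR)/keys/` would make the intended layout unambiguous. And since `option check_signature` is appended directly after `src imagebuilder file:packages`, please confirm in the commit message how the local `imagebuilder` feed's index is handled once signature checking is switched on.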
diff --git a/target/imagebuilder/files/Makefile b/target/imagebuilder/files/Makefile
index 326dd2ba2f..98769d93de 100644
--- a/target/imagebuilder/files/Makefile
+++ b/target/imagebuilder/files/Makefile
@@ -64,8 +64,10 @@ help: FORCE
 # override variables from rules.mk
 PACKAGE_DIR:=$(TOPDIR)/packages
 LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR)
+export OPKG_KEYS:=$(TOPDIR)/keys
 OPKG:=$(call opkg,$(TARGET_DIR)) \
 	-f $(TOPDIR)/repositories.conf \
+	--verify-program $(SCRIPT_DIR)/opkg-key \
 	--cache $(DL_DIR) \
 	--lists-dir $(LISTS_DIR)
 
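Review bot: The added `export OPKG_KEYS:=$(TOPDIR)/keys` and `--verify-program $(SCRIPT_DIR)/opkg-key` lines are unconditional, while the other Makefile only ships the `keys` folder and `opkg-key` under `ifneq ($(CONFIG_SIGNED_PACKAGES),)`. An ImageBuilder built without SIGNED_PACKAGES would therefore pass opkg a verify program and key directory that were never installed. Either guard these two lines with the same condition or ship the script and an empty `keys` folder in every ImageBuilder, so that a user who adds `option check_signature` to repositories.conf by hand gets a working verifier rather than a missing-file failure. The `:=` assignment also fixes the key directory to `$(TOPDIR)/keys`; if users are meant to point at their own key store, `?=` would let an externally supplied `OPKG_KEYS` take effect.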
-- 
2.25.1



