[PATCH opkg] opkg: allow to configure the path to the signature verification script
Paul Spooren
mail at aparcar.org
Tue Aug 25 19:21:31 EDT 2020
On 24.08.20 05:07, Baptiste Jonglez wrote:
> From: Baptiste Jonglez <git at bitsofnetworks.org>
>
> Currently, package index signatures are only checked when opkg runs on the
> OpenWrt device. The verification script is hard-coded to a path in
> /usr/sbin/.
>
> Making this path configurable is a first step to implement signature
> verification in host builds of opkg (e.g. in the imagebuilder).
>
> Signed-off-by: Baptiste Jonglez <git at bitsofnetworks.org>
Great, I was just looking for something like that! Thank you very much.
Tested via an ImageBuilder by placing an `exit 0` script on the host machine
at `/usr/sbin/opkg-key` and afterwards defining a custom location; both
worked fine.
The openwrt.git/opkg-key (not opkg.git/opkg-key) script currently uses a
hard-coded key location (`/etc/opkg/keys`), which should be patched next.
Test-by: Paul Spooren <mail at aparcar.org>
Acked-by: Paul Spooren <mail at aparcar.org>
> ---
> libopkg/opkg_conf.c | 4 ++++
> libopkg/opkg_conf.h | 3 +++
> libopkg/opkg_download.c | 2 +-
> src/opkg-cl.c | 8 ++++++++
> 4 files changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
> index 08855eb..38703ee 100644
> --- a/libopkg/opkg_conf.c
> +++ b/libopkg/opkg_conf.c
> @@ -72,6 +72,7 @@ opkg_option_t options[] = {
> {"size", OPKG_OPT_TYPE_BOOL, &_conf.size},
> {"tmp_dir", OPKG_OPT_TYPE_STRING, &_conf.tmp_dir},
> {"verbosity", OPKG_OPT_TYPE_INT, &_conf.verbosity},
> + {"verify_program", OPKG_OPT_TYPE_STRING, &_conf.verify_program},
> {NULL, 0, NULL}
> };
>
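Review bot: The `verify_program` entry added to `options[]` lets a configuration file choose the program whose exit status decides whether a package index signature is accepted, and the patch does not document that trust implication. Anyone able to write an opkg configuration file could point it at a program that always succeeds, so the option deserves a comment such as `/* verify_program is the signature trust anchor: only root-writable config may set it */` next to the entry and a matching sentence in the user documentation. How a value from the config file interacts with `--verify-program` on the command line is not visible in these hunks and should be stated as well.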
> @@ -572,6 +573,9 @@ int opkg_conf_load(void)
> if (conf->lists_dir == NULL)
> conf->lists_dir = xstrdup(OPKG_CONF_LISTS_DIR);
>
> + if (conf->verify_program == NULL)
> + conf->verify_program = xstrdup(OPKG_CONF_DEFAULT_VERIFY_PROGRAM);
> +
> if (conf->offline_root) {
> sprintf_alloc(&tmp, "%s/%s", conf->offline_root,
> conf->lists_dir);
> diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
> index 37f95a1..91190b3 100644
> --- a/libopkg/opkg_conf.h
> +++ b/libopkg/opkg_conf.h
> @@ -35,6 +35,8 @@ extern opkg_conf_t *conf;
>
> #define OPKG_CONF_DEFAULT_CONF_FILE_DIR OPKGETCDIR"/opkg"
>
> +#define OPKG_CONF_DEFAULT_VERIFY_PROGRAM "/usr/sbin/opkg-key"
> +
> /* In case the config file defines no dest */
> #define OPKG_CONF_DEFAULT_DEST_NAME "root"
> #define OPKG_CONF_DEFAULT_DEST_ROOT_DIR "/"
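Review bot: `OPKG_CONF_DEFAULT_VERIFY_PROGRAM` is added without a comment, although the dest defaults just below it carry one and this constant implies a calling contract. Going by the `opkg_download.c` hunk, the program is run as `<program> verify <sig_file> <text_file>` and a zero exit status is treated as a valid signature. I would record that at the definition, e.g. `/* Run as "<prog> verify <sig> <file>"; exit status 0 means the signature is valid */`.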
> @@ -85,6 +87,7 @@ struct opkg_conf {
> char *overlay_root;
> int query_all;
> int verbosity;
> + char *verify_program;
> int noaction;
> int size;
> int download_only;
> diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
> index e970506..7bbf34b 100644
> --- a/libopkg/opkg_download.c
> +++ b/libopkg/opkg_download.c
> @@ -298,7 +298,7 @@ int opkg_prepare_url_for_install(const char *url, char **namep)
> int opkg_verify_file(char *text_file, char *sig_file)
> {
> #if defined HAVE_USIGN
> - const char *argv[] = { "/usr/sbin/opkg-key", "verify", sig_file,
> + const char *argv[] = { conf->verify_program, "verify", sig_file,
> text_file, NULL };
>
> return xsystem(argv) ? -1 : 0;
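Review bot: `conf->verify_program` is placed in `argv[0]` of opkg_verify_file without any check on its form, so a bare or relative name is accepted; if `xsystem` resolves the program through `PATH` (its implementation is not visible here), which verifier runs would depend on the caller's environment. Because the return value of this call is the entire verification result, I would reject anything that is not an absolute path before building `argv`, e.g. `if (conf->verify_program[0] != '/') return -1;`, which also covers an empty string. Logging the program name when it differs from the default would make a replaced verifier visible in the output. The function body continues past the end of the hunk.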
> diff --git a/src/opkg-cl.c b/src/opkg-cl.c
> index 40a7502..01c6e94 100644
> --- a/src/opkg-cl.c
> +++ b/src/opkg-cl.c
> @@ -53,6 +53,7 @@ enum {
> ARGS_OPT_CACHE,
> ARGS_OPT_FORCE_SIGNATURE,
> ARGS_OPT_NO_CHECK_CERTIFICATE,
> + ARGS_OPT_VERIFY_PROGRAM,
> ARGS_OPT_SIZE,
> };
>
> @@ -109,6 +110,8 @@ static struct option long_options[] = {
> {"lists-dir", 1, 0, 'l'},
> {"lists_dir", 1, 0, 'l'},
> {"verbosity", 2, 0, 'V'},
> + {"verify-program", 1, 0, ARGS_OPT_VERIFY_PROGRAM},
> + {"verify_program", 1, 0, ARGS_OPT_VERIFY_PROGRAM},
> {"version", 0, 0, 'v'},
> {0, 0, 0, 0}
> };
> @@ -232,6 +235,9 @@ static int args_parse(int argc, char *argv[])
> case ARGS_OPT_NO_CHECK_CERTIFICATE:
> conf->no_check_certificate = 1;
> break;
> + case ARGS_OPT_VERIFY_PROGRAM:
> + conf->verify_program = xstrdup(optarg);
> + break;
> case ':':
> parse_err = -1;
> break;
> @@ -322,6 +328,8 @@ static void usage()
> printf(" directory name in a pinch).\n");
> printf("\t-o <dir> Use <dir> as the root directory for\n");
> printf("\t--offline-root <dir> offline installation of packages.\n");
> + printf
> + ("\t--verify-program <path> Use the given program to verify usign signatures\n");
> printf
> ("\t--add-arch <arch>:<prio> Register architecture with given priority\n");
> printf