Add package signing infrastructure

Add package signing key and certificate configuration options to the
"Image configuration" submenu. If enabled, the Packages.gz list will
be signed as file Packages.sig. The passphrase for the signing key can
be sourced from a file or entered by the user. The signing certificate
is automatically added to the firmware image if opkg-smime is selected.

Signed-off-by: Evan Hunt <each@isc.org>
Signed-off-by: Steven Barth <steven@midlink.org>

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@38284 3c298f89-4303-0410-b956-a3cf2f4a3e73
master
Steven Barth 2013-10-02 12:12:10 +00:00
parent a21d544dc5
commit 414c5be62b
5 changed files with 76 additions and 5 deletions

View File

@ -168,6 +168,10 @@ $(eval $(call RequireCommand,svn, \
Please install the subversion client. \
))
$(eval $(call RequireCommand,openssl, \
Please install openssl. \
))
define Require/gnu-find
$(FIND) --version 2>/dev/null
endef

View File

@ -120,10 +120,35 @@ $(curdir)/install: $(TMP_DIR)/.build
$(if $(CONFIG_CLEAN_IPKG),rm -rf $(TARGET_DIR)/usr/lib/opkg)
$(call mklibs)
PASSOPT=""
PASSARG=""
ifndef CONFIG_OPKGSMIME_PASSPHRASE
ifneq ($(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE)),)
PASSOPT="-passin"
PASSARG="file:$(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE))"
endif
endif
$(curdir)/index: FORCE
@(cd $(PACKAGE_DIR); $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
gzip -9c Packages > Packages.gz \
)
ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),)
@echo Signing key has not been configured
else
ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_CERT)),)
@echo Certificate has not been configured
else
@echo Generating package index...
@(cd $(PACKAGE_DIR); \
$(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
gzip -9c Packages > Packages.gz )
@echo Signing package index...
@(cd $(PACKAGE_DIR); \
openssl smime -binary -in Packages.gz \
-out Packages.sig -outform PEM -sign \
-signer $(CONFIG_OPKGSMIME_CERT) \
-inkey $(CONFIG_OPKGSMIME_KEY) \
$(PASSOPT) $(PASSARG) )
endif
endif
$(curdir)/preconfig:

View File

@ -183,3 +183,41 @@ menuconfig VERSIONOPT
%d .. Distribution name or "openwrt", lowercase
%T .. Target name
%S .. Target/Subtarget name
menuconfig SMIMEOPT
bool "Package signing options" if IMAGEOPT
default n
help
These options configure the signing key and certificate to
be used for signing and verifying packages.
config OPKGSMIME_CERT
string
prompt "Path to certificate (PEM certificate format)" if SMIMEOPT
help
Path to the certificate to use for signature verification
config OPKGSMIME_KEY
string
prompt "Path to signing key (PEM private key format)" if SMIMEOPT
help
Path to the key to use for signing packages
config OPKGSMIME_PASSPHRASE
bool
default y
prompt "Wait for a passphrase when signing packages?" if SMIMEOPT
help
If this value is set, then the build will pause and request a passphrase
from the command line when signing packages. This SHOULD NOT be used with
automatic builds. If this value is not set, a file can be specified from
which the passphrase will be read.
config OPKGSMIME_PASSFILE
string
prompt "Path to a file containing the passphrase" if SMIMEOPT
depends on !OPKGSMIME_PASSPHRASE
help
Path to a file containing the passphrase for the signing key.
If the signing key is not encrypted and does not require a passphrase,
this option may be left blank.

View File

@ -109,8 +109,12 @@ define Package/opkg/Default/install
endef
Package/opkg/install = $(call Package/opkg/Default/install,$(1),)
Package/opkg-smime/install = $(call Package/opkg/Default/install,$(1),-smime)
define Package/opkg-smime/install
$(call Package/opkg/Default/install,$(1),-smime)
$(INSTALL_DIR) $(1)/etc/ssl/certs
$(if $(CONFIG_OPKGSMIME_CERT),$(INSTALL_DATA) $(call qstrip,$(CONFIG_OPKGSMIME_CERT)) $(1)/etc/ssl/certs/opkg.pem,)
endef
define Build/InstallDev
mkdir -p $(1)/usr/include

View File

@ -4,4 +4,4 @@ dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature 1
option signature_ca_path /etc/ssl/certs/
option signature_ca_file /etc/ssl/certs/opkg.pem