From 741a0576ad3184f0f061ff8fd056f933986d110d Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Mon, 6 Apr 2015 19:39:51 +0000 Subject: [PATCH] build: add integration for managing opkg package feed keys Signed-off-by: Felix Fietkau git-svn-id: svn://svn.openwrt.org/openwrt/trunk@45286 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- .gitignore | 3 +- config/Config-build.in | 3 ++ package/Makefile | 9 +++++ package/base-files/Makefile | 21 +++++++++-- package/system/opkg/Makefile | 17 +++++++-- package/system/opkg/files/opkg-key | 56 ++++++++++++++++++++++++++++++ rules.mk | 2 ++ 7 files changed, 106 insertions(+), 5 deletions(-) create mode 100755 package/system/opkg/files/opkg-key diff --git a/.gitignore b/.gitignore index 1bef86e971..cd86e34cda 100644 --- a/.gitignore +++ b/.gitignore @@ -15,6 +15,7 @@ /files /package/feeds /package/openwrt-packages +key-build* *.orig *.rej *~ @@ -22,4 +23,4 @@ *# .emacs.desktop* TAGS*~ -git-src \ No newline at end of file +git-src diff --git a/config/Config-build.in b/config/Config-build.in index 582724eff1..78582ab415 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -14,6 +14,9 @@ menu "Global build settings" bool "Select all userspace packages by default" default n + config SIGNED_PACKAGES + bool "Cryptographically signed package lists" + comment "General build options" config DISPLAY_SUPPORT diff --git a/package/Makefile b/package/Makefile index a6b34be0f4..d5212f09a8 100644 --- a/package/Makefile +++ b/package/Makefile @@ -143,6 +143,14 @@ $(curdir)/index: FORCE $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \ gzip -9c Packages > Packages.gz; \ ); done +ifdef CONFIG_SIGNED_PACKAGES + @echo Signing package index... + @for d in $(PACKAGE_SUBDIRS); do ( \ + [ -d $(PACKAGE_DIR)/$$d ] && \ + cd $(PACKAGE_DIR)/$$d || continue; \ + $(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY); \ + ); done +else ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),) @echo Signing key has not been configured else 
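Review bot: The new `SIGNED_PACKAGES` entry in config/Config-build.in has no `help` text and no explicit `default`, so someone configuring a build cannot tell from the menu what enabling it does. Going by the other hunks of this patch, turning it on generates a local key pair at `$(TOPDIR)/key-build`, signs each `Packages` index with usign, and appends `option check_signature 1` to the image's opkg.conf. A short `help` block stating that, and noting that the secret half of the key should be backed up and kept private, would cover it.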
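Review bot: A failed `usign -S` in the added signing loop of package/Makefile is not reliably propagated, because each iteration runs in a subshell and the `for` statement returns only the status of its last iteration. As far as this hunk shows, a feed directory whose signing failed can end up with a missing or stale signature next to a fresh `Packages` while the index target still succeeds. Testing the directory outside the subshell and checking the subshell's status would stop the build on the first signing error: `[ -d $(PACKAGE_DIR)/$$d ] || continue; \` followed by `( cd $(PACKAGE_DIR)/$$d && $(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY) ) || exit 1; \`. The indexing loop in the context lines above has the same shape, and the rule body starts outside the hunk.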
@@ -161,6 +169,7 @@ else ); done endif endif +endif $(curdir)/preconfig: diff --git a/package/base-files/Makefile b/package/base-files/Makefile index d0d93e5ed6..0bba313702 100644 --- a/package/base-files/Makefile +++ b/package/base-files/Makefile @@ -14,9 +14,11 @@ PKG_NAME:=base-files PKG_RELEASE:=157 PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/ -PKG_BUILD_DEPENDS:=opkg/host +PKG_BUILD_DEPENDS:=opkg/host usign/host PKG_LICENSE:=GPL-2.0 +PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES + include $(INCLUDE_DIR)/package.mk ifneq ($(DUMP),1) @@ -29,7 +31,7 @@ endif define Package/base-files SECTION:=base CATEGORY:=Base system - DEPENDS:=+netifd +libc +procd +jsonfilter + DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign TITLE:=Base filesystem for OpenWrt URL:=http://openwrt.org/ VERSION:=$(PKG_RELEASE)-$(REVISION) @@ -87,8 +89,23 @@ define Build/Compile/Default endef Build/Compile = $(Build/Compile/Default) +ifdef CONFIG_SIGNED_PACKAGES + define Build/Configure + [ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \ + $(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key" + + endef + + define Package/base-files/install-key + mkdir -p $(1)/etc/opkg/keys + $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub` + + endef +endif + define Package/base-files/install $(CP) ./files/* $(1)/ + $(Package/base-files/install-key) if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \ $(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \ fi diff --git a/package/system/opkg/Makefile b/package/system/opkg/Makefile index 391adfa0d9..4f30ec2114 100644 --- a/package/system/opkg/Makefile +++ b/package/system/opkg/Makefile @@ -26,6 +26,8 @@ PKG_REMOVE_FILES = autogen.sh aclocal.m4 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING +PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES + PKG_BUILD_PARALLEL:=1 HOST_BUILD_PARALLEL:=1 PKG_INSTALL:=1 
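Review bot: The `Build/Configure` guard added to package/base-files/Makefile regenerates the whole key pair whenever either `$(BUILD_KEY)` or `$(BUILD_KEY).pub` is missing or empty. If only the `.pub` file is lost, `usign -G` would presumably write a new secret key over the surviving one, and images built afterwards would trust a different key than devices already deployed. Failing with an explicit error when exactly one of the two files exists would be safer than silently regenerating. Nothing in the hunk restricts the mode of the generated secret key either; unless usign does that itself, a `chmod 600 $(BUILD_KEY)` after generation would keep it from being readable under a permissive umask.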
@@ -91,7 +93,11 @@ CONFIGURE_ARGS += \ --with-opkglockfile=/var/lock/opkg.lock ifeq ($(BUILD_VARIANT),smime) - CONFIGURE_ARGS += --enable-openssl --enable-sha256 + CONFIGURE_ARGS += --enable-openssl --enable-sha256 --disable-usign +else + ifndef CONFIG_SIGNED_PACKAGES + CONFIGURE_ARGS += --disable-usign + endif endif MAKE_FLAGS = \ @@ -105,6 +111,9 @@ define Package/opkg/Default/install $(INSTALL_DIR) $(1)/bin $(INSTALL_DIR) $(1)/etc $(INSTALL_DATA) ./files/opkg$(2).conf $(1)/etc/opkg.conf + ifneq ($(CONFIG_SIGNED_PACKAGES),) + echo "option check_signature 1" >> $(1)/etc/opkg.conf + endif ifeq ($(CONFIG_PER_FEED_REPO),) echo "src/gz %n %U" >> $(1)/etc/opkg.conf else @@ -121,7 +130,11 @@ define Package/opkg/Default/install $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/opkg-cl $(1)/bin/opkg endef -Package/opkg/install = $(call Package/opkg/Default/install,$(1),) +define Package/opkg/install + $(call Package/opkg/Default/install,$(1),) + mkdir $(1)/usr/sbin + $(INSTALL_BIN) ./files/opkg-key $(1)/usr/sbin/ +endef define Package/opkg-smime/install $(call Package/opkg/Default/install,$(1),-smime) diff --git a/package/system/opkg/files/opkg-key b/package/system/opkg/files/opkg-key new file mode 100755 index 0000000000..ae5e8a4591 --- /dev/null +++ b/package/system/opkg/files/opkg-key 
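Review bot: `mkdir $(1)/usr/sbin` in the new `Package/opkg/install` has no `-p`, so it fails if the directory already exists or if `$(1)/usr` has not been created yet. `$(INSTALL_DIR) $(1)/usr/sbin` would match how `Package/opkg/Default/install` creates `$(1)/bin` and `$(1)/etc`. The `opkg-key` script is also installed whether or not `CONFIG_SIGNED_PACKAGES` is set, although it only wraps `usign`, which base-files depends on solely under that option. Wrapping the two added lines in the same `ifneq ($(CONFIG_SIGNED_PACKAGES),)` test used in the `-105,6` hunk would avoid shipping a helper that cannot run.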
@@ -0,0 +1,56 @@ +#!/bin/sh + +usage() { + cat < +Commands: + add : Add keyfile to opkg trusted keys + remove : Remove keyfile matching from opkg trusted keys + verify : Check list file against signature file + +EOF + exit 1 +} + +opkg_key_verify() { + local sigfile="$1" + local msgfile="$2" + + ( + zcat "$msgfile" 2>/dev/null || + cat "$msgfile" 2>/dev/null + ) | usign -V -P /etc/opkg/keys -q -x "$sigfile" -m - +} + +opkg_key_add() { + local key="$1" + [ -n "$key" ] || usage + [ -f "$key" ] || echo "Cannot open file $1" + local fingerprint="$(usign -F -p "$key")" + mkdir -p "/etc/opkg/keys" + cp "$key" "/etc/opkg/keys/$fingerprint" +} + +opkg_key_remove() { + local key="$1" + [ -n "$key" ] || usage + [ -f "$key" ] || echo "Cannot open file $1" + local fingerprint="$(usign -F -p "$key")" + rm -f "/etc/opkg/keys/$fingerprint" +} + +case "$1" in + add) + shift + opkg_key_add "$@" + ;; + remove) + shift + opkg_key_remove "$@" + ;; + verify) + shift + opkg_key_verify "$@" + ;; + *) usage ;; +esac diff --git a/rules.mk b/rules.mk index e61cc3fde9..e13d8ccc9f 100644 --- a/rules.mk +++ b/rules.mk @@ -207,6 +207,8 @@ else TARGET_NM:=$(TARGET_CROSS)nm endif +BUILD_KEY=$(TOPDIR)/key-build + TARGET_CC:=$(TARGET_CROSS)gcc TARGET_CXX:=$(TARGET_CROSS)g++ KPATCH:=$(SCRIPT_DIR)/patch-kernel.sh
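Review bot: In `opkg_key_add` and `opkg_key_remove` the check `[ -f "$key" ] || echo "Cannot open file $1"` only prints a message and then carries on, and the output of `usign -F` is never checked. If the file exists but yields no fingerprint, `add` copies it into `/etc/opkg/keys/` under its own name and returns success, so a caller relying on the exit status cannot tell that no usable trusted key was installed. Suggest `[ -f "$key" ] || { echo "Cannot open file $1" >&2; exit 1; }` and, after the fingerprint line, `[ -n "$fingerprint" ] || exit 1` in both functions. `opkg_key_verify` does not check that both arguments were given; it appears to fail closed through `usign -V`, but a `usage` call for missing arguments would make the failure explicit.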