Add package signing infrastructure

Add package signing key and certificate configuration options to the
"Image configuration" submenu. If enabled, the Packages.gz list will
be signed as file Packages.sig. The passphrase for the signing key can
be sourced from a file or entered by the user. The signing certificate
is automatically added to the firmware image if opkg-smime is selected.

Signed-off-by: Evan Hunt <each@isc.org>
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 38284
This commit is contained in:
Steven Barth 2013-10-02 12:12:10 +00:00
parent 0ad1d06c13
commit cbdd346b11
5 changed files with 76 additions and 5 deletions

View File

@ -168,6 +168,10 @@ $(eval $(call RequireCommand,svn, \
Please install the subversion client. \ Please install the subversion client. \
)) ))
$(eval $(call RequireCommand,openssl, \
Please install openssl. \
))
define Require/gnu-find define Require/gnu-find
$(FIND) --version 2>/dev/null $(FIND) --version 2>/dev/null
endef endef

View File

@ -120,10 +120,35 @@ $(curdir)/install: $(TMP_DIR)/.build
$(if $(CONFIG_CLEAN_IPKG),rm -rf $(TARGET_DIR)/usr/lib/opkg) $(if $(CONFIG_CLEAN_IPKG),rm -rf $(TARGET_DIR)/usr/lib/opkg)
$(call mklibs) $(call mklibs)
PASSOPT=""
PASSARG=""
ifndef CONFIG_OPKGSMIME_PASSPHRASE
ifneq ($(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE)),)
PASSOPT="-passin"
PASSARG="file:$(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE))"
endif
endif
$(curdir)/index: FORCE $(curdir)/index: FORCE
@(cd $(PACKAGE_DIR); $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \ ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),)
gzip -9c Packages > Packages.gz \ @echo Signing key has not been configured
) else
ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_CERT)),)
@echo Certificate has not been configured
else
@echo Generating package index...
@(cd $(PACKAGE_DIR); \
$(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
gzip -9c Packages > Packages.gz )
@echo Signing package index...
@(cd $(PACKAGE_DIR); \
openssl smime -binary -in Packages.gz \
-out Packages.sig -outform PEM -sign \
-signer $(CONFIG_OPKGSMIME_CERT) \
-inkey $(CONFIG_OPKGSMIME_KEY) \
$(PASSOPT) $(PASSARG) )
endif
endif
$(curdir)/preconfig: $(curdir)/preconfig:

View File

@ -183,3 +183,41 @@ menuconfig VERSIONOPT
%d .. Distribution name or "openwrt", lowercase %d .. Distribution name or "openwrt", lowercase
%T .. Target name %T .. Target name
%S .. Target/Subtarget name %S .. Target/Subtarget name
menuconfig SMIMEOPT
bool "Package signing options" if IMAGEOPT
default n
help
These options configure the signing key and certificate to
be used for signing and verifying packages.
config OPKGSMIME_CERT
string
prompt "Path to certificate (PEM certificate format)" if SMIMEOPT
help
Path to the certificate to use for signature verification
config OPKGSMIME_KEY
string
prompt "Path to signing key (PEM private key format)" if SMIMEOPT
help
Path to the key to use for signing packages
config OPKGSMIME_PASSPHRASE
bool
default y
prompt "Wait for a passphrase when signing packages?" if SMIMEOPT
help
If this value is set, then the build will pause and request a passphrase
from the command line when signing packages. This SHOULD NOT be used with
automatic builds. If this value is not set, a file can be specified from
which the passphrase will be read.
config OPKGSMIME_PASSFILE
string
prompt "Path to a file containing the passphrase" if SMIMEOPT
depends on !OPKGSMIME_PASSPHRASE
help
Path to a file containing the passphrase for the signing key.
If the signing key is not encrypted and does not require a passphrase,
this option may be left blank.

View File

@ -109,8 +109,12 @@ define Package/opkg/Default/install
endef endef
Package/opkg/install = $(call Package/opkg/Default/install,$(1),) Package/opkg/install = $(call Package/opkg/Default/install,$(1),)
Package/opkg-smime/install = $(call Package/opkg/Default/install,$(1),-smime)
define Package/opkg-smime/install
$(call Package/opkg/Default/install,$(1),-smime)
$(INSTALL_DIR) $(1)/etc/ssl/certs
$(if $(CONFIG_OPKGSMIME_CERT),$(INSTALL_DATA) $(call qstrip,$(CONFIG_OPKGSMIME_CERT)) $(1)/etc/ssl/certs/opkg.pem,)
endef
define Build/InstallDev define Build/InstallDev
mkdir -p $(1)/usr/include mkdir -p $(1)/usr/include

View File

@ -4,4 +4,4 @@ dest ram /tmp
lists_dir ext /var/opkg-lists lists_dir ext /var/opkg-lists
option overlay_root /overlay option overlay_root /overlay
option check_signature 1 option check_signature 1
option signature_ca_path /etc/ssl/certs/ option signature_ca_file /etc/ssl/certs/opkg.pem