This repository is a mirror of https://git.openwrt.org/openwrt/openwrt.git It is for reference only and is not active for check-ins. We will continue to accept Pull Requests here. They will be merged via staging trees then into openwrt.git.
Go to file
Paul Spooren 418362b1cc imagebuilder: add package signature verification
The ImageBuilder downloads pre-built packages and adds them to images.
This process uses `opkg` which has the capability to verify package list
signatures via `usign`, as enabled per default on running OpenWrt
devices.

Until now this was disabled for ImageBuilders because neither the `opkg`
keys nor the `opkg-add` script was present during first packagelist
update.

To harden the ImageBuilder against *drive-by-download-attacks* both keys
and verification script are added to the ImageBuilder allowing `opkg` to
verify downloaded package indices.

This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys
folder is added to ImageBuilder $TOPDIR to have an obvious place for users to
store their own keys. The `option check_signature` is appended to the
repositories.conf file. All of the above only happens if the Buildbot
runs with the SIGNATURE_CHECK option.

The keys stored in the ImageBuilder keys/ are the same as included in
the openwrt-keyring package. To avoid the chicken-egg problem of
downloading and verifying a package, containing signing keys, the keys
are added during the ImageBuilder generation. They are same as in
shipped images (stored at `/etc/opkg/keys/`).

To allow a local package feed in which the user can add additional
packages, a local set of `usign` and `ucert` keys is generated, same as
building OpenWrt from source. The private key signs the local repository
inside the packages/ folder. The local public key is added to the keys/
folder to be considered by `opkg` when updating repositories. This way a
local package feed can be modified while requiring `opkg` to check
signatures for remote feed, making HTTPS optional.

The new option `ADD_LOCAL_KEY` allows to add the local key inside the
created images, adding the advantage that sysupgrades can validate the
ImageBuilders local key.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-19 22:15:00 +00:00
.github build: Update README & github help 2018-07-08 09:41:53 +01:00
config refpolicy: add variant that builds modular policy 2020-11-09 13:06:19 +00:00
include build: create $(PKG_SYMVERS_DIR) if non-existent 2020-11-19 18:52:15 +01:00
package base-files: generated named bridge-vlan sections 2020-11-19 15:38:37 +01:00
scripts scripts: add const_structs.checkpatch for checkpatch.pl 2020-11-18 21:50:58 +01:00
target imagebuilder: add package signature verification 2020-11-19 22:15:00 +00:00
toolchain glibc: update to latest 2.32 commit (BZ #25399) 2020-11-12 17:49:20 +01:00
tools tools/bc: use autoreconf to fix build failure on macOS with recent Xcode versions 2020-11-14 14:48:30 +01:00
.gitattributes add .gitattributes to prevent the git autocrlf option from messing with CRLF/LF in files 2012-05-08 13:30:49 +00:00
.gitignore build: improve ccache support 2020-07-11 15:19:53 +02:00
BSDmakefile add missing copyright header 2007-02-26 01:05:09 +00:00
Config.in merge: base: update base-files and basic config 2017-12-08 19:41:18 +01:00
feeds.conf.default feeds: add freifunk feed 2020-06-24 14:58:17 +02:00
LICENSE LICENSE: use updated GNU copy 2020-08-02 15:54:43 +02:00
logo.svg README: port to 21st century 2020-08-02 15:44:40 +02:00
Makefile build: improve ccache support 2020-07-11 15:19:53 +02:00
README.md README: port to 21st century 2020-08-02 15:44:40 +02:00
rules.mk rules.mk: simplify FAKEROOT command line 2020-10-30 00:39:09 +00:00

OpenWrt logo

OpenWrt Project is a Linux operating system targeting embedded devices. Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application. For developers, OpenWrt is the framework to build an application without having to build a complete firmware around it; for users this means the ability for full customization, to use the device in ways never envisioned.

Sunshine!

Development

To build your own firmware you need a GNU/Linux, BSD or MacOSX system (case sensitive filesystem required). Cygwin is unsupported because of the lack of a case sensitive file system.

Requirements

You need the following tools to compile OpenWrt, the package names vary between distributions. A complete list with distribution specific packages is found in the Build System Setup documentation.

gcc binutils bzip2 flex python3 perl make find grep diff unzip gawk getopt
subversion libz-dev libc-dev

Quickstart

  1. Run ./scripts/feeds update -a to obtain all the latest package definitions defined in feeds.conf / feeds.conf.default

  2. Run ./scripts/feeds install -a to install symlinks for all obtained packages into package/feeds/

  3. Run make menuconfig to select your preferred configuration for the toolchain, target system & firmware packages.

  4. Run make to build your firmware. This will download all sources, build the cross-compile toolchain and then cross-compile the GNU/Linux kernel & all chosen applications for your target system.

The main repository uses multiple sub-repositories to manage packages of different categories. All packages are installed via the OpenWrt package manager called opkg. If you're looking to develop the web interface or port packages to OpenWrt, please find the fitting repository below.

Support Information

For a list of supported devices see the OpenWrt Hardware Database

Documentation

Support Community

  • Forum: For usage, projects, discussions and hardware advise.
  • Support Chat: Channel #openwrt on freenode.net.

Developer Community

License

OpenWrt is licensed under GPL-2.0