From cbdd346b11c6f125f48cdb1e95870d16e5c0d628 Mon Sep 17 00:00:00 2001
From: Steven Barth
Date: Wed, 2 Oct 2013 12:12:10 +0000
Subject: Add package signing infrastructure
Add package signing key and certificate configuration options to the "Image configuration" submenu. If enabled, the Packages.gz list will be signed as file Packages.sig. The passphrase for the signing key can be sourced from a file or entered by the user. The signing certificate is automatically added to the firmware image if opkg-smime is selected.
Signed-off-by: Evan Hunt
Signed-off-by: Steven Barth
SVN-Revision: 38284
---
package/Makefile | 31 ++++++++++++++++++++++++++++---
1 file changed, 28 insertions(+), 3 deletions(-)
(limited to 'package/Makefile')
diff --git a/package/Makefile b/package/Makefile
index 00ac773..bac7001 100644
--- a/package/Makefile
+++ b/package/Makefile
@@ -120,10 +120,35 @@ $(curdir)/install: $(TMP_DIR)/.build
 $(if $(CONFIG_CLEAN_IPKG),rm -rf $(TARGET_DIR)/usr/lib/opkg)
 $(call mklibs)
+PASSOPT=""
+PASSARG=""
+ifndef CONFIG_OPKGSMIME_PASSPHRASE
+ ifneq ($(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE)),)
+ PASSOPT="-passin"
+ PASSARG="file:$(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE))"
+ endif
+endif
+
 $(curdir)/index: FORCE
- @(cd $(PACKAGE_DIR); $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
- gzip -9c Packages > Packages.gz \
- )
+ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),)
+ @echo Signing key has not been configured
+else
+ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_CERT)),)
+ @echo Certificate has not been configured
+else
+ @echo Generating package index...
+ @(cd $(PACKAGE_DIR); \
+ $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
+ gzip -9c Packages > Packages.gz )
+ @echo Signing package index...
+ @(cd $(PACKAGE_DIR); \
+ openssl smime -binary -in Packages.gz \
+ -out Packages.sig -outform PEM -sign \
+ -signer $(CONFIG_OPKGSMIME_CERT) \
+ -inkey $(CONFIG_OPKGSMIME_KEY) \
+ $(PASSOPT) $(PASSARG) )
+endif
+endif
 $(curdir)/preconfig:
--
cgit v1.1
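Review bot: With no signing key or certificate configured, the `$(curdir)/index` recipe now only echoes a message and exits successfully, because the `ipkg-make-index.sh`/`gzip` step sits inside the innermost `else`. The description presents signing as optional, so an unsigned build ends up with no fresh Packages.gz and nothing fails. Move the `Generating package index...` echo and its subshell above the first `ifeq` so that only the `openssl smime` step stays conditional. Separately, `PASSOPT=""` and `PASSARG=""` keep the quotes as part of the make value, so when no passphrase file is used the recipe hands openssl two empty arguments; writing `PASSOPT:=` and `PASSARG:=` with nothing after the operator avoids that. `-signer` and `-inkey` also receive the raw config values while the `ifeq` tests use `qstrip`; `-inkey "$(call qstrip,$(CONFIG_OPKGSMIME_KEY))"` would match how `PASSARG` is built.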