Add package signing infrastructure

Add package signing key and certificate configuration options to the "Image configuration" submenu. If enabled, the Packages.gz list will be signed as file Packages.sig. The passphrase for the signing key can be sourced from a file or entered by the user. The signing certificate is automatically added to the firmware image if opkg-smime is selected. Signed-off-by: Evan Hunt <each@isc.org> Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 38284
2013-10-02 12:12:10 +00:00
parent 0ad1d06c13
commit cbdd346b11
5 changed files with 76 additions and 5 deletions
--- a/package/Makefile
+++ b/package/Makefile
@@ -120,10 +120,35 @@ $(curdir)/install: $(TMP_DIR)/.build
 	$(if $(CONFIG_CLEAN_IPKG),rm -rf $(TARGET_DIR)/usr/lib/opkg)
 	$(call mklibs)

+PASSOPT=""
+PASSARG=""
+ifndef CONFIG_OPKGSMIME_PASSPHRASE
+  ifneq ($(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE)),)
+    PASSOPT="-passin"
+    PASSARG="file:$(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE))"
+  endif
+endif
+
 $(curdir)/index: FORCE
-	@(cd $(PACKAGE_DIR); $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
-		gzip -9c Packages > Packages.gz \
-	)
+ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),)
+	@echo Signing key has not been configured
+else
+ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_CERT)),)
+	@echo Certificate has not been configured
+else
+	@echo Generating package index...
+	@(cd $(PACKAGE_DIR); \
+		$(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
+		gzip -9c Packages > Packages.gz )
+	@echo Signing package index...
+	@(cd $(PACKAGE_DIR); \
+		openssl smime -binary -in Packages.gz \
+			-out Packages.sig -outform PEM -sign \
+			-signer $(CONFIG_OPKGSMIME_CERT) \
+			-inkey $(CONFIG_OPKGSMIME_KEY) \
+			$(PASSOPT) $(PASSARG) )
+endif
+endif

 $(curdir)/preconfig: