build: add integration for managing opkg package feed keys

Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 45286
2015-04-06 19:39:51 +00:00
parent dde8214d16
commit beca028bd6
7 changed files with 106 additions and 5 deletions
--- a/package/system/opkg/Makefile
+++ b/package/system/opkg/Makefile
@@ -26,6 +26,8 @@ PKG_REMOVE_FILES = autogen.sh aclocal.m4
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING

+PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
+
 PKG_BUILD_PARALLEL:=1
 HOST_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
@@ -91,7 +93,11 @@ CONFIGURE_ARGS += \
 	--with-opkglockfile=/var/lock/opkg.lock

 ifeq ($(BUILD_VARIANT),smime)
-	CONFIGURE_ARGS += --enable-openssl --enable-sha256
+	CONFIGURE_ARGS += --enable-openssl --enable-sha256 --disable-usign
+else
+  ifndef CONFIG_SIGNED_PACKAGES
+    CONFIGURE_ARGS += --disable-usign
+  endif
 endif

 MAKE_FLAGS = \
@@ -105,6 +111,9 @@ define Package/opkg/Default/install
 	$(INSTALL_DIR) $(1)/bin
 	$(INSTALL_DIR) $(1)/etc
 	$(INSTALL_DATA) ./files/opkg$(2).conf $(1)/etc/opkg.conf
+  ifneq ($(CONFIG_SIGNED_PACKAGES),)
+	echo "option check_signature 1" >> $(1)/etc/opkg.conf
+  endif
  ifeq ($(CONFIG_PER_FEED_REPO),)
 	echo "src/gz %n %U" >> $(1)/etc/opkg.conf
  else
@@ -121,7 +130,11 @@ define Package/opkg/Default/install
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/opkg-cl $(1)/bin/opkg
 endef

-Package/opkg/install = $(call Package/opkg/Default/install,$(1),)
+define Package/opkg/install
+	$(call Package/opkg/Default/install,$(1),)
+	mkdir $(1)/usr/sbin
+	$(INSTALL_BIN) ./files/opkg-key $(1)/usr/sbin/
+endef

 define Package/opkg-smime/install
 	$(call Package/opkg/Default/install,$(1),-smime)
--- a/package/system/opkg/files/opkg-key
+++ b/package/system/opkg/files/opkg-key
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+usage() {
+	cat <<EOF
+Usage: $0 <command> <arguments...>
+Commands:
+  add <file>:			Add keyfile <file> to opkg trusted keys
+  remove <file>:		Remove keyfile matching <file> from opkg trusted keys
+  verify <sigfile> <list>:	Check list file <list> against signature file <sigfile>
+
+EOF
+	exit 1
+}
+
+opkg_key_verify() {
+	local sigfile="$1"
+	local msgfile="$2"
+
+	(
+		zcat "$msgfile" 2>/dev/null ||
+		cat "$msgfile" 2>/dev/null
+	) | usign -V -P /etc/opkg/keys -q -x "$sigfile" -m -
+}
+
+opkg_key_add() {
+	local key="$1"
+	[ -n "$key" ] || usage
+	[ -f "$key" ] || echo "Cannot open file $1"
+	local fingerprint="$(usign -F -p "$key")"
+	mkdir -p "/etc/opkg/keys"
+	cp "$key" "/etc/opkg/keys/$fingerprint"
+}
+
+opkg_key_remove() {
+	local key="$1"
+	[ -n "$key" ] || usage
+	[ -f "$key" ] || echo "Cannot open file $1"
+	local fingerprint="$(usign -F -p "$key")"
+	rm -f "/etc/opkg/keys/$fingerprint"
+}
+
+case "$1" in
+	add)
+		shift
+		opkg_key_add "$@"
+		;;
+	remove)
+		shift
+		opkg_key_remove "$@"
+		;;
+	verify)
+		shift
+		opkg_key_verify "$@"
+		;;
+	*) usage ;;
+esac