From cbdd346b11c6f125f48cdb1e95870d16e5c0d628 Mon Sep 17 00:00:00 2001
From: Steven Barth <cyrus@openwrt.org>
Date: Wed, 2 Oct 2013 12:12:10 +0000
Subject: Add package signing infrastructure

Add package signing key and certificate configuration options to the
"Image configuration" submenu. If enabled, the Packages.gz list will
be signed as file Packages.sig. The passphrase for the signing key can
be sourced from a file or entered by the user. The signing certificate
is automatically added to the firmware image if opkg-smime is selected.

Signed-off-by: Evan Hunt <each@isc.org>
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 38284
---
 package/base-files/image-config.in | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

(limited to 'package/base-files/image-config.in')

diff --git a/package/base-files/image-config.in b/package/base-files/image-config.in
index ac08c8da7c..a9eb78c4f9 100644
--- a/package/base-files/image-config.in
+++ b/package/base-files/image-config.in
@@ -183,3 +183,41 @@ menuconfig VERSIONOPT
 			 %d .. Distribution name or "openwrt", lowercase
 			 %T .. Target name
 			 %S .. Target/Subtarget name
+
+menuconfig SMIMEOPT
+	bool "Package signing options" if IMAGEOPT
+        default n
+	help
+		These options configure the signing key and certificate to
+		be used for signing and verifying packages.
+
+	config OPKGSMIME_CERT
+		string
+		prompt "Path to certificate (PEM certificate format)" if SMIMEOPT
+		help
+		  Path to the certificate to use for signature verification
+
+	config OPKGSMIME_KEY
+		string
+		prompt "Path to signing key (PEM private key format)" if SMIMEOPT
+		help
+		  Path to the key to use for signing packages
+
+	config OPKGSMIME_PASSPHRASE
+		bool
+		default y
+		prompt "Wait for a passphrase when signing packages?" if SMIMEOPT
+		help
+		  If this value is set, then the build will pause and request a passphrase
+                  from the command line when signing packages. This SHOULD NOT be used with
+                  automatic builds. If this value is not set, a file can be specified from
+                  which the passphrase will be read.
+
+	config OPKGSMIME_PASSFILE
+		string
+		prompt "Path to a file containing the passphrase" if SMIMEOPT
+                depends on !OPKGSMIME_PASSPHRASE
+		help
+		  Path to a file containing the passphrase for the signing key.
+                  If the signing key is not encrypted and does not require a passphrase,
+                  this option may be left blank.
-- 
cgit v1.2.3