aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPaul Spooren <mail@aparcar.org>2019-09-24 12:32:56 -1000
committerJohn Crispin <john@phrozen.org>2019-10-21 14:07:08 +0200
commit2ae5100d707057c29ed2ebdd0ae31b50a333f95b (patch)
tree794f35cfc87ec2f38590d6bae36c32e277af8706
parent4a45e69d190f72ed94878487b271ed7651dd9efa (diff)
downloadupstream-2ae5100d707057c29ed2ebdd0ae31b50a333f95b.tar.gz
upstream-2ae5100d707057c29ed2ebdd0ae31b50a333f95b.tar.bz2
upstream-2ae5100d707057c29ed2ebdd0ae31b50a333f95b.zip
build: add script to sign packages
This script allows image signing indipendend of the actual build process, to run on a master server after receiving freshly backed images. Idea is to avoid storying private keys on third party builders while still beeing to be able to sign packages. Run ./scripts/sign_images.sh with the following env vars: * TOP_DIR where to search for sysupgrade.bin images * BUILD_KEY place of key-build{,.pub,.ucert} * REMOVE_OTHER_SIGNATURES removes signatures added by e.g. buildbots Only sysupgrade.bin files are touched as factory.bin signatures wouldn't be evaluated on stock from. Signed-off-by: Paul Spooren <mail@aparcar.org>
-rwxr-xr-xscripts/sign_images.sh27
1 files changed, 27 insertions, 0 deletions
diff --git a/scripts/sign_images.sh b/scripts/sign_images.sh
new file mode 100755
index 0000000000..c41b21e091
--- /dev/null
+++ b/scripts/sign_images.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# directory where search for images
+TOP_DIR="${TOP_DIR:-./bin/targets}"
+# key to sign images
+BUILD_KEY="${BUILD_KEY:-key-build}" # TODO unifiy naming?
+# remove other signatures (added e.g. by buildbot)
+REMOVE_OTER_SIGNATURES="${REMOVE_OTER_SIGNATURES:-1}"
+
+# find all sysupgrade images in TOP_DIR
+# factory images don't need signatures as non OpenWrt system doen't check them anyway
+for image in $(find $TOP_DIR -type f -name "*-sysupgrade.bin"); do
+ # check if image actually support metadata
+ if fwtool -i /dev/null "$image"; then
+ # remove all previous signatures
+ if [ -n "$REMOVE_OTER_SIGNATURES" ]; then
+ while [ "$?" = 0 ]; do
+ fwtool -t -s /dev/null "$image"
+ done
+ fi
+ # run same operation as build root does for signing
+ cp "$BUILD_KEY.ucert" "$image.ucert"
+ usign -S -m "$image" -s "$BUILD_KEY" -x "$image.sig"
+ ucert -A -c "$image.ucert" -x "$image.sig"
+ fwtool -S "$image.ucert" "$image"
+ fi
+done