-rw-r--r--include/prereq-build.mk4
-rw-r--r--package/Makefile31
-rw-r--r--package/base-files/image-config.in38
-rw-r--r--package/system/opkg/Makefile6
-rw-r--r--package/system/opkg/files/opkg-smime.conf2
5 files changed, 76 insertions, 5 deletions
diff --git a/include/prereq-build.mk b/include/prereq-build.mk
index 59ea7ef9a7..b7ada69bb4 100644
--- a/include/prereq-build.mk
+++ b/include/prereq-build.mk
@@ -168,6 +168,10 @@ $(eval $(call RequireCommand,svn, \
Please install the subversion client. \
))
+$(eval $(call RequireCommand,openssl, \
+ Please install openssl. \
+))
+
define Require/gnu-find
$(FIND) --version 2>/dev/null
endef
diff --git a/package/Makefile b/package/Makefile
index 00ac773499..bac7001c4f 100644
--- a/package/Makefile
+++ b/package/Makefile
@@ -120,10 +120,35 @@ $(curdir)/install: $(TMP_DIR)/.build
$(if $(CONFIG_CLEAN_IPKG),rm -rf $(TARGET_DIR)/usr/lib/opkg)
$(call mklibs)
+PASSOPT=""
+PASSARG=""
+ifndef CONFIG_OPKGSMIME_PASSPHRASE
+ ifneq ($(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE)),)
+ PASSOPT="-passin"
+ PASSARG="file:$(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE))"
+ endif
+endif
+
$(curdir)/index: FORCE
- @(cd $(PACKAGE_DIR); $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
- gzip -9c Packages > Packages.gz \
- )
+ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),)
+ @echo Signing key has not been configured
+else
+ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_CERT)),)
+ @echo Certificate has not been configured
+else
+ @echo Generating package index...
+ @(cd $(PACKAGE_DIR); \
+ $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
+ gzip -9c Packages > Packages.gz )
+ @echo Signing package index...
+ @(cd $(PACKAGE_DIR); \
+ openssl smime -binary -in Packages.gz \
+ -out Packages.sig -outform PEM -sign \
+ -signer $(CONFIG_OPKGSMIME_CERT) \
+ -inkey $(CONFIG_OPKGSMIME_KEY) \
+ $(PASSOPT) $(PASSARG) )
+endif
+endif
$(curdir)/preconfig:
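Review bot: When `CONFIG_OPKGSMIME_KEY` or `CONFIG_OPKGSMIME_CERT` is empty, the new `$(curdir)/index` recipe only echoes a message and exits 0, so `Packages` and `Packages.gz` are no longer generated at all, and a build that was meant to be signed can finish without a `Packages.sig` and without failing. I would generate the index unconditionally and run the signing step whenever either option is set, so that a half-configured setup fails in openssl instead of being skipped. Separately, `PASSOPT=""` and `PASSARG=""` store the two quote characters literally, so the unencrypted-key case passes two empty arguments to `openssl smime`; leaving both variables empty avoids depending on how openssl treats them. The key and certificate paths are also expanded after `cd $(PACKAGE_DIR)`, so relative paths resolve against that directory, which the help text should mention.

```make
PASSOPT:=
PASSARG:=
# … unchanged: ifndef CONFIG_OPKGSMIME_PASSPHRASE block that sets -passin file:… …

$(curdir)/index: FORCE
# … unchanged: "Generating package index" echo and the ipkg-make-index.sh / gzip command, now outside any conditional …
ifneq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY))$(call qstrip,$(CONFIG_OPKGSMIME_CERT)),)
# … unchanged: "Signing package index" echo and the openssl smime command …
endif
```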
diff --git a/package/base-files/image-config.in b/package/base-files/image-config.in
index ac08c8da7c..a9eb78c4f9 100644
--- a/package/base-files/image-config.in
+++ b/package/base-files/image-config.in
@@ -183,3 +183,41 @@ menuconfig VERSIONOPT
%d .. Distribution name or "openwrt", lowercase
%T .. Target name
%S .. Target/Subtarget name
+
+menuconfig SMIMEOPT
+ bool "Package signing options" if IMAGEOPT
+ default n
+ help
+ These options configure the signing key and certificate to
+ be used for signing and verifying packages.
+
+ config OPKGSMIME_CERT
+ string
+ prompt "Path to certificate (PEM certificate format)" if SMIMEOPT
+ help
+ Path to the certificate to use for signature verification
+
+ config OPKGSMIME_KEY
+ string
+ prompt "Path to signing key (PEM private key format)" if SMIMEOPT
+ help
+ Path to the key to use for signing packages
+
+ config OPKGSMIME_PASSPHRASE
+ bool
+ default y
+ prompt "Wait for a passphrase when signing packages?" if SMIMEOPT
+ help
+ If this value is set, then the build will pause and request a passphrase
+ from the command line when signing packages. This SHOULD NOT be used with
+ automatic builds. If this value is not set, a file can be specified from
+ which the passphrase will be read.
+
+ config OPKGSMIME_PASSFILE
+ string
+ prompt "Path to a file containing the passphrase" if SMIMEOPT
+ depends on !OPKGSMIME_PASSPHRASE
+ help
+ Path to a file containing the passphrase for the signing key.
+ If the signing key is not encrypted and does not require a passphrase,
+ this option may be left blank.
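Review bot: The help for `OPKGSMIME_CERT` says only that the file is used for signature verification, but the opkg-smime install rule in this commit copies that same file into the image as `/etc/ssl/certs/opkg.pem`, so a combined PEM that also holds the private key would ship the key on every device. I would extend the help with `This file is copied into the image as /etc/ssl/certs/opkg.pem; it must contain the certificate only, never the private key.` From the hunks shown, `OPKGSMIME_KEY` and `OPKGSMIME_PASSFILE` are read only on the build host when the index is signed. Their help could say so and recommend that both files be readable by the build user alone.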
diff --git a/package/system/opkg/Makefile b/package/system/opkg/Makefile
index eb3b10a776..3327a8e1ad 100644
--- a/package/system/opkg/Makefile
+++ b/package/system/opkg/Makefile
@@ -109,8 +109,12 @@ define Package/opkg/Default/install
endef
Package/opkg/install = $(call Package/opkg/Default/install,$(1),)
-Package/opkg-smime/install = $(call Package/opkg/Default/install,$(1),-smime)
+define Package/opkg-smime/install
+ $(call Package/opkg/Default/install,$(1),-smime)
+ $(INSTALL_DIR) $(1)/etc/ssl/certs
+ $(if $(CONFIG_OPKGSMIME_CERT),$(INSTALL_DATA) $(call qstrip,$(CONFIG_OPKGSMIME_CERT)) $(1)/etc/ssl/certs/opkg.pem,)
+endef
define Build/InstallDev
mkdir -p $(1)/usr/include
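Review bot: The `$(if $(CONFIG_OPKGSMIME_CERT),...)` test in `Package/opkg-smime/install` uses the raw Kconfig value, while package/Makefile tests the same option through `qstrip`. If an unset string option is written as `""` (likely, but not visible here), the condition is still true and `$(INSTALL_DATA)` runs with an empty source path. Testing the stripped value keeps the two places consistent: `$(if $(call qstrip,$(CONFIG_OPKGSMIME_CERT)),$(INSTALL_DATA) $(call qstrip,$(CONFIG_OPKGSMIME_CERT)) $(1)/etc/ssl/certs/opkg.pem,)`. opkg-smime.conf now names `/etc/ssl/certs/opkg.pem` unconditionally alongside `check_signature 1`, so an image built without a certificate has no trust anchor at that path; failing the install when the option is empty may be preferable to silently skipping the copy. `Build/InstallDev` continues past the end of the hunk.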
diff --git a/package/system/opkg/files/opkg-smime.conf b/package/system/opkg/files/opkg-smime.conf
index 103f231842..849bb65b20 100644
--- a/package/system/opkg/files/opkg-smime.conf
+++ b/package/system/opkg/files/opkg-smime.conf
@@ -4,4 +4,4 @@ dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature 1
-option signature_ca_path /etc/ssl/certs/
+option signature_ca_file /etc/ssl/certs/opkg.pem