From f0bca34f16327c6001515f9c73c2c284574c7b6d Mon Sep 17 00:00:00 2001
From: Josh Roys
Date: Sat, 23 Jul 2022 11:23:16 -0400
Subject: scripts: always check certificates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove flags from wget and curl instructing them to ignore bad server certificates. Although other mechanisms can protect against malicious modifications of downloads, other vectors of attack may be available to an adversary. TLS certificate verification can be disabled by turning oof the "Enable TLS certificate verification during package download" option enabled by default in the "Global build settings" in "make menuconfig"
Signed-off-by: Josh Roys
[ add additional info on how to disable this option ]
Signed-off-by: Christian Marangi
Signed-off-by: Petr Štetiar [backport]
(cherry picked from commit 90c6e3aedf167b0ae1baf376e7800a631681e69a)
---
 rules.mk | 3 +++
 1 file changed, 3 insertions(+) (limited to 'rules.mk')
diff --git a/rules.mk b/rules.mk
index da9bee2899..7c83d90eda 100644
--- a/rules.mk
+++ b/rules.mk
@@ -265,6 +265,9 @@ TARGET_CXX:=$(TARGET_CROSS)g++
 KPATCH:=$(SCRIPT_DIR)/patch-kernel.sh
 SED:=$(STAGING_DIR_HOST)/bin/sed -i -e
 ESED:=$(STAGING_DIR_HOST)/bin/sed -E -i -e
+# DOWNLOAD_CHECK_CERTIFICATE is used in /scripts, so we export it here.
+DOWNLOAD_CHECK_CERTIFICATE:=$(CONFIG_DOWNLOAD_CHECK_CERTIFICATE)
+export DOWNLOAD_CHECK_CERTIFICATE
 CP:=cp -fpR
 LN:=ln -sf
 XARGS:=xargs -r
--
cgit v1.2.3
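Review bot: The exported value cannot distinguish "verification turned off" from "CONFIG_DOWNLOAD_CHECK_CERTIFICATE not defined at all" (an older .config carried across this backport, or rules.mk read before .config is loaded), because a disabled Kconfig bool and a missing symbol both expand to empty in `DOWNLOAD_CHECK_CERTIFICATE:=$(CONFIG_DOWNLOAD_CHECK_CERTIFICATE)`. The consumers under scripts/ are not part of this view (the diff is limited to rules.mk), so it is worth confirming how they treat an empty value: if they verify only when it equals `y`, a stale configuration would download without certificate checks and give no indication of it. At minimum the comment should state the contract the scripts rely on, e.g. `# Exported for scripts/: "y" = verify TLS certificates on download; empty = verification off or symbol unset.`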