diff options
author | Paul Spooren <mail@aparcar.org> | 2019-09-24 12:32:56 -1000 |
---|---|---|
committer | John Crispin <john@phrozen.org> | 2019-10-21 14:07:08 +0200 |
commit | 2ae5100d707057c29ed2ebdd0ae31b50a333f95b (patch) | |
tree | 794f35cfc87ec2f38590d6bae36c32e277af8706 /scripts | |
parent | 4a45e69d190f72ed94878487b271ed7651dd9efa (diff) | |
download | upstream-2ae5100d707057c29ed2ebdd0ae31b50a333f95b.tar.gz upstream-2ae5100d707057c29ed2ebdd0ae31b50a333f95b.tar.bz2 upstream-2ae5100d707057c29ed2ebdd0ae31b50a333f95b.zip |
build: add script to sign packages
This script allows image signing indipendend of the actual build
process, to run on a master server after receiving freshly backed
images. Idea is to avoid storying private keys on third party builders
while still beeing to be able to sign packages.
Run ./scripts/sign_images.sh with the following env vars:
* TOP_DIR where to search for sysupgrade.bin images
* BUILD_KEY place of key-build{,.pub,.ucert}
* REMOVE_OTHER_SIGNATURES removes signatures added by e.g. buildbots
Only sysupgrade.bin files are touched as factory.bin signatures wouldn't
be evaluated on stock from.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/sign_images.sh | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/scripts/sign_images.sh b/scripts/sign_images.sh new file mode 100755 index 0000000000..c41b21e091 --- /dev/null +++ b/scripts/sign_images.sh @@ -0,0 +1,27 @@ +#!/bin/sh + +# directory where search for images +TOP_DIR="${TOP_DIR:-./bin/targets}" +# key to sign images +BUILD_KEY="${BUILD_KEY:-key-build}" # TODO unifiy naming? +# remove other signatures (added e.g. by buildbot) +REMOVE_OTER_SIGNATURES="${REMOVE_OTER_SIGNATURES:-1}" + +# find all sysupgrade images in TOP_DIR +# factory images don't need signatures as non OpenWrt system doen't check them anyway +for image in $(find $TOP_DIR -type f -name "*-sysupgrade.bin"); do + # check if image actually support metadata + if fwtool -i /dev/null "$image"; then + # remove all previous signatures + if [ -n "$REMOVE_OTER_SIGNATURES" ]; then + while [ "$?" = 0 ]; do + fwtool -t -s /dev/null "$image" + done + fi + # run same operation as build root does for signing + cp "$BUILD_KEY.ucert" "$image.ucert" + usign -S -m "$image" -s "$BUILD_KEY" -x "$image.sig" + ucert -A -c "$image.ucert" -x "$image.sig" + fwtool -S "$image.ucert" "$image" + fi +done |