path: root/target/imagebuilder/Makefile
author: Paul Spooren <mail@aparcar.org> 2020-11-02 12:15:05 -1000
committer: Daniel Golle <daniel@makrotopia.org> 2020-11-19 22:15:00 +0000
commit: 418362b1cc106b9aca3905150199f60548906fff
tree: 2d47ae0121e3c893975359dc9bc214d29ed597f5 /target/imagebuilder/Makefile
parent: 2127accd441b1c979c8f3f56f3ad5264542e185a
imagebuilder: add package signature verification

The ImageBuilder downloads pre-built packages and adds them to images. This process uses `opkg` which has the capability to verify package list signatures via `usign`, as enabled per default on running OpenWrt devices. Until now this was disabled for ImageBuilders because neither the `opkg` keys nor the `opkg-add` script was present during first packagelist update.

To harden the ImageBuilder against *drive-by-download-attacks* both keys and verification script are added to the ImageBuilder allowing `opkg` to verify downloaded package indices.

This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys folder is added to ImageBuilder $TOPDIR to have an obvious place for users to store their own keys. The `option check_signature` is appended to the repositories.conf file. All of the above only happens if the Buildbot runs with the SIGNATURE_CHECK option.

The keys stored in the ImageBuilder keys/ are the same as included in the openwrt-keyring package. To avoid the chicken-egg problem of downloading and verifying a package, containing signing keys, the keys are added during the ImageBuilder generation. They are the same as in shipped images (stored at `/etc/opkg/keys/`).

To allow a local package feed in which the user can add additional packages, a local set of `usign` and `ucert` keys is generated, same as building OpenWrt from source. The private key signs the local repository inside the packages/ folder. The local public key is added to the keys/ folder to be considered by `opkg` when updating repositories. This way a local package feed can be modified while requiring `opkg` to check signatures for remote feed, making HTTPS optional.

The new option `ADD_LOCAL_KEY` allows adding the local key inside the created images, adding the advantage that sysupgrades can validate the ImageBuilder's local key.

Signed-off-by: Paul Spooren <mail@aparcar.org>

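An added example, not part of the commit or of the OpenWrt tree: a POSIX shell check that an unpacked ImageBuilder carries the three artifacts the diff below installs when `CONFIG_SIGNATURE_CHECK` is set. The paths are taken from the diff; the function name `audit_imagebuilder` is hypothetical.

```shell
#!/bin/sh
# Added example (not OpenWrt code). Audits an unpacked ImageBuilder tree for
# the artifacts the Makefile hunk installs under CONFIG_SIGNATURE_CHECK.
# audit_imagebuilder is a hypothetical name; call it as:
#   audit_imagebuilder /path/to/unpacked/imagebuilder
# Returns 0 only if all three checks pass; prints one line per check.
audit_imagebuilder() {
    ib_dir=$1
    rc=0

    # 1. The option must be an active line; a commented-out
    #    "# option check_signature" must not count as enabled.
    if grep -Eq '^[[:space:]]*option[[:space:]]+check_signature([[:space:]]|$)' \
        "$ib_dir/repositories.conf" 2>/dev/null; then
        echo "ok:   repositories.conf enables check_signature"
    else
        echo "FAIL: repositories.conf lacks an active 'option check_signature'"
        rc=1
    fi

    # 2. keys/ must contain at least one regular file: with no trusted
    #    public key present, no package index signature can verify.
    if [ -d "$ib_dir/keys" ] &&
        [ -n "$(find "$ib_dir/keys" -type f 2>/dev/null | head -n 1)" ]; then
        echo "ok:   keys/ contains key files"
    else
        echo "FAIL: keys/ is missing or empty"
        rc=1
    fi

    # 3. The helper script the hunk copies into scripts/ must be
    #    present and executable.
    if [ -x "$ib_dir/scripts/opkg-key" ]; then
        echo "ok:   scripts/opkg-key is executable"
    else
        echo "FAIL: scripts/opkg-key is missing or not executable"
        rc=1
    fi

    return "$rc"
}
```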
Diffstat (limited to 'target/imagebuilder/Makefile')
-rw-r--r-- target/imagebuilder/Makefile 8
1 files changed, 8 insertions, 0 deletions
diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile
index 8b2f4e5af6..a96f8618e8 100644
--- a/target/imagebuilder/Makefile
+++ b/target/imagebuilder/Makefile
@@ -61,6 +61,14 @@ else
-exec $(CP) -t $(IB_LDIR)/ {} +
endif
+ifneq ($(CONFIG_SIGNATURE_CHECK),)
+ echo '' >> $(PKG_BUILD_DIR)/repositories.conf
+ echo 'option check_signature' >> $(PKG_BUILD_DIR)/repositories.conf
+ $(INSTALL_DIR) $(PKG_BUILD_DIR)/keys
+ $(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/
+ $(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key $(PKG_BUILD_DIR)/scripts/
+endif
+
$(CP) $(TOPDIR)/target/linux $(PKG_BUILD_DIR)/target/
if [ -d $(TOPDIR)/staging_dir/host/lib/grub ]; then \
$(CP) $(TOPDIR)/staging_dir/host/lib/grub/ $(PKG_BUILD_DIR)/staging_dir/host/lib; \
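Review bot: the last added line copies `$(STAGING_DIR_ROOT)/usr/sbin/opkg-key` into `scripts/`, while the commit message says the script being added is `opkg-add`; the message or the path should be corrected so the two agree on which helper ships. In the same block, `$(INSTALL_DIR) $(PKG_BUILD_DIR)/keys` creates a directory that the following `$(CP) -L .../etc/opkg/keys/ $(PKG_BUILD_DIR)/` fills by copying the whole `keys/` directory, so if the staging root has no `etc/opkg/keys/` or no `opkg-key` while `CONFIG_SIGNATURE_CHECK` is set, the copy fails with a bare `cp` error. An explicit existence check with a clear message would make that case easier to diagnose, and a one-line comment above the `ifneq` saying why the keys come from the staging root rather than from a downloaded package would record the chicken-egg reasoning from the commit message where maintainers will see it.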