Message ID | 20220413073119.458265-1-andrei.fomitchevhervieu@getinge.com |
---|---|
State | Rejected |
Series | [1/1] package/opkg: enable openssl signature |
Hello Andreï,

On Wed, 13 Apr 2022 09:31:19 +0200
Andreï V. FOMITCHEV-HERVIEU <andrei.fomitchevhervieu@getinge.com> wrote:

> OPKG supports either GPG or OpenSSL signature check. It is already possible
> to enable in buildroot the check of GPG signatures. This patch adds similar
> configuration to enable the OpenSSL signature checks.
>
> Signed-off-by: Andreï V. FOMITCHEV-HERVIEU <andrei.fomitchevhervieu@getinge.com>
> Change-Id: Id2c76b3cb39ba5eed5bd0bef7648f7970033b87b

Nice to see you here, thanks for the contribution!

However, are you sure it makes sense to support this and use this?
Indeed, opkg has deprecated the usage of openssl for signature. From
opkg's configure.ac:

    AC_MSG_WARN(OpenSSL signature-checking support is depracted and will be \
    removed in future releases. Consider using GPGME (--enable-gpg) instead.)

So, is it really sensible to support this?

Thomas
Hello Thomas,

Thank you for the point. Maybe you remember, I (still) use the version 2021.02 of buildroot and this version integrates the version 0.4.2 of OPKG. The quoted comment in OPKG sources was introduced in v0.4.5 and the reason is "relatively unused feature" of OpenSSL signatures (https://groups.google.com/g/opkg-devel/c/drqw5_HuXuU).

So I agree, the OPKG project plans make my patch to buildroot useless.

Best regards

From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Sent: Wednesday, 13 April 2022 23:09
To: Andrei FOMITCHEV HERVIEU <andrei.fomitchevhervieu@getinge.com>
Cc: buildroot@buildroot.org
Subject: [EXT] Re: [Buildroot] [PATCH 1/1] package/opkg: enable openssl signature

Hello Andreï,

On Wed, 13 Apr 2022 09:31:19 +0200
Andreï V. FOMITCHEV-HERVIEU <andrei.fomitchevhervieu@getinge.com> wrote:

> OPKG supports either GPG or OpenSSL signature check. It is already possible
> to enable in buildroot the check of GPG signatures. This patch adds similar
> configuration to enable the OpenSSL signature checks.
>
> Signed-off-by: Andreï V. FOMITCHEV-HERVIEU <andrei.fomitchevhervieu@getinge.com>
> Change-Id: Id2c76b3cb39ba5eed5bd0bef7648f7970033b87b

Nice to see you here, thanks for the contribution!

However, are you sure it makes sense to support this and use this?
Indeed, opkg has deprecated the usage of openssl for signature. From
opkg's configure.ac:

    AC_MSG_WARN(OpenSSL signature-checking support is depracted and will be \
    removed in future releases. Consider using GPGME (--enable-gpg) instead.)

So, is it really sensible to support this?

Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
diff --git a/package/opkg/Config.in b/package/opkg/Config.in index 1f6a39343f..2e3f9fca3e 100644 --- a/package/opkg/Config.in +++ b/package/opkg/Config.in @@ -29,5 +29,17 @@ config BR2_PACKAGE_OPKG_GPG_SIGN help Enable opkg package signature checking support using gnupg/libgpgme. +config BR2_PACKAGE_OPKG_OPENSSL_SIGN + bool "openssl support" + select BR2_PACKAGE_OPENSSL + select BR2_PACKAGE_LIBOPENSSL_ENGINES + help + Enable opkg package signature checking support using + openssl. Example of openssl command to generate opkg + signature + openssl smime -sign -in Packages -inkey private.key + -signer public.pem -binary -outform PEM --nodetach + -out Packages.sig + Where Packages is the file to sign endif diff --git a/package/opkg/opkg.mk b/package/opkg/opkg.mk index 501edcf8af..583744ec93 100644 --- a/package/opkg/opkg.mk +++ b/package/opkg/opkg.mk @@ -23,6 +23,8 @@ OPKG_CONF_ENV += \ ac_cv_path_GPGME_CONFIG=$(STAGING_DIR)/usr/bin/gpgme-config \ ac_cv_path_GPGERR_CONFIG=$(STAGING_DIR)/usr/bin/gpg-error-config OPKG_DEPENDENCIES += libgpgme libgpg-error +else ifeq ($(BR2_PACKAGE_OPKG_OPENSSL_SIGN),y) +OPKG_CONF_OPTS += --disable-gpg --enable-openssl else OPKG_CONF_OPTS += --disable-gpg endif
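Review bot: nothing in the new BR2_PACKAGE_OPKG_OPENSSL_SIGN entry in package/opkg/Config.in prevents it from being enabled together with BR2_PACKAGE_OPKG_GPG_SIGN, and the `else ifeq` chain in opkg.mk only reaches the OpenSSL branch when the preceding GPG branch is not taken, so with both set the OpenSSL choice is silently ignored. Consider `depends on !BR2_PACKAGE_OPKG_GPG_SIGN`, or turn the two options into a choice. In the help text, the example command writes `--nodetach` with two dashes while every other option uses one; the openssl smime option is `-nodetach`. The help should also say that upstream opkg marks OpenSSL signature checking as deprecated, per the configure.ac warning quoted in this thread, so that users selecting it know it is scheduled for removal.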
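Review bot: the new `else ifeq ($(BR2_PACKAGE_OPKG_OPENSSL_SIGN),y)` branch in package/opkg/opkg.mk passes `--enable-openssl` but adds nothing to OPKG_DEPENDENCIES, unlike the GPG lines just above it (`OPKG_DEPENDENCIES += libgpgme libgpg-error`). Add `OPKG_DEPENDENCIES += openssl` in this branch so the library is staged before opkg is configured. The final `else` branch could also pass `--disable-openssl` next to `--disable-gpg`, so that signature support is stated explicitly in every branch.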
OPKG supports either GPG or OpenSSL signature check. It is already possible
to enable in buildroot the check of GPG signatures. This patch adds similar
configuration to enable the OpenSSL signature checks.

Signed-off-by: Andreï V. FOMITCHEV-HERVIEU <andrei.fomitchevhervieu@getinge.com>
Change-Id: Id2c76b3cb39ba5eed5bd0bef7648f7970033b87b
---
 package/opkg/Config.in | 12 ++++++++++++
 package/opkg/opkg.mk   |  2 ++
 2 files changed, 14 insertions(+)