diff mbox series

[v2] imagebuilder: add package signature verification

Message ID 20200916012457.1748220-1-mail@aparcar.org
State New
Headers show
Series [v2] imagebuilder: add package signature verification | expand

Commit Message

Paul Spooren Sept. 16, 2020, 1:24 a.m. UTC
The ImageBuilder downloads pre-built packages and adds them to images.
This process uses `opkg` which has the capability to verify package list
signatures via `usign`, as enabled per default on running OpenWrt

Until now this was disabled for ImageBuilders because neither the `opkg`
keys nor the `opkg-add` script was present during first packagelist

To harden the ImageBuilder against *drive-by-download-attacks* both keys
and verification script are added to the ImageBuilder allowing `opkg` to
verify downloaded package indices.

This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys
folder is added to ImageBuilder $TOPDIR to have an obvious place for users to
store their own keys. The `option check_signature` is appended to the
repositories.conf file. All of the above only happens if the Buildbot
runs with the SIGNATURE_CHECK option.

The keys stored in the ImageBuilder keys/ folder are the same as stored
within images in `/etc/opkg/keys`.

To allow a local package feed in which the user can add additional
packages, the local *imagebuilder* feed is set to `src/trusted` which
skips signature verification only on this particular feed.

Signed-off-by: Paul Spooren <mail@aparcar.org>
 target/imagebuilder/Makefile       | 10 +++++++++-
 target/imagebuilder/files/Makefile |  2 ++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff mbox series


diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile
index ad19ab2b53..0cdc1f4d93 100644
--- a/target/imagebuilder/Makefile
+++ b/target/imagebuilder/Makefile
@@ -42,7 +42,7 @@  endif
 	echo ''                                                        >> $(PKG_BUILD_DIR)/repositories.conf
 	echo '## This is the local package repository, do not remove!' >> $(PKG_BUILD_DIR)/repositories.conf
-	echo 'src imagebuilder file:packages'                          >> $(PKG_BUILD_DIR)/repositories.conf
+	echo 'src/trusted imagebuilder file:packages'                  >> $(PKG_BUILD_DIR)/repositories.conf
 	$(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf
@@ -57,6 +57,14 @@  else
 	find $(wildcard $(PACKAGE_SUBDIRS)) -type f -name '*.ipk' -exec $(CP) {} $(PKG_BUILD_DIR)/packages/ \;
+	echo ''                                                        >> $(PKG_BUILD_DIR)/repositories.conf
+	echo 'option check_signature'                                  >> $(PKG_BUILD_DIR)/repositories.conf
+	$(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/
+	$(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key $(PKG_BUILD_DIR)/scripts/
 	$(CP) $(TOPDIR)/target/linux $(PKG_BUILD_DIR)/target/
 	if [ -d $(TOPDIR)/staging_dir/host/lib/grub ]; then \
 		$(CP) $(TOPDIR)/staging_dir/host/lib/grub/ $(PKG_BUILD_DIR)/staging_dir/host/lib; \
diff --git a/target/imagebuilder/files/Makefile b/target/imagebuilder/files/Makefile
index 27d3cfa8df..56b70f16b5 100644
--- a/target/imagebuilder/files/Makefile
+++ b/target/imagebuilder/files/Makefile
@@ -64,8 +64,10 @@  help: FORCE
 # override variables from rules.mk
 LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR)
+export OPKG_KEYS:=$(TOPDIR)/keys
 OPKG:=$(call opkg,$(TARGET_DIR)) \
 	-f $(TOPDIR)/repositories.conf \
+	--verify-program $(SCRIPT_DIR)/opkg-key \
 	--cache $(DL_DIR) \
 	--lists-dir $(LISTS_DIR)