package/dehydrated: new package

Message ID 20180618121309.10606-1-arnout@mind.be
State Accepted

Commit Message

Arnout Vandecappelle June 18, 2018, 12:13 p.m. UTC
dehydrated is an ACME client written in bash. It should be able to run
under zsh as well, but this hasn't been tested so it isn't enabled for
now.

Normally, we would want an init script to start dehydrated, and an
example configuration file. However, it is very difficult to do this
in a generic way in Buildroot:
- we normally don't have cron running;
- we have no standard location for webroot;
- we have no standard location for certificates;
- we have no standard way to restart/reload the webserver.
So instead, provide brief documentation of how to use dehydrated in the
help text.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
In the hash file, I made a little (IMO) improvement of how we typically
handle things: in addition to the URL of the signature file, I also
added the PGP fingerprint and the URL where I got the key. This
establishes a kind of informal TOFU approach: when someone updates the
package, they can verify that it was signed with the same key, or (if
the key is renewed by then) check on keybase if it really is the same
person. Without this, an adversary could just upload a tarball and
signature with some different key and nobody would be any wiser.
---
 DEVELOPERS                         |  1 +
 package/Config.in                  |  1 +
 package/dehydrated/Config.in       | 33 ++++++++++++++++++++++++++++++
 package/dehydrated/dehydrated.hash |  6 ++++++
 package/dehydrated/dehydrated.mk   | 18 ++++++++++++++++
 5 files changed, 59 insertions(+)
 create mode 100644 package/dehydrated/Config.in
 create mode 100644 package/dehydrated/dehydrated.hash
 create mode 100644 package/dehydrated/dehydrated.mk

Comments

Thomas Petazzoni June 26, 2018, 9:39 p.m. UTC | #1
Hello,

On Mon, 18 Jun 2018 14:13:09 +0200, Arnout Vandecappelle
(Essensium/Mind) wrote:
> dehydrated is an ACME client written in bash. It should be able to run
> under zsh as well, but this hasn't been tested so it isn't enabled for
> now.
> 
> Normally, we would want an init script to start dehydrated, and an
> example configuration file. However, it is very difficult to do this
> in a generic way in Buildroot:
> - we normally don't have cron running;
> - we have no standard location for webroot;
> - we have no standard location for certificates;
> - we have no standard way to restart/reload the webserver.
> So instead, provide brief documentation of how to use dehydrated in the
> help text.
> 
> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

Applied, thanks.

> In the hash file, I made a little (IMO) improvement of how we typically
> handle things: in addition to the URL of the signature file, I also
> added the PGP fingerprint and the URL where I got the key. This
> establishes a kind of informal TOFU approach: when someone updates the
> package, they can verify that it was signed with the same key, or (if
> the key is renewed by then) check on keybase if it really is the same
> person. Without this, an adversary could just upload a tarball and
> signature with some different key and nobody would be any wiser.

This looks interesting to me, but I'm a bit worried about the additional
complexity for newcomers who are adding new packages or updating
existing packages. It is not easy to understand how to do all this PGP
verification, and the overall reasoning behind storing those details in
the .hash file. Of course, when you understand PGP and have a bit of
a security mindset, it all makes sense, but for newcomers, it may not
be that trivial. Not necessarily a reason not to do it, but it's worth
considering this aspect.

Best regards,

Thomas
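
The pinned-key check discussed in this thread, as an added example that is not part of the patch or of Buildroot: it reads the fingerprint from the "# with key ... from ..." comment of a .hash file and accepts a signature only if gpg's machine-readable status output reports GOODSIG together with a VALIDSIG line naming that fingerprint. The function names are hypothetical, and the signer's key is assumed to be already imported into the local keyring.

```shell
#!/bin/sh
# Added example: verify that a release signature comes from the key pinned in
# a Buildroot .hash comment ("# with key <40-hex fingerprint> from <url>").

# Print the fingerprint pinned in the .hash file given as $1 (first match).
pinned_fpr() {
	sed -n 's/^# with key \([0-9A-Fa-f]\{40\}\) from .*/\1/p' "$1" | head -n 1
}

# $1 = .hash file, stdin = output of `gpg --status-fd 1 --verify`.
# Succeeds only if gpg reported GOODSIG and a VALIDSIG whose signing-key
# fingerprint (field 3) or primary-key fingerprint (field 12, present when a
# subkey signed) equals the pinned one. Requiring GOODSIG rejects signatures
# that gpg reports under a different status, e.g. EXPKEYSIG or REVKEYSIG.
signed_by_pinned_key() {
	want=$(pinned_fpr "$1" | tr 'a-f' 'A-F')
	[ -n "$want" ] || { echo "no pinned fingerprint in $1" >&2; return 2; }
	awk -v want="$want" '
		$1 != "[GNUPG:]" { next }
		$2 == "GOODSIG"  { good = 1 }
		$2 == "VALIDSIG" && (toupper($3) == want || toupper($12) == want) { pinned = 1 }
		END { exit !(good && pinned) }'
}

# Usage: <this script> <package.hash> <tarball> <tarball.asc>
if [ "$#" -eq 3 ]; then
	if gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null | signed_by_pinned_key "$1"; then
		echo "OK: $2 is signed by the key pinned in $1"
	else
		echo "FAIL: $2 is not signed by the key pinned in $1" >&2
		exit 1
	fi
fi
```

A failure on a version bump means either a bad download or a changed signing key; in the second case the comment in the .hash file is what tells the updater where to confirm the new key.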
Patch

diff --git a/DEVELOPERS b/DEVELOPERS
index 07c24acb91..fdcbf8aa08 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -185,6 +185,7 @@  F:	package/espeak/
 
 N:	Arnout Vandecappelle <arnout@mind.be>
 F:	package/arp-scan/
+F:	package/dehydrated/
 F:	package/freescale-imx/firmware-imx/
 F:	package/freescale-imx/imx-lib/
 F:	package/gstreamer/gst-fsl-plugins/
diff --git a/package/Config.in b/package/Config.in
index a5ecfecbf9..19f4d60dd6 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1709,6 +1709,7 @@  menu "Networking applications"
 	source "package/cups-filters/Config.in"
 	source "package/dante/Config.in"
 	source "package/darkhttpd/Config.in"
+	source "package/dehydrated/Config.in"
 	source "package/dhcp/Config.in"
 	source "package/dhcpcd/Config.in"
 	source "package/dhcpdump/Config.in"
diff --git a/package/dehydrated/Config.in b/package/dehydrated/Config.in
new file mode 100644
index 0000000000..f14ae0f611
--- /dev/null
+++ b/package/dehydrated/Config.in
@@ -0,0 +1,33 @@ 
+config BR2_PACKAGE_DEHYDRATED
+	bool "dehydrated"
+	depends on BR2_USE_MMU # bash
+	select BR2_PACKAGE_BASH
+	select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS # bash
+	select BR2_PACKAGE_LIBCURL
+	select BR2_PACKAGE_CURL
+	select BR2_PACKAGE_OPENSSL
+	select BR2_PACKAGE_LIBOPENSSL_BIN if BR2_PACKAGE_LIBOPENSSL
+	select BR2_PACKAGE_LIBRESSL_BIN if BR2_PACKAGE_LIBRESSL
+	help
+	  Dehydrated is a client for signing certificates with an
+	  ACME-server (e.g. Let's Encrypt) implemented as a relatively
+	  simple (zsh-compatible) bash-script. This client supports
+	  both ACME v1 and the new ACME v2 including support for
+	  wildcard certificates!
+
+	  To use this script in Buildroot:
+	    - Create /etc/dehydrated/domains.txt
+	    - Make sure that "dehydrated -c" is called regularly, e.g.
+	      from cron.
+	    - Make sure /etc/dehydrated is writable.
+	    - Configure the webserver to export the WELLKNOWN directory
+	      (/var/www/dehydrated) as /.well-known/acme-challenge
+	    - Configure the webserver to use the certificates under
+	      /etc/dehydrated/certs/<domain>
+	    - Register a HOOK to reload the webserver after the
+	      certificates have been renewed.
+
+	  You probably need to install a custom /etc/dehydrated/config
+	  with the rootfs overlay.
+
+	  https://github.com/lukas2511/dehydrated
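Review bot: In the usage list of the help text, "Make sure /etc/dehydrated is writable" and the certificate path /etc/dehydrated/certs/<domain> come with no word on ownership or permissions, although this is the directory the webserver is told to read its certificates from. Suggest one more bullet saying that it should be writable only by the user that runs "dehydrated -c". Minor: the bullets are punctuated inconsistently, three of them end without a period.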
diff --git a/package/dehydrated/dehydrated.hash b/package/dehydrated/dehydrated.hash
new file mode 100644
index 0000000000..1d194e5a7d
--- /dev/null
+++ b/package/dehydrated/dehydrated.hash
@@ -0,0 +1,6 @@ 
+# Locally computed after verifying
+# https://github.com/lukas2511/dehydrated/releases/download/v0.6.2/dehydrated-0.6.2.tar.gz.asc
+# with key 3C2F2605E078A1E18F4793909C4DBE6CF438F333 from https://keybase.io/lukas2511
+sha256  163384479199f06f59382ceb6291a299567a2f4f0b963b9b61f2db65a407e80e  dehydrated-0.6.2.tar.gz
+# License, locally computed
+sha256  b4583b7dd07e3e2a08906de38e7e329d41f921ed9dcb6310b3886e013a6b8723  LICENSE
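Review bot: The comment above the tarball hash records the signature URL, the key fingerprint and where the key came from, but not what someone bumping the version is expected to do with them. Suggest one more comment line stating that on update the new .asc must verify against the same fingerprint, or the key change be confirmed via the keybase page, so the pinning is not silently lost when the comment is rewritten for the next release.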
diff --git a/package/dehydrated/dehydrated.mk b/package/dehydrated/dehydrated.mk
new file mode 100644
index 0000000000..b7de27a407
--- /dev/null
+++ b/package/dehydrated/dehydrated.mk
@@ -0,0 +1,18 @@ 
+################################################################################
+#
+# dehydrated
+#
+################################################################################
+
+DEHYDRATED_VERSION = 0.6.2
+DEHYDRATED_SITE = https://github.com/lukas2511/dehydrated/releases/download/v$(DEHYDRATED_VERSION)
+
+DEHYDRATED_LICENSE = MIT
+DEHYDRATED_LICENSE_FILES = LICENSE
+
+define DEHYDRATED_INSTALL_TARGET_CMDS
+	$(INSTALL) -D -m 0755 $(@D)/dehydrated $(TARGET_DIR)/usr/bin/dehydrated
+	$(INSTALL) -D -m 0644 $(@D)/docs/examples/config $(TARGET_DIR)/etc/dehydrated/config
+endef
+
+$(eval $(generic-package))
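Review bot: DEHYDRATED_INSTALL_TARGET_CMDS installs only the script and docs/examples/config, so the /var/www/dehydrated directory that the Config.in help names as WELLKNOWN does not exist on the target unless something else creates it. Either create it here with $(INSTALL) -d or add it to the help text's list of things the user has to set up. A short comment that the example config is installed as a default meant to be replaced through the rootfs overlay would also tie this line to the help text.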