@@ -37,13 +37,21 @@ menu "Global build settings"
- Enabling per-device rootfs support
...
+ config INSTALL_LOCAL_KEY
+ bool "Install local usign key into image"
+ default y if !BUILDBOT
+
config SIGNED_PACKAGES
bool "Cryptographically signed package lists"
- default y
+ default y if !BUILDBOT
+
+ config SIGNED_IMAGES
+ bool "Cryptographically signed firmware images"
+ default y if !BUILDBOT
config SIGNATURE_CHECK
bool "Enable signature checking in opkg"
- default SIGNED_PACKAGES
+ default y
comment "General build options"
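Review bot: INSTALL_LOCAL_KEY and SIGNED_IMAGES can both be enabled while SIGNED_PACKAGES is off, yet the key pair is only generated under the `ifneq ($(CONFIG_SIGNED_PACKAGES),)` guard in package/base-files/Makefile, so the Package/base-files/install-local-key recipe in that file would then try to copy a $(BUILD_KEY).pub that was never created, and Build/append-metadata would quietly skip signing for lack of a key. Adding `depends on SIGNED_PACKAGES` under `config INSTALL_LOCAL_KEY` (and under `config SIGNED_IMAGES`) keeps the options from being selectable without a key; the alternative is to gate key generation on any of the three options rather than on SIGNED_PACKAGES alone. The new and changed options also carry no `help` text; a one-line description per option of which artefact gets signed or which file lands in the image would make the buildbot split understandable from menuconfig. Part of this hunk appears elided (the `...` line), so the context between the two blocks is not visible here.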
@@ -373,11 +373,14 @@ metadata_json = \
define Build/append-metadata
$(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
- [ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
- cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
- usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
- ucert -A -c "$@.ucert" -x "$@.sig" ;\
- fwtool -S "$@.ucert" "$@" ;\
+ [ -z "$(SIGNED_IMAGES)" \
+ -o ! -s "$(BUILD_KEY)" \
+ -o ! -s "$(BUILD_KEY).ucert" \
+ -o ! -s "$@" ] || { \
+ cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
+ usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
+ ucert -A -c "$@.ucert" -x "$@.sig" ;\
+ fwtool -S "$@.ucert" "$@" ;\
}
endef
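Review bot: The new guard tests `$(SIGNED_IMAGES)`, while the other hunks in this series read the same options with the `CONFIG_` prefix (`$(CONFIG_SIGNED_PACKAGES)`, `$(CONFIG_INSTALL_LOCAL_KEY)`); unless SIGNED_IMAGES is assigned from CONFIG_SIGNED_IMAGES somewhere outside this diff, the `-z` test is always true and every image is silently left unsigned, which the option's own default (y outside BUILDBOT) clearly does not intend. The first line of the test should read `[ -z "$(CONFIG_SIGNED_IMAGES)" \`. Separately, when the option is on but $(BUILD_KEY) or its .ucert is missing, the recipe still exits 0 and emits an unsigned image; failing the build in that case, or at least printing a warning that names the missing file, would surface a misconfigured signing setup at build time rather than on the device.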
@@ -37,7 +37,7 @@ endif
define Package/base-files
SECTION:=base
CATEGORY:=Base system
- DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign +SIGNED_PACKAGES:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool
+ DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNATURE_CHECK:usign +SIGNATURE_CHECK:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool
TITLE:=Base filesystem for OpenWrt
URL:=http://openwrt.org/
VERSION:=$(PKG_RELEASE)-$(REVISION)
@@ -107,7 +107,7 @@ define Build/Compile/Default
endef
Build/Compile = $(Build/Compile/Default)
-ifdef CONFIG_SIGNED_PACKAGES
+ifneq ($(CONFIG_SIGNED_PACKAGES),)
define Build/Configure
[ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
$(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"
@@ -116,12 +116,6 @@ ifdef CONFIG_SIGNED_PACKAGES
$(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY)
endef
-
- define Package/base-files/install-key
- mkdir -p $(1)/etc/opkg/keys
- $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub`
-
- endef
endif
ifeq ($(CONFIG_NAND_SUPPORT),)
@@ -130,9 +124,17 @@ ifeq ($(CONFIG_NAND_SUPPORT),)
endef
endif
+ifneq ($(CONFIG_INSTALL_LOCAL_KEY),)
+ define Package/base-files/install-local-key
+ mkdir -p $(1)/etc/opkg/keys
+ $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign \
+ -F -p $(BUILD_KEY).pub`
+ endef
+endif
+
define Package/base-files/install
$(CP) ./files/* $(1)/
- $(Package/base-files/install-key)
+ $(Package/base-files/install-local-key)
$(Package/base-files/nand-support)
if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
$(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
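Review bot: In Package/base-files/install-local-key the destination filename comes from a backtick `usign -F` call; if that command fails the substitution is empty, `$(CP)` drops the public key into $(1)/etc/opkg/keys/ under its original basename (where a fingerprint-named lookup presumably will not find it), and the recipe still exits 0. Capturing the fingerprint first and chaining with `&&` makes the failure visible: `fp=$$($(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub) && \` / `mkdir -p $(1)/etc/opkg/keys && \` / `$(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/$$fp`. The same pattern existed in the removed install-key define, so this is carried over rather than introduced, but the rename is a good moment to fix it.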
* SIGNED_PACKAGES create Packages.sig * SIGNED_IMAGES add ucert signature to created images * SIGNATURE_CHECK add verification capabilities to images * INSTALL_LOCAL_KEY add local key-build to /etc/opkg/keys Right now the buildbot.git contains some hacks to create images that have signature verification capabilities while not storing private keys on buildbot slaves. This commit allows disabling these steps for the buildbots and only performing signing on the master. Signed-off-by: Paul Spooren <mail@aparcar.org> --- v4: replace ifdef with ifneq - Makefile magic -ifdef CONFIG_SIGNED_PACKAGES +ifneq ($(CONFIG_SIGNED_PACKAGES),) config/Config-build.in | 12 ++++++++++-- include/image-commands.mk | 13 ++++++++----- package/base-files/Makefile | 20 +++++++++++--------- 3 files changed, 29 insertions(+), 16 deletions(-)