From patchwork Mon Aug 24 15:07:40 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Baptiste Jonglez
X-Patchwork-Id: 1350437
X-Patchwork-Delegate: daniel@makrotopia.org
From: Baptiste Jonglez
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH opkg] opkg: allow to configure the path to the signature verification script
Date: Mon, 24 Aug 2020 17:07:40 +0200
Message-Id: <20200824150740.450363-1-baptiste@bitsofnetworks.org>
X-Mailer: git-send-email 2.27.0
List-Id: OpenWrt Development List
Cc: Baptiste Jonglez

From: Baptiste Jonglez Currently, package index signatures are only checked when opkg runs on the OpenWrt device. The verification script is hard-coded to a path in /usr/sbin/. Making this path configurable is a first step to implement signature verification in host builds of opkg (e.g. in the imagebuilder). Signed-off-by: Baptiste Jonglez Acked-by: Paul Spooren --- libopkg/opkg_conf.c | 4 ++++ libopkg/opkg_conf.h | 3 +++ libopkg/opkg_download.c | 2 +- src/opkg-cl.c | 8 ++++++++ 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c index 08855eb..38703ee 100644 --- a/libopkg/opkg_conf.c +++ b/libopkg/opkg_conf.c @@ -72,6 +72,7 @@ opkg_option_t options[] = { {"size", OPKG_OPT_TYPE_BOOL, &_conf.size}, {"tmp_dir", OPKG_OPT_TYPE_STRING, &_conf.tmp_dir}, {"verbosity", OPKG_OPT_TYPE_INT, &_conf.verbosity}, + {"verify_program", OPKG_OPT_TYPE_STRING, &_conf.verify_program}, {NULL, 0, NULL} }; @@ -572,6 +573,9 @@ int opkg_conf_load(void) if (conf->lists_dir == NULL) conf->lists_dir = xstrdup(OPKG_CONF_LISTS_DIR); + if (conf->verify_program == NULL) + conf->verify_program = xstrdup(OPKG_CONF_DEFAULT_VERIFY_PROGRAM); + if (conf->offline_root) { sprintf_alloc(&tmp, "%s/%s", conf->offline_root, conf->lists_dir); diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h index 37f95a1..91190b3 100644 --- a/libopkg/opkg_conf.h +++ b/libopkg/opkg_conf.h @@ -35,6 +35,8 @@ extern opkg_conf_t *conf; #define OPKG_CONF_DEFAULT_CONF_FILE_DIR OPKGETCDIR"/opkg" +#define OPKG_CONF_DEFAULT_VERIFY_PROGRAM "/usr/sbin/opkg-key" + /* In case the config file defines no dest */ #define OPKG_CONF_DEFAULT_DEST_NAME "root" #define OPKG_CONF_DEFAULT_DEST_ROOT_DIR "/" @@ -85,6 +87,7 @@ struct opkg_conf { char *overlay_root; int query_all; int verbosity; + char *verify_program; int noaction; int size; int download_only; diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c index e970506..7bbf34b 100644 --- a/libopkg/opkg_download.c 
+++ b/libopkg/opkg_download.c @@ -298,7 +298,7 @@ int opkg_prepare_url_for_install(const char *url, char **namep) int opkg_verify_file(char *text_file, char *sig_file) { #if defined HAVE_USIGN - const char *argv[] = { "/usr/sbin/opkg-key", "verify", sig_file, + const char *argv[] = { conf->verify_program, "verify", sig_file, text_file, NULL }; return xsystem(argv) ? -1 : 0; diff --git a/src/opkg-cl.c b/src/opkg-cl.c index 40a7502..01c6e94 100644 --- a/src/opkg-cl.c +++ b/src/opkg-cl.c @@ -53,6 +53,7 @@ enum { ARGS_OPT_CACHE, ARGS_OPT_FORCE_SIGNATURE, ARGS_OPT_NO_CHECK_CERTIFICATE, + ARGS_OPT_VERIFY_PROGRAM, ARGS_OPT_SIZE, }; @@ -109,6 +110,8 @@ static struct option long_options[] = { {"lists-dir", 1, 0, 'l'}, {"lists_dir", 1, 0, 'l'}, {"verbosity", 2, 0, 'V'}, + {"verify-program", 1, 0, ARGS_OPT_VERIFY_PROGRAM}, + {"verify_program", 1, 0, ARGS_OPT_VERIFY_PROGRAM}, {"version", 0, 0, 'v'}, {0, 0, 0, 0} }; @@ -232,6 +235,9 @@ static int args_parse(int argc, char *argv[]) case ARGS_OPT_NO_CHECK_CERTIFICATE: conf->no_check_certificate = 1; break; + case ARGS_OPT_VERIFY_PROGRAM: + conf->verify_program = xstrdup(optarg); + break; case ':': parse_err = -1; break; @@ -322,6 +328,8 @@ static void usage() printf(" directory name in a pinch).\n"); printf("\t-o Use as the root directory for\n"); printf("\t--offline-root offline installation of packages.\n"); + printf + ("\t--verify-program Use the given program to verify usign signatures\n"); printf ("\t--add-arch : Register architecture with given priority\n"); printf
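
Review bot: the new {"verify_program", OPKG_OPT_TYPE_STRING, &_conf.verify_program} entry in options[] (libopkg/opkg_conf.c, first hunk) makes the verifier selectable from the configuration file, and opkg_verify_file() trusts its exit status alone (xsystem(argv) ? -1 : 0). Whoever can write the opkg configuration can therefore point index verification at a program that always exits 0. Say so in the commit message or the option documentation, and consider accepting the override only from the command line if the host-build use case does not need the config-file form.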
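
Review bot: in the opkg_conf_load() hunk (libopkg/opkg_conf.c, second hunk) the default is filled in just before the conf->offline_root block that prefixes lists_dir with the offline root, but verify_program is left unprefixed. That is presumably intended, since the verifier has to run on the host, but a short comment should say so, so that nobody later prepends offline_root and ends up executing a binary from the target tree.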
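
Review bot: in opkg_verify_file() (libopkg/opkg_download.c), conf->verify_program is used as argv[0] with no NULL check, and the only place it receives its default is opkg_conf_load(). A caller that reaches this function before the configuration has been loaded passes an argv whose first element is NULL, which is an empty argument vector; what xsystem() returns for that is not visible in this patch. Fall back to OPKG_CONF_DEFAULT_VERIFY_PROGRAM here, or return -1 explicitly when the pointer is NULL, so the failure mode is a rejected signature rather than whatever xsystem() happens to do.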
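
Review bot: case ARGS_OPT_VERIFY_PROGRAM in args_parse() (src/opkg-cl.c) stores xstrdup(optarg) without any validation, so an empty string or a relative name becomes argv[0] of the verifier call as-is, and a repeated --verify-program leaks the earlier copy. Reject values that are not absolute paths (or document whether a PATH lookup is intended), free any previous value before assigning, and state whether the command line or the verify_program config option wins when both are set.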
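
Review bot: the --verify-program line added to usage() (src/opkg-cl.c, last hunk) does not tell the user what the program must do. Mention the default (/usr/sbin/opkg-key) and the calling convention visible in opkg_verify_file(): the program is invoked with the arguments verify, the signature file and the text file, and an exit status of zero is treated as a valid signature.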