build: separate signing logic
authorPaul Spooren <mail@aparcar.org>
Tue, 24 Sep 2019 22:32:54 +0000 (12:32 -1000)
committerJohn Crispin <john@phrozen.org>
Mon, 21 Oct 2019 12:06:42 +0000 (14:06 +0200)
This separates the options for signature creation and verification

* SIGNED_PACKAGES create Packages.sig
* SIGNED_IMAGES add ucert signature to created images
* CHECK_SIGNATURE add verification capabilities to images
* INSTALL_LOCAL_KEY add local key-build to /etc/opkg/keys

Right now the buildbot.git contains some hacks to create images that
have signature verification capabilities while not storing private keys
on buildbot slaves. This commit makes it possible to disable these steps on the
buildbots and to perform signing only on the master.

Signed-off-by: Paul Spooren <mail@aparcar.org>
config/Config-build.in
include/image-commands.mk
package/base-files/Makefile

index 872e5c12abb42602cb195cf0cd12a38e66c34ab8..c6591708a20a50947663dce86ae29259b59d6bed 100644 (file)
@@ -37,13 +37,21 @@ menu "Global build settings"
                  - Enabling per-device rootfs support
                  ...
 
+       config INSTALL_LOCAL_KEY
+               bool "Install local usign key into image"
+               default n
+
        config SIGNED_PACKAGES
                bool "Cryptographically signed package lists"
-               default y
+               default n
+
+       config SIGNED_IMAGES
+               bool "Cryptographically signed firmware images"
+               default n
 
        config SIGNATURE_CHECK
                bool "Enable signature checking in opkg"
-               default SIGNED_PACKAGES
+               default y
 
        comment "General build options"
 
index 5dfd6a2c2fd464821081b7ffc1070b9f8ada7ca8..3d10b18bc82fc8b7faecd527c86ef988100db52c 100644 (file)
@@ -373,11 +373,14 @@ metadata_json = \
 
 define Build/append-metadata
        $(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
-       [ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
-               cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
-               usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
-               ucert -A -c "$@.ucert" -x "$@.sig" ;\
-               fwtool -S "$@.ucert" "$@" ;\
+       [ -z "$(SIGNED_IMAGES)" \
+               -o ! -s "$(BUILD_KEY)" \
+               -o ! -s "$(BUILD_KEY).ucert" \
+               -o ! -s "$@" ] || { \
+                       cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
+                       usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
+                       ucert -A -c "$@.ucert" -x "$@.sig" ;\
+                       fwtool -S "$@.ucert" "$@" ;\
        }
 endef
 
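Review bot: The new guard at the top of the condition tests `$(SIGNED_IMAGES)`, but the Kconfig symbol reaches the Makefiles as `CONFIG_SIGNED_IMAGES`, which is the form the rest of this commit uses (`ifdef CONFIG_SIGNED_PACKAGES`, `ifdef CONFIG_INSTALL_LOCAL_KEY` in package/base-files/Makefile). Unless SIGNED_IMAGES is derived from the CONFIG_ symbol somewhere not shown here, `-z` is always true and the `||` branch is always skipped, so images are silently never signed even with the option enabled; the fix is `[ -z "$(CONFIG_SIGNED_IMAGES)" \`. Since a missing key or certificate also skips signing without a word, consider adding an `echo "$@: signing skipped" >&2` on the skip path so a build that was meant to produce signed images does not pass unnoticed.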
index f105d2cd2768ad19221ef07b25842da77a78424c..588c958f80a0a5da199a3b1bae8df8e147d1a251 100644 (file)
@@ -37,7 +37,7 @@ endif
 define Package/base-files
   SECTION:=base
   CATEGORY:=Base system
-  DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign +SIGNED_PACKAGES:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool
+  DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNATURE_CHECK:usign +SIGNATURE_CHECK:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool
   TITLE:=Base filesystem for OpenWrt
   URL:=http://openwrt.org/
   VERSION:=$(PKG_RELEASE)-$(REVISION)
@@ -116,12 +116,6 @@ ifdef CONFIG_SIGNED_PACKAGES
                $(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY)
 
   endef
-
-  define Package/base-files/install-key
-       mkdir -p $(1)/etc/opkg/keys
-       $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub`
-
-  endef
 endif
 
 ifeq ($(CONFIG_NAND_SUPPORT),)
@@ -130,9 +124,16 @@ ifeq ($(CONFIG_NAND_SUPPORT),)
   endef
 endif
 
+ifdef CONFIG_INSTALL_LOCAL_KEY
+  define Package/base-files/install-local-key
+       mkdir -p $(1)/etc/opkg/keys
+       $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign \
+               -F -p $(BUILD_KEY).pub`
+endef
+
 define Package/base-files/install
        $(CP) ./files/* $(1)/
-       $(Package/base-files/install-key)
+       $(Package/base-files/install-local-key)
        $(Package/base-files/nand-support)
        if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
                $(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
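Review bot: The `ifdef CONFIG_INSTALL_LOCAL_KEY` opened in the last hunk is never closed: the define ends with `endef` and the hunk goes straight on to `define Package/base-files/install`, and the new-side line count (16) leaves no room for an `endif` in this hunk. If no `endif` follows later in the file make will abort with "missing endif"; if one does, the whole install define is conditional on INSTALL_LOCAL_KEY, which is worse. The intended shape is `  endef` followed by `endif` right after the local-key define, mirroring the CONFIG_SIGNED_PACKAGES block above. The install define itself continues past the end of the hunk. Separately, moving the usign dependency in the first hunk to SIGNATURE_CHECK is right, but it means a key installed by INSTALL_LOCAL_KEY is dead weight when SIGNATURE_CHECK is off; worth stating in the option's help.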