From: Daniel Dickinson <[email protected]> In order to make it easier to sign packages built with an SDK, we make signing-key a separate package from base-files, with a configuration option and variants (so that different builds can use different keys), which can be easily included in images with imagebuilder.
Signed-off-by: Daniel Dickinson <[email protected]> --- config/Config-build.in | 5 +++ package/base-files/Makefile | 20 +--------- package/signing-key/Makefile | 95 ++++++++++++++++++++++++++++++++++++++++++++ rules.mk | 3 +- 4 files changed, 104 insertions(+), 19 deletions(-) create mode 100644 package/signing-key/Makefile diff --git a/config/Config-build.in b/config/Config-build.in index 2523a18..5867f53 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -18,6 +18,11 @@ menu "Global build settings" bool "Cryptographically signed package lists" default y + config BUILD_KEY_TYPE + string + prompt "Name for build key with signed package lists" + depends on SIGNED_PACKAGES + comment "General build options" config DISPLAY_SUPPORT diff --git a/package/base-files/Makefile b/package/base-files/Makefile index bf32f63..d1d6da1 100644 --- a/package/base-files/Makefile +++ b/package/base-files/Makefile @@ -17,8 +17,6 @@ PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/ PKG_BUILD_DEPENDS:=usign/host PKG_LICENSE:=GPL-2.0 -PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES - include $(INCLUDE_DIR)/package.mk ifneq ($(DUMP),1) @@ -31,7 +29,7 @@ endif define Package/base-files SECTION:=base CATEGORY:=Base system - DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign +fstools + DEPENDS:=+netifd +libc +procd +jsonfilter +fstools +SIGNED_PACKAGES:signing-key-$(BUILD_KEY_TYPE) TITLE:=Base filesystem for OpenWrt URL:=http://openwrt.org/ VERSION:=$(PKG_RELEASE)-$(REVISION) 
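Review bot: `BUILD_KEY_TYPE` is declared without a `default`, so a build that enables SIGNED_PACKAGES and leaves the prompt blank gets an empty string. The rules.mk hunk of this patch then expands `BUILD_KEY` to `$(TOPDIR)/key-` and base-files asks for `signing-key-`, neither of which looks intended. I would add a default such as `default "base"` (the value package/signing-key/Makefile treats as the non-SDK case). I would also add a `help` text saying the name becomes part of a key file name and a package name, so it should be one short word of letters, digits, `-` or `_`. The enclosing menu continues outside the hunk.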
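Review bot: The new dependency `+SIGNED_PACKAGES:signing-key-$(BUILD_KEY_TYPE)` names a package that package/signing-key/Makefile in this same patch defines only when the type is not `base`, and that variant carries `@IN_SDK`. The non-SDK package is called plain `signing-key`, so a regular build with type `base` would depend on `signing-key-base`, which does not appear to exist. If the dependency is dropped or unresolved, the image ships without the public key in /etc/opkg/keys and signed package lists cannot be verified on the device. Something like `+SIGNED_PACKAGES:signing-key$(if $(filter-out base,$(BUILD_KEY_TYPE)),-$(BUILD_KEY_TYPE))` would match the names the new Makefile actually builds. The `define Package/base-files` block continues outside the hunk.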
@@ -90,25 +88,11 @@ endef define Build/Compile/Default endef -Build/Compile = $(Build/Compile/Default) - -ifdef CONFIG_SIGNED_PACKAGES - define Build/Configure - [ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \ - $(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key" - - endef - define Package/base-files/install-key - mkdir -p $(1)/etc/opkg/keys - $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub` - - endef -endif +Build/Compile = $(Build/Compile/Default) define Package/base-files/install $(CP) ./files/* $(1)/ - $(Package/base-files/install-key) if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \ $(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \ fi diff --git a/package/signing-key/Makefile b/package/signing-key/Makefile new file mode 100644 index 0000000..1ac2996 --- /dev/null +++ b/package/signing-key/Makefile 
@@ -0,0 +1,95 @@ +# +# Copyright (C) 2007-2015 OpenWrt.org +# Copyright (C) 2010 Vertical Communications +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +ifneq ($(DUMP),) + -include $(TOPDIR)/.config +endif +include $(TOPDIR)/rules.mk + +PKG_NAME:=signing-key +PKG_VERSION:=1.0 +PKG_RELEASE:=1 + +PKG_BUILD_DEPENDS:=usign/host +PKG_LICENSE:=GPL-2.0 + +PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES +PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_KEY_TYPE) + +include $(INCLUDE_DIR)/package.mk + +# Cheat and use VARIANT so we can have package names which +# are different from the subdirectory / PKG_NAME + +define Package/signing-key/Default + SECTION:=base + CATEGORY:=Base system + DEPENDS:=+usign + TITLE:=Signing key when using signed package lists + URL:=http://openwrt.org/ +endef + +define Package/signing-key +$(call Package/signing-key/Default) + DEPENDS+=@!IN_SDK + TITLE+= (base key) + VARIANT:=base +endef + +ifneq ($(BUILD_KEY_TYPE),base) +define Package/signing-key-$(BUILD_KEY_TYPE) +$(call Package/signing-key/Default) + DEPENDS+=@IN_SDK + TITLE+= ($(BUILD_KEY_TYPE) key) + VARIANT:=$(BUILD_KEY_TYPE) +endef +endif + +define Package/signing-key/description + This package contains the opkg signing key for the base build when using signed package lists +endef + +ifneq ($(BUILD_KEY_TYPE),base) +define Package/signing-key-$(BUILD_KEY_TYPE)/description + This package contains the opkg signing key for the $(BUILD_KEY_TYPE) build when using signed package lists +endef +endif + +define Build/Prepare + true +endef + +define Build/Configure + [ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \ + $(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local $(BUILD_KEY_TYPE) build key" +endef + +define Build/Compile + echo "Placeholder for log file" +endef + +define Package/signing-key/install/Default + $(INSTALL_DIR) $(1)/etc/opkg/keys + $(CP) $(BUILD_KEY).pub 
$(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub` +endef + +define Package/signing-key/install +$(call Package/signing-key/install/Default,$(1),$(2)) +endef + +ifneq ($(BUILD_KEY_TYPE),base) +define Package/signing-key-$(BUILD_KEY_TYPE)/install +$(call Package/signing-key/install/Default,$(1),$(2)) +endef +endif + +$(eval $(call BuildPackage,signing-key)) +ifneq ($(BUILD_KEY_TYPE),base) +$(eval $(call BuildPackage,signing-key-$(BUILD_KEY_TYPE))) +endif + diff --git a/rules.mk b/rules.mk index eb5665d..09aff9b 100644 --- a/rules.mk +++ b/rules.mk @@ -211,7 +211,8 @@ else TARGET_NM:=$(TARGET_CROSS)nm endif -BUILD_KEY=$(TOPDIR)/key-build +BUILD_KEY_TYPE:=$(call qstrip,$(CONFIG_BUILD_KEY_TYPE)) +BUILD_KEY=$(TOPDIR)/key-$(BUILD_KEY_TYPE) TARGET_CC:=$(TARGET_CROSS)gcc TARGET_CXX:=$(TARGET_CROSS)g++ -- 2.4.3 _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
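Review bot: In `Build/Configure` the guard `[ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || usign -G ...` runs key generation whenever either file is missing or empty. A tree that still has the secret key but has lost the `.pub` would therefore, as far as the recipe shows, get a fresh pair written over the existing secret key, with no message. The secret key is also created under the caller's umask, and the paths are unquoted although they now contain a user-supplied name. I would generate only when neither file exists, fail loudly on a half-present pair, create the secret key with a restrictive mode, and quote the paths, as sketched below. The same quoting applies to the `$(CP)` line in `Package/signing-key/install/Default`.

```make
define Build/Configure
	if [ -s "$(BUILD_KEY)" ] && [ -s "$(BUILD_KEY).pub" ]; then \
		: ; \
	elif [ -e "$(BUILD_KEY)" ] || [ -e "$(BUILD_KEY).pub" ]; then \
		echo "Incomplete key pair at $(BUILD_KEY); refusing to overwrite" >&2; \
		exit 1; \
	else \
		( umask 077; $(STAGING_DIR_HOST)/bin/usign -G -s "$(BUILD_KEY)" \
			-p "$(BUILD_KEY).pub" -c "Local $(BUILD_KEY_TYPE) build key" ) && \
		chmod 644 "$(BUILD_KEY).pub"; \
	fi
endef
# … unchanged: Build/Compile, install rules, BuildPackage calls …
```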
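Review bot: Changing `BUILD_KEY` from `$(TOPDIR)/key-build` to `$(TOPDIR)/key-$(BUILD_KEY_TYPE)` means an existing tree stops using its current key pair unless the type happens to be `build`. The next build then generates a new key, and devices that trust only the old public key will reject the new package lists. That deserves a line in the commit message, or a fallback to the old file name when it is present. Separately, `BUILD_KEY_TYPE` is only `qstrip`ped before it is pasted into a path and a shell recipe, so a value with `/` or whitespace changes where the secret key is written. A guard such as `$(if $(findstring /,$(BUILD_KEY_TYPE)),$(error BUILD_KEY_TYPE must not contain '/'))` next to the assignment would catch that at parse time. The surrounding `else`/`endif` block starts outside the hunk.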
