ipkg-repository can now be signed using openssl. A signature for the
Packages file is created and stored in Packages.sig. On the target, opkg
can be configured to enforce verification of the Packages file (which in
turn contains hashes of each ipk file) by using an /etc/opkg/opkg.conf similar
to the following:
src myrepo http://server/ipkg-repository/mydistro/dists/mydistro-3
option check_signature
option signature_ca_path /var/keys
option signature_ca_file /var/keys/selfsigned.crt

Signed-off-by: George McCollister <[email protected]>
---
 platforms/image_ipkg.in    |   28 ++++++++++++++++++++++++++++
 rules/post/image_ipkg.make |   13 +++++++++++++
 2 files changed, 41 insertions(+), 0 deletions(-)

diff --git a/platforms/image_ipkg.in b/platforms/image_ipkg.in
index caafb24..20d01cc 100644
--- a/platforms/image_ipkg.in
+++ b/platforms/image_ipkg.in
@@ -24,6 +24,34 @@ config IMAGE_IPKG_FORCED_PUSH
          If this option is checked, this is done by default. This
          is most useful for development purposes.
 
+menuconfig IMAGE_IPKG_SIGN_OPENSSL
+       depends on IMAGE_IPKG_PUSH_TO_REPOSITORY
+       bool
+       select HOST_OPENSSL
+       prompt "sign ipkg-repository with openssl"
+       help
+         Use openssl to to sign the Packages file in the package
+         repository.
+
+
+if IMAGE_IPKG_SIGN_OPENSSL
+
+config IMAGE_IPKG_SIGN_OPENSSL_SIGNER
+       string
+       default ""
+       prompt "signer certificate file"
+       help
+         signer certificate file to pass to openssl for signing.
+
+config IMAGE_IPKG_SIGN_OPENSSL_KEY
+       string
+       default ""
+       prompt "private key file"
+       help
+         private key file to pass to openssl.
+
+endif
+
 config IMAGE_INSTALL_FROM_IPKG_REPOSITORY
        bool
        select IMAGE_IPKG_PUSH_TO_REPOSITORY
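Review bot: The help texts for IMAGE_IPKG_SIGN_OPENSSL_SIGNER and IMAGE_IPKG_SIGN_OPENSSL_KEY do not say what file format is expected or how the private key should be protected, and both options default to an empty string that nothing visible in this hunk rejects. I would extend the key help to something like `Path to the PEM private key used for signing. Keep it outside the project tree and readable only by the build user.` and state whether a passphrase-protected key is supported, since the signing rule in rules/post/image_ipkg.make passes no passphrase option to openssl. The IMAGE_IPKG_SIGN_OPENSSL help text also has a doubled word (`to to sign`).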
diff --git a/rules/post/image_ipkg.make b/rules/post/image_ipkg.make
index a375868..3588745 100644
--- a/rules/post/image_ipkg.make
+++ b/rules/post/image_ipkg.make
@@ -27,6 +27,19 @@ endif
                --dist     $(call 
remove_quotes,$(PTXCONF_PROJECT)$(PTXCONF_PROJECT_VERSION)) \
                --type     $(PTXCONF_HOST_PACKAGE_MANAGEMENT)
        @echo "ipkg-repository updated"
+ifdef PTXCONF_IMAGE_IPKG_SIGN_OPENSSL
+       @echo "signing Packages..."
+       openssl smime -sign \
+               -in 
$(PTXCONF_SETUP_IPKG_REPOSITORY)/$(PTXCONF_PROJECT)/dists/$(PTXCONF_PROJECT)$(PTXCONF_PROJECT_VERSION)/Packages
 \
+               -text -binary \
+               -signer $(PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_SIGNER) \
+               -inkey $(PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_KEY) | \
+               (echo -----BEGIN PKCS7----- ; \
+               sed -e '1,/^Content-Disposition:/d;/^-----/d;/^$$/d'; \
+               echo -----END PKCS7-----) > \
+               
$(PTXCONF_SETUP_IPKG_REPOSITORY)/$(PTXCONF_PROJECT)/dists/$(PTXCONF_PROJECT)$(PTXCONF_PROJECT_VERSION)/Packages.sig
+       @echo "Packages.sig created"
+endif
        @touch $@
 
 
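Review bot: A failing `openssl smime -sign` goes undetected in the added recipe, because its output is piped into a subshell whose last command is `echo -----END PKCS7-----`. Unless the recipe shell runs with pipefail (not visible in this hunk), the pipeline exits 0, a Packages.sig holding only the two marker lines is written, and "Packages.sig created" is printed. This also covers the case where the SIGNER or KEY option is left at its empty default. Letting openssl write the file itself, by adding `-outform PEM -out <repository path>/Packages.sig` to the call in place of the pipe and the sed wrapper, would make the recipe stop on error; confirm that opkg on the target still verifies the resulting file before switching. The enclosing rule starts above the hunk.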
-- 
1.7.1

