Added an option to enable signature checking of repositories on the target. When this option is selected, opkg.conf is modified to turn on check_signature.
If PTXCONF_IMAGE_IPKG_SIGN_OPENSSL is defined, install certificate for the repository signer to /etc/ssl/certs/opkg.crt. Added CHECKSIG, CAPATH and CAFILE to the opkg.conf template. Define CHECKSIG, CAPATH and CAFILE as empty strings in ptxd_make_image_prepare_work_dir.sh
Signed-off-by: George McCollister <[email protected]>
---
generic/etc/opkg/opkg.conf | 4 ++++
rules/opkg.in | 11 +++++++++++
rules/opkg.make | 19 +++++++++++++++++++
scripts/lib/ptxd_make_image_prepare_work_dir.sh | 3 +++
4 files changed, 37 insertions(+), 0 deletions(-)
diff --git a/generic/etc/opkg/opkg.conf b/generic/etc/opkg/opkg.conf
index e9c75c1..9173012 100644
--- a/generic/etc/opkg/opkg.conf
+++ b/generic/etc/opkg/opkg.conf
@@ -10,3 +10,7 @@ dest root /
 arch @ARCH@ 10
 arch all 1
 arch noarch 1
+
+@CHECKSIG@
+@CAPATH@
+@CAFILE@
diff --git a/rules/opkg.in b/rules/opkg.in
index 25412e1..3b83cdf 100644
--- a/rules/opkg.in
+++ b/rules/opkg.in
@@ -84,6 +84,17 @@ config OPKG_OPKG_CONF_URL
 	  If you don't want to use this feature, keep the whole entry empty.
+config OPKG_OPKG_CONF_CHECKSIG
+	bool
+	prompt "enable repository signature checking"
+	depends on OPKG_OPENSSL
+	help
+	  Set the following options in opkg.conf:
+	  option check_signature 1
+	  option signature_ca_path /etc/ssl/certs
+	  option signature_ca_file /etc/ssl/certs/opkg.crt
+
+	  Repository will only be used if it's signature can be validated.
 endif
 endif
diff --git a/rules/opkg.make b/rules/opkg.make
index b11a67a..e9f5b8d 100644
--- a/rules/opkg.make
+++ b/rules/opkg.make
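Review bot: The three new @CHECKSIG@/@CAPATH@/@CAFILE@ placeholders live only in this generic template, and the rules/opkg.make hunk fills them with install_replace after install_alternative; if install_alternative prefers a BSP-local /etc/opkg/opkg.conf (as its name suggests), an older BSP copy without these placeholders gets no check_signature line at all, so enabling CHECKSIG would silently leave verification off. A short comment in the template above the placeholders, such as `# @CHECKSIG@, @CAPATH@ and @CAFILE@ are filled in by rules/opkg.make; keep them when copying this file`, would make that contract visible to BSP authors. Alternatively opkg.make could fail the build when the placeholder is absent, so the option never degrades to an unsigned feed unnoticed.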
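Review bot: `depends on OPKG_OPENSSL` lets OPKG_OPKG_CONF_CHECKSIG be enabled without PTXCONF_IMAGE_IPKG_SIGN_OPENSSL, yet the signer certificate named in the help text (/etc/ssl/certs/opkg.crt) is only installed by the rules/opkg.make hunk when that image option is set, so the resulting opkg.conf can reference a CA file that does not exist on the target. Tightening it to `depends on OPKG_OPENSSL && IMAGE_IPKG_SIGN_OPENSSL` (assuming that is the Kconfig symbol behind PTXCONF_IMAGE_IPKG_SIGN_OPENSSL) keeps the option and the certificate together; the same mismatch is visible in the opkg.make hunk. The last help line should also read `its signature` rather than `it's signature`.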
@@ -95,12 +95,31 @@ endif
 	@$(call install_lib, opkg, 0, 0, 0644, libopkg)
+ifdef PTXCONF_IMAGE_IPKG_SIGN_OPENSSL
+	@$(call install_copy, opkg, 0, 0, 0644, $(PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_SIGNER), /etc/ssl/certs/opkg.crt)
+endif
+
 ifdef PTXCONF_OPKG_OPKG_CONF
 	@$(call install_alternative, opkg, 0, 0, 0644, /etc/opkg/opkg.conf)
 	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @SRC@, \
 		$(PTXCONF_OPKG_OPKG_CONF_URL))
 	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @ARCH@, \
 		$(PTXDIST_IPKG_ARCH_STRING))
+ifdef PTXCONF_OPKG_OPKG_CONF_CHECKSIG
+	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @CHECKSIG@, \
+		"option check_signature 1")
+	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @CAPATH@, \
+		"option signature_ca_path /etc/ssl/certs")
+	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @CAFILE@, \
+		"option signature_ca_file /etc/ssl/certs/opkg.crt")
+else
+	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @CHECKSIG@, \
+		"option check_signature 0")
+	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @CAPATH@, \
+		"#option signature_ca_path /etc/ssl/certs")
+	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @CAFILE@, \
+		"#option signature_ca_file /etc/ssl/certs/opkg.crt")
+endif
 endif
 	@$(call install_finish, opkg)
diff --git a/scripts/lib/ptxd_make_image_prepare_work_dir.sh b/scripts/lib/ptxd_make_image_prepare_work_dir.sh
index 3dd6229..296c1ec 100644
--- a/scripts/lib/ptxd_make_image_prepare_work_dir.sh
+++ b/scripts/lib/ptxd_make_image_prepare_work_dir.sh
@@ -56,6 +56,9 @@ ${list[*]}
 	ARCH="${PTXDIST_IPKG_ARCH_STRING}" \
 	SRC="" \
+	CHECKSIG="" \
+	CAPATH="" \
+	CAFILE="" \
 	ptxd_replace_magic "${ptxd_reply}" > "${xpkg_conf}" &&
 	DESTDIR="${image_work_dir}" \
-- 
1.7.1
-- 
ptxdist mailing list
[email protected]
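Review bot: `option signature_ca_path /etc/ssl/certs` in the CHECKSIG branch widens the feed trust anchors from the single signer in /etc/ssl/certs/opkg.crt to every certificate in the system CA directory, if opkg loads signature_ca_path and signature_ca_file into the same verification store (its OpenSSL backend appears to); any package that populates /etc/ssl/certs would then be able to vouch for a feed. Restricting trust to the signer means dropping the @CAPATH@ replacement in that branch, or pointing it at a directory that holds only the feed signer certificate. The install_copy source $(PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_SIGNER) is shipped world-readable (0644), which is correct only for the public certificate; a comment above it such as `# public signer certificate only, never the signing key` would pin that assumption for whoever edits the variable later. The enclosing targetinstall rule starts and ends outside the hunk.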
