diff --git a/include/prereq-build.mk b/include/prereq-build.mk index 59ea7ef9a7..b7ada69bb4 100644 --- a/include/prereq-build.mk +++ b/include/prereq-build.mk @@ -168,6 +168,10 @@ $(eval $(call RequireCommand,svn, \ Please install the subversion client. \ )) +$(eval $(call RequireCommand,openssl, \ + Please install openssl. \ +)) + define Require/gnu-find $(FIND) --version 2>/dev/null endef diff --git a/package/Makefile b/package/Makefile index 00ac773499..bac7001c4f 100644 --- a/package/Makefile +++ b/package/Makefile @@ -120,10 +120,35 @@ $(curdir)/install: $(TMP_DIR)/.build $(if $(CONFIG_CLEAN_IPKG),rm -rf $(TARGET_DIR)/usr/lib/opkg) $(call mklibs) +PASSOPT="" +PASSARG="" +ifndef CONFIG_OPKGSMIME_PASSPHRASE + ifneq ($(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE)),) + PASSOPT="-passin" + PASSARG="file:$(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE))" + endif +endif + $(curdir)/index: FORCE - @(cd $(PACKAGE_DIR); $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \ - gzip -9c Packages > Packages.gz \ - ) +ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),) + @echo Signing key has not been configured +else +ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_CERT)),) + @echo Certificate has not been configured +else + @echo Generating package index... + @(cd $(PACKAGE_DIR); \ + $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \ + gzip -9c Packages > Packages.gz ) + @echo Signing package index... + @(cd $(PACKAGE_DIR); \ + openssl smime -binary -in Packages.gz \ + -out Packages.sig -outform PEM -sign \ + -signer $(CONFIG_OPKGSMIME_CERT) \ + -inkey $(CONFIG_OPKGSMIME_KEY) \ + $(PASSOPT) $(PASSARG) ) +endif +endif $(curdir)/preconfig: diff --git a/package/base-files/image-config.in b/package/base-files/image-config.in index ac08c8da7c..a9eb78c4f9 100644 --- a/package/base-files/image-config.in +++ b/package/base-files/image-config.in 
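Review bot: The new `RequireCommand,openssl` check in the prereq-build.mk hunk is unconditional, while package/Makefile in this same change only invokes openssl once both CONFIG_OPKGSMIME_KEY and CONFIG_OPKGSMIME_CERT are set, so every build host now needs openssl even when index signing is disabled. If the prerequisite checks run with .config already loaded, wrapping the block in `ifneq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),)` would keep the requirement tied to the feature. If they deliberately run before the configuration is read, a one-line comment above the block, `# openssl is used by package/Makefile to sign the package index (CONFIG_OPKGSMIME_*)`, would explain why it is always required.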
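Review bot: In the rewritten `$(curdir)/index` rule, a build with no signing key or certificate configured no longer produces Packages or Packages.gz at all: the two `ifeq` branches only echo a message, so the index generation that was unconditional before this change is lost for every unsigned build. Index generation should run first, unconditionally, with only the openssl step behind the key and certificate checks. Separately, `PASSOPT=""` and `PASSARG=""` assign the two literal quote characters rather than an empty value, so when no passfile is configured the recipe hands two empty arguments to openssl; plain `PASSOPT :=` and `PASSARG :=` leave the expansion empty. The `-signer` and `-inkey` values could also go through qstrip like the `ifeq` tests do, so a quoted .config value does not rely on the shell stripping the quotes. The `$(curdir)/install` rule named in the hunk header ends before this block, and the PASSOPT block sits between the two rules.
```make
PASSOPT :=
PASSARG :=
ifndef CONFIG_OPKGSMIME_PASSPHRASE
  ifneq ($(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE)),)
    PASSOPT := -passin
    PASSARG := file:$(call qstrip,$(CONFIG_OPKGSMIME_PASSFILE))
  endif
endif

$(curdir)/index: FORCE
	@echo Generating package index...
	@(cd $(PACKAGE_DIR); \
		$(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages && \
		gzip -9c Packages > Packages.gz )
ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_KEY)),)
	@echo Signing key has not been configured, index will not be signed
else
ifeq ($(call qstrip,$(CONFIG_OPKGSMIME_CERT)),)
	@echo Certificate has not been configured, index will not be signed
else
	@echo Signing package index...
	@(cd $(PACKAGE_DIR); \
		openssl smime -binary -in Packages.gz \
			-out Packages.sig -outform PEM -sign \
			-signer $(call qstrip,$(CONFIG_OPKGSMIME_CERT)) \
			-inkey $(call qstrip,$(CONFIG_OPKGSMIME_KEY)) \
			$(PASSOPT) $(PASSARG) )
endif
endif
```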
@@ -183,3 +183,41 @@ menuconfig VERSIONOPT
 %d .. Distribution name or "openwrt", lowercase
 %T .. Target name
 %S .. Target/Subtarget name
+
+menuconfig SMIMEOPT
+ bool "Package signing options" if IMAGEOPT
+ default n
+ help
+ These options configure the signing key and certificate to
+ be used for signing and verifying packages.
+
+ config OPKGSMIME_CERT
+ string
+ prompt "Path to certificate (PEM certificate format)" if SMIMEOPT
+ help
+ Path to the certificate to use for signature verification
+
+ config OPKGSMIME_KEY
+ string
+ prompt "Path to signing key (PEM private key format)" if SMIMEOPT
+ help
+ Path to the key to use for signing packages
+
+ config OPKGSMIME_PASSPHRASE
+ bool
+ default y
+ prompt "Wait for a passphrase when signing packages?" if SMIMEOPT
+ help
+ If this value is set, then the build will pause and request a passphrase
+ from the command line when signing packages. This SHOULD NOT be used with
+ automatic builds. If this value is not set, a file can be specified from
+ which the passphrase will be read.
+
+ config OPKGSMIME_PASSFILE
+ string
+ prompt "Path to a file containing the passphrase" if SMIMEOPT
+ depends on !OPKGSMIME_PASSPHRASE
+ help
+ Path to a file containing the passphrase for the signing key.
+ If the signing key is not encrypted and does not require a passphrase,
+ this option may be left blank.
diff --git a/package/system/opkg/Makefile b/package/system/opkg/Makefile
index eb3b10a776..3327a8e1ad 100644
--- a/package/system/opkg/Makefile
+++ b/package/system/opkg/Makefile
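Review bot: The help texts for OPKGSMIME_CERT and OPKGSMIME_KEY describe the wrong artefact: package/Makefile in this same change signs the package index (Packages.gz, producing Packages.sig), not individual packages, and the certificate is both the `-signer` for that step and the file installed to /etc/ssl/certs/opkg.pem on the target for verification. Suggested wording: `Path to the certificate used to sign the package index; it is also installed to the image as /etc/ssl/certs/opkg.pem so opkg can verify the index` and `Path to the private key used to sign the package index`. None of the four OPKGSMIME_* options has `depends on SMIMEOPT`, only `prompt ... if SMIMEOPT`, so a key and certificate path set once appear to remain in effect after the "Package signing options" menu is switched off again; if that is not intended, a `depends on SMIMEOPT` on each would clear them. Since OPKGSMIME_PASSPHRASE defaults to y, its help could state that the default is the interactive prompt, so unattended builders know to change it.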
@@ -109,8 +109,12 @@ define Package/opkg/Default/install endef Package/opkg/install = $(call Package/opkg/Default/install,$(1),) -Package/opkg-smime/install = $(call Package/opkg/Default/install,$(1),-smime) +define Package/opkg-smime/install + $(call Package/opkg/Default/install,$(1),-smime) + $(INSTALL_DIR) $(1)/etc/ssl/certs + $(if $(CONFIG_OPKGSMIME_CERT),$(INSTALL_DATA) $(call qstrip,$(CONFIG_OPKGSMIME_CERT)) $(1)/etc/ssl/certs/opkg.pem,) +endef define Build/InstallDev mkdir -p $(1)/usr/include diff --git a/package/system/opkg/files/opkg-smime.conf b/package/system/opkg/files/opkg-smime.conf index 103f231842..849bb65b20 100644 --- a/package/system/opkg/files/opkg-smime.conf +++ b/package/system/opkg/files/opkg-smime.conf @@ -4,4 +4,4 @@ dest ram /tmp lists_dir ext /var/opkg-lists option overlay_root /overlay option check_signature 1 -option signature_ca_path /etc/ssl/certs/ +option signature_ca_file /etc/ssl/certs/opkg.pem
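Review bot: The `$(if $(CONFIG_OPKGSMIME_CERT),...)` guard in the new Package/opkg-smime/install tests the raw .config value while the argument it installs is the qstripped one; a string option left blank is written to .config as `CONFIG_OPKGSMIME_CERT=""`, which is non-empty for `$(if)` but strips to nothing, so the recipe would run `$(INSTALL_DATA) $(1)/etc/ssl/certs/opkg.pem` with no source and fail the opkg-smime package build. Test the stripped value instead: `$(if $(call qstrip,$(CONFIG_OPKGSMIME_CERT)),$(INSTALL_DATA) $(call qstrip,$(CONFIG_OPKGSMIME_CERT)) $(1)/etc/ssl/certs/opkg.pem,)`. With the opkg-smime.conf hunk below now pointing `signature_ca_file` at /etc/ssl/certs/opkg.pem while `check_signature 1` stays on, an opkg-smime image built without a certificate ships a trust-anchor path that does not exist; whether opkg then rejects every install or skips the check is not visible here, so either failing the build when opkg-smime is selected without CONFIG_OPKGSMIME_CERT, or documenting the outcome in the option's help text, is worth deciding. Note also that the installed file is the signer's own certificate rather than a CA, so the device trusts exactly that certificate and rotating the signing key means shipping a new opkg.pem.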