[OpenWrt-Devel] [PATCH 09/14] package/signing-key base-files: Move the package list signing key to separate package

openwrt at daniel.thecshore.com openwrt at daniel.thecshore.com
Sun Jan 3 01:02:57 EST 2016


From: Daniel Dickinson <openwrt at daniel.thecshore.com>

In order to make it easier to sign packages built with an SDK,
we make signing-key a separate package from base-files, with
a configuration option and variants (so that different builds
can use different keys), which can be easily included in images
with imagebuilder.

Signed-off-by: Daniel Dickinson <openwrt at daniel.thecshore.com>
---
 config/Config-build.in       |  5 +++
 package/base-files/Makefile  | 20 +---------
 package/signing-key/Makefile | 95 ++++++++++++++++++++++++++++++++++++++++++++
 rules.mk                     |  3 +-
 4 files changed, 104 insertions(+), 19 deletions(-)
 create mode 100644 package/signing-key/Makefile

diff --git a/config/Config-build.in b/config/Config-build.in
index 2523a18..5867f53 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -18,6 +18,11 @@ menu "Global build settings"
 		bool "Cryptographically signed package lists"
 		default y
 
+	config BUILD_KEY_TYPE
+		string
+		prompt "Name for build key with signed package lists"
+		depends on SIGNED_PACKAGES
+
 	comment "General build options"
 
 	config DISPLAY_SUPPORT
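Review bot: `BUILD_KEY_TYPE` has no `default`, so a configuration that enables SIGNED_PACKAGES without filling in the prompt leaves it empty. The value is then interpolated unchecked into the key path in rules.mk (`$(TOPDIR)/key-`), into the base-files dependency (`signing-key-`) and into the `Package/signing-key-$(BUILD_KEY_TYPE)` definitions in the new package/signing-key/Makefile. Adding `default "base"` here would keep the signing setup from silently ending up with a nameless key. A `help` text should also say that the name becomes part of a file name and a package name, and should be limited to lowercase letters, digits and `-`.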
diff --git a/package/base-files/Makefile b/package/base-files/Makefile
index bf32f63..d1d6da1 100644
--- a/package/base-files/Makefile
+++ b/package/base-files/Makefile
@@ -17,8 +17,6 @@ PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
 PKG_BUILD_DEPENDS:=usign/host
 PKG_LICENSE:=GPL-2.0
 
-PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
-
 include $(INCLUDE_DIR)/package.mk
 
 ifneq ($(DUMP),1)
@@ -31,7 +29,7 @@ endif
 define Package/base-files
   SECTION:=base
   CATEGORY:=Base system
-  DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign +fstools
+  DEPENDS:=+netifd +libc +procd +jsonfilter +fstools +SIGNED_PACKAGES:signing-key-$(BUILD_KEY_TYPE)
   TITLE:=Base filesystem for OpenWrt
   URL:=http://openwrt.org/
   VERSION:=$(PKG_RELEASE)-$(REVISION)
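Review bot: With `BUILD_KEY_TYPE` set to `base`, this dependency expands to `signing-key-base`, but the new package/signing-key/Makefile defines that variant under the name `signing-key` and only creates `signing-key-<type>` for other values. As far as the visible hunks show, nothing provides `signing-key-base`, so the image would presumably be built without a public key in `/etc/opkg/keys`, and opkg on the device could not verify the signed package lists. One way to match the names is `+SIGNED_PACKAGES:signing-key$(if $(filter-out base,$(BUILD_KEY_TYPE)),-$(BUILD_KEY_TYPE))`. The non-base variants also carry `@IN_SDK`, so it is worth confirming that base-files can select them in a full-tree build. The `Package/base-files` definition continues past this hunk.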
@@ -90,25 +88,11 @@ endef
 define Build/Compile/Default
 
 endef
-Build/Compile = $(Build/Compile/Default)
-
-ifdef CONFIG_SIGNED_PACKAGES
-  define Build/Configure
-	[ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
-		$(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"
-
-  endef
 
-  define Package/base-files/install-key
-	mkdir -p $(1)/etc/opkg/keys
-	$(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub`
-
-  endef
-endif
+Build/Compile = $(Build/Compile/Default)
 
 define Package/base-files/install
 	$(CP) ./files/* $(1)/
-	$(Package/base-files/install-key)
 	if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \
 		$(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \
 	fi
diff --git a/package/signing-key/Makefile b/package/signing-key/Makefile
new file mode 100644
index 0000000..1ac2996
--- /dev/null
+++ b/package/signing-key/Makefile
@@ -0,0 +1,95 @@
+#
+# Copyright (C) 2007-2015 OpenWrt.org
+# Copyright (C) 2010 Vertical Communications
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+ifneq ($(DUMP),)
+  -include $(TOPDIR)/.config
+endif
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=signing-key
+PKG_VERSION:=1.0
+PKG_RELEASE:=1
+
+PKG_BUILD_DEPENDS:=usign/host
+PKG_LICENSE:=GPL-2.0
+
+PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_KEY_TYPE)
+
+include $(INCLUDE_DIR)/package.mk
+
+# Cheat and use VARIANT so we can have package names which
+# are different from the subdirectory / PKG_NAME
+
+define Package/signing-key/Default
+  SECTION:=base
+  CATEGORY:=Base system
+  DEPENDS:=+usign
+  TITLE:=Signing key when using signed package lists
+  URL:=http://openwrt.org/
+endef
+
+define Package/signing-key
+$(call Package/signing-key/Default)
+  DEPENDS+=@!IN_SDK
+  TITLE+= (base key)
+  VARIANT:=base
+endef
+
+ifneq ($(BUILD_KEY_TYPE),base)
+define Package/signing-key-$(BUILD_KEY_TYPE)
+$(call Package/signing-key/Default)
+  DEPENDS+=@IN_SDK
+  TITLE+= ($(BUILD_KEY_TYPE) key)
+  VARIANT:=$(BUILD_KEY_TYPE)
+endef
+endif
+
+define Package/signing-key/description
+  This package contains the opkg signing key for the base build when using signed package lists
+endef
+
+ifneq ($(BUILD_KEY_TYPE),base)
+define Package/signing-key-$(BUILD_KEY_TYPE)/description
+  This package contains the opkg signing key for the $(BUILD_KEY_TYPE) build when using signed package lists
+endef
+endif
+
+define Build/Prepare
+	true
+endef
+
+define Build/Configure
+	[ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
+		$(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local $(BUILD_KEY_TYPE) build key"
+endef
+
+define Build/Compile
+	echo "Placeholder for log file"
+endef
+
+define Package/signing-key/install/Default
+	$(INSTALL_DIR) $(1)/etc/opkg/keys
+	$(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub`
+endef
+
+define Package/signing-key/install
+$(call Package/signing-key/install/Default,$(1),$(2))
+endef
+
+ifneq ($(BUILD_KEY_TYPE),base)
+define Package/signing-key-$(BUILD_KEY_TYPE)/install
+$(call Package/signing-key/install/Default,$(1),$(2))
+endef
+endif
+
+$(eval $(call BuildPackage,signing-key))
+ifneq ($(BUILD_KEY_TYPE),base)
+$(eval $(call BuildPackage,signing-key-$(BUILD_KEY_TYPE)))
+endif
+
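Review bot: `Build/Configure` generates a new pair whenever either `$(BUILD_KEY)` or `$(BUILD_KEY).pub` is missing or empty, so a tree that still has the secret key but lost the public half gets a fresh key rather than an error. If usign overwrites existing files (not visible here), that silently replaces the signing identity that deployed devices already trust. I would generate only when both files are absent, fail when exactly one is present, and quote the paths, since `BUILD_KEY_TYPE` is free-form text. The same quoting applies to the `usign -F` backticks in `Package/signing-key/install/Default`, where a failed fingerprint lookup would copy the key under its source file name instead of the fingerprint.

```make
define Build/Configure
	if [ -s "$(BUILD_KEY)" ] && [ -s "$(BUILD_KEY).pub" ]; then \
		: ; \
	elif [ -e "$(BUILD_KEY)" ] || [ -e "$(BUILD_KEY).pub" ]; then \
		echo "Incomplete key pair at $(BUILD_KEY); refusing to generate a new key" >&2; \
		exit 1; \
	else \
		$(STAGING_DIR_HOST)/bin/usign -G -s "$(BUILD_KEY)" -p "$(BUILD_KEY).pub" -c "Local $(BUILD_KEY_TYPE) build key"; \
	fi
endef
```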
diff --git a/rules.mk b/rules.mk
index eb5665d..09aff9b 100644
--- a/rules.mk
+++ b/rules.mk
@@ -211,7 +211,8 @@ else
   TARGET_NM:=$(TARGET_CROSS)nm
 endif
 
-BUILD_KEY=$(TOPDIR)/key-build
+BUILD_KEY_TYPE:=$(call qstrip,$(CONFIG_BUILD_KEY_TYPE))
+BUILD_KEY=$(TOPDIR)/key-$(BUILD_KEY_TYPE)
 
 TARGET_CC:=$(TARGET_CROSS)gcc
 TARGET_CXX:=$(TARGET_CROSS)g++
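Review bot: Existing build trees keep their key pair in `$(TOPDIR)/key-build`, and after this change no value other than the literal type `build` points at it. The first build after updating would then generate a new pair via `Build/Configure` in package/signing-key, and devices carrying the old public key would reject package lists signed with the new one. Mapping the default type onto the old file name keeps continuity, for example `BUILD_KEY=$(TOPDIR)/key-$(if $(filter-out base,$(BUILD_KEY_TYPE)),$(BUILD_KEY_TYPE),build)`. Otherwise the commit message should tell builders to rename `key-build`.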
-- 
2.4.3