[PATCH opkg] opkg: allow to configure the path to the signature verification script
Baptiste Jonglez
baptiste at bitsofnetworks.org
Mon Aug 24 11:07:40 EDT 2020
From: Baptiste Jonglez <git at bitsofnetworks.org>
Currently, package index signatures are only checked when opkg runs on the
OpenWrt device. The verification script is hard-coded to a path in
/usr/sbin/.
Making this path configurable is a first step towards implementing signature
verification in host builds of opkg (e.g. in the imagebuilder).
Signed-off-by: Baptiste Jonglez <git at bitsofnetworks.org>
---
libopkg/opkg_conf.c | 4 ++++
libopkg/opkg_conf.h | 3 +++
libopkg/opkg_download.c | 2 +-
src/opkg-cl.c | 8 ++++++++
4 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
index 08855eb..38703ee 100644
--- a/libopkg/opkg_conf.c
+++ b/libopkg/opkg_conf.c
@@ -72,6 +72,7 @@ opkg_option_t options[] = {
{"size", OPKG_OPT_TYPE_BOOL, &_conf.size},
{"tmp_dir", OPKG_OPT_TYPE_STRING, &_conf.tmp_dir},
{"verbosity", OPKG_OPT_TYPE_INT, &_conf.verbosity},
+ {"verify_program", OPKG_OPT_TYPE_STRING, &_conf.verify_program},
{NULL, 0, NULL}
};
@@ -572,6 +573,9 @@ int opkg_conf_load(void)
if (conf->lists_dir == NULL)
conf->lists_dir = xstrdup(OPKG_CONF_LISTS_DIR);
+ if (conf->verify_program == NULL)
+ conf->verify_program = xstrdup(OPKG_CONF_DEFAULT_VERIFY_PROGRAM);
+
if (conf->offline_root) {
sprintf_alloc(&tmp, "%s/%s", conf->offline_root,
conf->lists_dir);
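Review bot: The NULL default added in opkg_conf_load is the only check on verify_program, so an empty or relative value from the config file (the options[] entry in the first hunk) or from --verify-program (src/opkg-cl.c) reaches argv[0] in opkg_verify_file unchanged. Because this program decides whether a package index is trusted, I would reject anything that is not an absolute path right after the default is applied, e.g. `if (conf->verify_program[0] != '/')` followed by an error return; how a relative name would be resolved depends on xsystem, which is not visible here. Unlike lists_dir just below, the path is not prefixed with offline_root, which looks intentional for host builds but deserves a comment such as `/* verify_program runs on the host and is deliberately not relative to offline_root */`. opkg_conf_load starts and ends outside this hunk.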
diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
index 37f95a1..91190b3 100644
--- a/libopkg/opkg_conf.h
+++ b/libopkg/opkg_conf.h
@@ -35,6 +35,8 @@ extern opkg_conf_t *conf;
#define OPKG_CONF_DEFAULT_CONF_FILE_DIR OPKGETCDIR"/opkg"
+#define OPKG_CONF_DEFAULT_VERIFY_PROGRAM "/usr/sbin/opkg-key"
+
/* In case the config file defines no dest */
#define OPKG_CONF_DEFAULT_DEST_NAME "root"
#define OPKG_CONF_DEFAULT_DEST_ROOT_DIR "/"
@@ -85,6 +87,7 @@ struct opkg_conf {
char *overlay_root;
int query_all;
int verbosity;
+ char *verify_program;
int noaction;
int size;
int download_only;
diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index e970506..7bbf34b 100644
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -298,7 +298,7 @@ int opkg_prepare_url_for_install(const char *url, char **namep)
int opkg_verify_file(char *text_file, char *sig_file)
{
#if defined HAVE_USIGN
- const char *argv[] = { "/usr/sbin/opkg-key", "verify", sig_file,
+ const char *argv[] = { conf->verify_program, "verify", sig_file,
text_file, NULL };
return xsystem(argv) ? -1 : 0;
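Review bot: opkg_verify_file now trusts the exit status of whatever conf->verify_program names, and nothing in the hunk records which program was run, so a verifier swapped in through the config file or the command line leaves no trace in the output. I would log the path before the call, for example `opkg_msg(INFO, "Verifying %s with %s\n", text_file, conf->verify_program);`. A comment above argv should also state that this option is as security-sensitive as the key store and must only come from trusted configuration. The function body continues past the end of the hunk.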
diff --git a/src/opkg-cl.c b/src/opkg-cl.c
index 40a7502..01c6e94 100644
--- a/src/opkg-cl.c
+++ b/src/opkg-cl.c
@@ -53,6 +53,7 @@ enum {
ARGS_OPT_CACHE,
ARGS_OPT_FORCE_SIGNATURE,
ARGS_OPT_NO_CHECK_CERTIFICATE,
+ ARGS_OPT_VERIFY_PROGRAM,
ARGS_OPT_SIZE,
};
@@ -109,6 +110,8 @@ static struct option long_options[] = {
{"lists-dir", 1, 0, 'l'},
{"lists_dir", 1, 0, 'l'},
{"verbosity", 2, 0, 'V'},
+ {"verify-program", 1, 0, ARGS_OPT_VERIFY_PROGRAM},
+ {"verify_program", 1, 0, ARGS_OPT_VERIFY_PROGRAM},
{"version", 0, 0, 'v'},
{0, 0, 0, 0}
};
@@ -232,6 +235,9 @@ static int args_parse(int argc, char *argv[])
case ARGS_OPT_NO_CHECK_CERTIFICATE:
conf->no_check_certificate = 1;
break;
+ case ARGS_OPT_VERIFY_PROGRAM:
+ conf->verify_program = xstrdup(optarg);
+ break;
case ':':
parse_err = -1;
break;
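Review bot: In the new ARGS_OPT_VERIFY_PROGRAM case a repeated --verify-program overwrites conf->verify_program without releasing the earlier xstrdup copy. A `free(conf->verify_program);` before the assignment keeps the last value and drops the leak. Whether the other string options in args_parse follow the same pattern is not visible, since the switch starts and ends outside this hunk.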
@@ -322,6 +328,8 @@ static void usage()
printf(" directory name in a pinch).\n");
printf("\t-o <dir> Use <dir> as the root directory for\n");
printf("\t--offline-root <dir> offline installation of packages.\n");
+ printf
+ ("\t--verify-program <path> Use the given program to verify usign signatures\n");
printf
("\t--add-arch <arch>:<prio> Register architecture with given priority\n");
printf
--
2.27.0