imagebuilder: complete support for local signing keys

Complete support for local signing keys for APK. A local key will be always generated, mkndx is always called with --allow-untrusted as it needs to replace the sign key with the new local one. With CONFIG_SIGNATURE_CHECK the local index is signed with the local key. Local public key is added with the ADD_LOCAL_KEY option. Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
author: Christian Marangi 2024-10-24 18:45:01 +0000
committer: Christian Marangi 2024-10-28 23:07:52 +0000
commit: 578f266ad7236d9d88fa955e63c5e4967e41c3b6 (patch)
tree: e1c0bf2f205da3199f4a486c11f2919d0e277903
parent: a8d17c21e4e8f089f229361c43f1b219cb8f2a96 (diff)
download: openwrt-578f266ad7236d9d88fa955e63c5e4967e41c3b6.tar.gz
2 files changed, 21 insertions, 4 deletions
diff --git a/include/rootfs.mk b/include/rootfs.mk
index c409e442b5..e6cadc531d 100644
--- a/include/rootfs.mk
+++ b/include/rootfs.mk
@@ -47,7 +47,7 @@ apk = \
   IPKG_INSTROOT=$(1) \
   $(FAKEROOT) $(STAGING_DIR_HOST)/bin/apk \
 	--root $(1) \
-	--keys-dir $(TOPDIR) \
+	--keys-dir $(if $(APK_KEYS),$(APK_KEYS),$(TOPDIR)) \
 	--no-cache \
 	--no-logfile \
 	--preserve-env
diff --git a/target/imagebuilder/files/Makefile b/target/imagebuilder/files/Makefile
index 3b1502cf57..24de26c771 100644
--- a/target/imagebuilder/files/Makefile
+++ b/target/imagebuilder/files/Makefile
@@ -83,6 +83,8 @@ help: FORCE
 
 
 # override variables from rules.mk
+BUILD_KEY_APK_SEC=$(TOPDIR)/keys/local-private-key.pem
+BUILD_KEY_APK_PUB=$(TOPDIR)/keys/local-public-key.pem
 export PACKAGE_DIR:=$(TOPDIR)/packages
 LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR)
 export PACKAGE_DIR_ALL:=$(TOPDIR)/packages
@@ -94,6 +96,7 @@ OPKG:=$(call opkg,$(TARGET_DIR)) \
 	--cache $(DL_DIR) \
 	--lists-dir $(LISTS_DIR)
 
+export APK_KEYS:=$(TOPDIR)/keys
 APK:=$(call apk,$(TARGET_DIR)) \
 	--repositories-file $(TOPDIR)/repositories \
 	$(if $(CONFIG_SIGNATURE_CHECK),,--allow-untrusted) \
@@ -180,6 +183,7 @@ ifeq ($(CONFIG_USE_APK),)
 else
 	$(APK) add --initdb
 	(cd $(PACKAGE_DIR); $(APK) mkndx \
+		$(if $(CONFIG_SIGNATURE_CHECK), --keys-dir $(APK_KEYS) --sign $(BUILD_KEY_APK_SEC)) \
 		--allow-untrusted --output packages.adb *.apk) >/dev/null 2>/dev/null || true
 	$(APK) update >&2 || true
 endif
@@ -241,6 +245,13 @@ ifeq ($(CONFIG_USE_APK),)
 			$(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub \
 		) \
 	)
+else
+	$(if $(CONFIG_SIGNATURE_CHECK), \
+		$(if $(ADD_LOCAL_KEY), \
+			mkdir -p $(TARGET_DIR)/etc/opkg/keys/; \
+			cp $(BUILD_KEY_APK_PUB) $(TARGET_DIR)/etc/apk/keys/; \
+		) \
+	)
 endif
 	$(call prepare_rootfs,$(TARGET_DIR),$(USER_FILES),$(DISABLED_SERVICES))
 
@@ -288,8 +299,8 @@ ifneq ($(PROFILE),)
 endif
 
 _check_keys: FORCE
-ifeq ($(CONFIG_USE_APK),)
 ifneq ($(CONFIG_SIGNATURE_CHECK),)
+ifeq ($(CONFIG_USE_APK),)
 	@if [ ! -s $(BUILD_KEY) -o ! -s $(BUILD_KEY).pub ]; then \
 		echo Generate local signing keys... >&2; \
 		$(STAGING_DIR_HOST)/bin/usign -G \
@@ -303,9 +314,15 @@ ifneq ($(CONFIG_SIGNATURE_CHECK),)
 			-p $(BUILD_KEY).pub \
 			-s $(BUILD_KEY); \
 	fi
-endif
 else
-	# TODO
+	@if [ ! -s $(BUILD_KEY_APK_SEC) -o ! -s $(BUILD_KEY_APK_PUB) ]; then \
+		echo Generate local signing keys... >&2; \
+		$(STAGING_DIR_HOST)/bin/openssl ecparam -name prime256v1 -genkey -noout -out $(BUILD_KEY_APK_SEC); \
+		sed -i '1s/^/untrusted comment: Local build key\n/' $(BUILD_KEY_APK_SEC); \
+		$(STAGING_DIR_HOST)/bin/openssl ec -in $(BUILD_KEY_APK_SEC) -pubout > $(BUILD_KEY_APK_PUB); \
+		sed -i '1s/^/untrusted comment: Local build key\n/' $(BUILD_KEY_APK_PUB); \
+	fi
+endif
 endif
 
 image:
author	Christian Marangi	2024-10-24 18:45:01 +0000
committer	Christian Marangi	2024-10-28 23:07:52 +0000
commit	578f266ad7236d9d88fa955e63c5e4967e41c3b6 (patch)
tree	e1c0bf2f205da3199f4a486c11f2919d0e277903
parent	a8d17c21e4e8f089f229361c43f1b219cb8f2a96 (diff)
download	openwrt-578f266ad7236d9d88fa955e63c5e4967e41c3b6.tar.gz