base-files: do not strip fwtool signature data during check
[openwrt/openwrt.git] / package / base-files / files / lib / upgrade / fwtool.sh
index 49f02b7bd9ed735a43a487ea2d7d306a604be6c0..6d7300bad632c76e9d24a4c227a9734b7ad55aac 100644 (file)
@@ -1,5 +1,26 @@
-fwtool_pre_upgrade() {
-       fwtool -q -i /dev/null "$1"
+fwtool_check_signature() {
+       [ $# -gt 1 ] && return 1
+
+       [ ! -x /usr/bin/ucert ] && {
+               if [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ]; then
+                       return 1
+               else
+                       return 0
+               fi
+       }
+
+       if ! fwtool -q -s /tmp/sysupgrade.ucert "$1"; then
+               echo "Image signature not found"
+               [ "$REQUIRE_IMAGE_SIGNATURE" = 1 -a "$FORCE" != 1 ] && {
+                       echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware"
+               }
+               [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ] && return 1
+               return 0
+       fi
+
+       ucert -V -m "$1" -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
+
+       return $?
 }
 
 fwtool_check_image() {
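Review bot: The closing `ucert -V -m "$1" -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys` call in fwtool_check_signature verifies the image file exactly as it sits on disk, and because this change extracts the signature with `fwtool -q -s` without stripping it, `"$1"` presumably still carries the signature chunk at that point. If the signature was computed over the image without that chunk, the check runs over different bytes than were signed; how ucert treats the trailer is not visible here, so this should be confirmed with a correctly signed and a tampered image. I would hand ucert a copy of the image with the extracted chunk removed, or at least add a comment above the call such as `# "$1" still includes the fwtool signature chunk; ucert must see exactly the bytes that were signed`. Separately, `/tmp/sysupgrade.ucert` is a fixed path that is never removed after the check. The function also returns 1 on a missing signature even with `FORCE=1`, so the `-F` override named in the message has to be honoured by the caller, which is outside this hunk.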