base-files: do not strip fwtool signature data during check
[openwrt/openwrt.git] / package / base-files / files / lib / upgrade / fwtool.sh
index 984c173097e3882e791ecdc5008a46943a128f45..6d7300bad632c76e9d24a4c227a9734b7ad55aac 100644 (file)
@@ -1,5 +1,26 @@
-fwtool_pre_upgrade() {
-       fwtool -q -i /dev/null "$1"
+fwtool_check_signature() {
+       [ $# -gt 1 ] && return 1
+
+       [ ! -x /usr/bin/ucert ] && {
+               if [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ]; then
+                       return 1
+               else
+                       return 0
+               fi
+       }
+
+       if ! fwtool -q -s /tmp/sysupgrade.ucert "$1"; then
+               echo "Image signature not found"
+               [ "$REQUIRE_IMAGE_SIGNATURE" = 1 -a "$FORCE" != 1 ] && {
+                       echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware"
+               }
+               [ "$REQUIRE_IMAGE_SIGNATURE" = 1 ] && return 1
+               return 0
+       fi
+
+       ucert -V -m "$1" -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
+
+       return $?
 }
 
 fwtool_check_image() {
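Review bot: When `/usr/bin/ucert` is not executable, `fwtool_check_signature` returns without printing anything, so with `REQUIRE_IMAGE_SIGNATURE` unset an image is accepted unverified and nothing in the output shows it. The missing-signature branch does print "Image signature not found"; a matching line in the ucert branch, such as `echo "ucert not available, image signature not verified" >&2` before the inner `if`, would make the skipped check visible. The guard `[ $# -gt 1 ] && return 1` also lets a call with no argument through: the empty `"$1"` presumably makes `fwtool -s` fail, and the function then returns 0 unless signatures are required, so `[ $# -eq 1 ] || return 1` would be the tighter check. The `[ ... = 1 -a ... != 1 ]` test here and in the `fwtool_check_image` hunk uses `-a`, which POSIX marks obsolescent; `[ "$REQUIRE_IMAGE_SIGNATURE" = 1 ] && [ "$FORCE" != 1 ] && {` avoids the ambiguity.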
@@ -9,6 +30,9 @@ fwtool_check_image() {
 
        if ! fwtool -q -i /tmp/sysupgrade.meta "$1"; then
                echo "Image metadata not found"
+               [ "$REQUIRE_IMAGE_METADATA" = 1 -a "$FORCE" != 1 ] && {
+                       echo "Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware"
+               }
                [ "$REQUIRE_IMAGE_METADATA" = 1 ] && return 1
                return 0
        fi
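Review bot: The added hint tells the user that `sysupgrade -F` overrides the check, but the unchanged line after it still does `return 1` whenever `REQUIRE_IMAGE_METADATA` is 1, whatever `$FORCE` holds. The override is therefore enforced somewhere outside this function, presumably in the caller, which is not visible in the hunk. A short comment above the new test, for example `# FORCE only silences the hint; the caller decides whether a failed check is fatal`, would stop a later reader from assuming the bypass lives here. The signature branch added in the first hunk has the same shape. `fwtool_check_image` starts before this hunk and continues past it.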