From f4aaee01faea1998b2403ffe951fe6100fb4e587 Mon Sep 17 00:00:00 2001 From: John Crispin Date: Mon, 21 Oct 2019 16:26:07 +0200 Subject: [PATCH] Revert "build: separate signing logic" This reverts commit 4a45e69d190f72ed94878487b271ed7651dd9efa. This broke the buildbots Signed-off-by: John Crispin --- config/Config-build.in | 12 ++---------- include/image-commands.mk | 13 +++++-------- package/base-files/Makefile | 17 ++++++++--------- 3 files changed, 15 insertions(+), 27 deletions(-) diff --git a/config/Config-build.in b/config/Config-build.in index c6591708a2..872e5c12ab 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -37,21 +37,13 @@ menu "Global build settings" - Enabling per-device rootfs support ... - config INSTALL_LOCAL_KEY - bool "Install local usign key into image" - default n - config SIGNED_PACKAGES bool "Cryptographically signed package lists" - default n - - config SIGNED_IMAGES - bool "Cryptographically signed firmware images" - default n + default y config SIGNATURE_CHECK bool "Enable signature checking in opkg" - default y + default SIGNED_PACKAGES comment "General build options" diff --git a/include/image-commands.mk b/include/image-commands.mk index 3d10b18bc8..5dfd6a2c2f 100644 --- a/include/image-commands.mk +++ b/include/image-commands.mk @@ -373,14 +373,11 @@ metadata_json = \ define Build/append-metadata $(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@) - [ -z "$(SIGNED_IMAGES)" \ - -o ! -s "$(BUILD_KEY)" \ - -o ! -s "$(BUILD_KEY).ucert" \ - -o ! -s "$@" ] || { \ - cp "$(BUILD_KEY).ucert" "$@.ucert" ;\ - usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\ - ucert -A -c "$@.ucert" -x "$@.sig" ;\ - fwtool -S "$@.ucert" "$@" ;\ + [ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \ + cp "$(BUILD_KEY).ucert" "$@.ucert" ;\ + usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\ + ucert -A -c "$@.ucert" -x "$@.sig" ;\ + fwtool -S "$@.ucert" "$@" ;\ } endef 
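Review bot: `SIGNATURE_CHECK` now takes `default SIGNED_PACKAGES`, but neither option in this hunk has help text, so nothing tells a builder that switching off package-list signing also switches off signature checking in opkg by default. A short `help` under `SIGNATURE_CHECK` would cover it, for example `Verify usign signatures on package lists in opkg. Defaults to the SIGNED_PACKAGES setting; when disabled, package lists are accepted without verification.` The symbol has only a `default` and no `depends on` here, so it still appears to be selectable on its own, and the help should say so.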
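Review bot: The signing block in `Build/append-metadata` joins its commands with `;`, so a failing `usign -S` or `ucert -A` does not stop the sequence, and `fwtool -S` still runs on whatever `$@.ucert` holds. Unless the recipe shell runs with `-e`, which is not visible in this hunk, the step's exit status is that of `fwtool` alone. Ending the first three lines with `&& \` instead of `;\`, as in `usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" && \`, makes a signing error fail the build. With the `SIGNED_IMAGES` test gone, the guard also skips signing silently when the key or certificate is missing or empty, so add a comment above the test such as `# no build key or ucert: image is left unsigned on purpose`.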
diff --git a/package/base-files/Makefile b/package/base-files/Makefile index 588c958f80..f105d2cd27 100644 --- a/package/base-files/Makefile +++ b/package/base-files/Makefile @@ -37,7 +37,7 @@ endif define Package/base-files SECTION:=base CATEGORY:=Base system - DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNATURE_CHECK:usign +SIGNATURE_CHECK:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool + DEPENDS:=+netifd +libc +procd +jsonfilter +SIGNED_PACKAGES:usign +SIGNED_PACKAGES:openwrt-keyring +NAND_SUPPORT:ubi-utils +fstools +fwtool TITLE:=Base filesystem for OpenWrt URL:=http://openwrt.org/ VERSION:=$(PKG_RELEASE)-$(REVISION) @@ -116,6 +116,12 @@ ifdef CONFIG_SIGNED_PACKAGES $(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY) endef + + define Package/base-files/install-key + mkdir -p $(1)/etc/opkg/keys + $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub` + + endef endif ifeq ($(CONFIG_NAND_SUPPORT),) @@ -124,16 +130,9 @@ ifeq ($(CONFIG_NAND_SUPPORT),) endef endif -ifdef CONFIG_INSTALL_LOCAL_KEY - define Package/base-files/install-local-key - mkdir -p $(1)/etc/opkg/keys - $(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign \ - -F -p $(BUILD_KEY).pub` -endef - define Package/base-files/install $(CP) ./files/* $(1)/ - $(Package/base-files/install-local-key) + $(Package/base-files/install-key) $(Package/base-files/nand-support) if [ -d $(GENERIC_PLATFORM_DIR)/base-files/. ]; then \ $(CP) $(GENERIC_PLATFORM_DIR)/base-files/* $(1)/; \ -- 2.30.2
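Review bot: The `DEPENDS` line now pulls in `usign` and `openwrt-keyring` on `SIGNED_PACKAGES`, while the Config-build.in part of this patch keeps `SIGNATURE_CHECK` as a separate prompt with only a default. As far as these hunks show, a configuration with `SIGNATURE_CHECK=y` and `SIGNED_PACKAGES=n` would enable opkg verification without base-files installing the verifier or the keyring. Making the Kconfig symbol `depends on SIGNED_PACKAGES` would remove that combination. Alternatively, key the two dependencies on the option that consumes them, `+SIGNATURE_CHECK:usign +SIGNATURE_CHECK:openwrt-keyring`. Whether another package already selects them is not visible here.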
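Review bot: In `Package/base-files/install-key` the destination file name comes from the backtick call to `usign -F`, and its result is never checked. If that call fails or prints nothing, and `$(CP)` behaves like `cp`, the public key lands in `etc/opkg/keys/` under its own file name and the recipe still succeeds, presumably leaving a key that is not found by fingerprint. Capturing and testing the fingerprint first closes that: `fp="$$($(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub)" && [ -n "$$fp" ] && \` followed by `$(CP) $(BUILD_KEY).pub "$(1)/etc/opkg/keys/$$fp"`. The define should also carry a comment saying that it adds the local build key to the keys opkg trusts on every image built with `SIGNED_PACKAGES`, because this patch removes the separate `INSTALL_LOCAL_KEY` switch.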