subject:"Re\: \[ptxdist\] \[PATCH 6\/7\] Added option to sign ipkg\-repository"

Re: [ptxdist] [PATCH 6/7] Added option to sign ipkg-repository

2011-04-28 Thread Michael Olbrich

On Wed, Apr 27, 2011 at 08:35:24AM -0500, George McCollister wrote:
 On 04/26/2011 07:03 AM, Michael Olbrich wrote:
 On Mon, Apr 25, 2011 at 01:14:22PM -0500, George McCollister wrote:
[...]
 +config IMAGE_IPKG_SIGN_OPENSSL_SIGNER
 +   string
 +   default 
 +   prompt signer certificate file
 +   help
 + signer certificate file to pass to openssl for signing.
 +
 +config IMAGE_IPKG_SIGN_OPENSSL_KEY
 +   string
 +   default 
 +   prompt private key file
 +   help
 + private key file to pass to openssl.
 Would this be a path below ${PTXDIST_WORKSPACE}? Otherwise, it would make
 sense to add this to 'ptxdist setup'.
 You may want to use different keys for different workspaces.
 Consider this fictional developer's workspaces:
 
 nato_weaponsystem_workspace
 russian_weaponsystem_workspace
 chinese_weaponsystem_workspace
 
 It would be unacceptable to sign the repository for
 nato_weaponsystem_workspace with the same key as
 russian_weaponsystem_workspace :)
 
 I'm actually planning to use these paths:
 
 Private key (not installed on target):
 ${PTXDIST_WORKSPACE}/projectroot/etc/ssl/certs/repo.key
 
 Certificate (installed on target):
 ${PTXDIST_WORKSPACE}/projectroot/etc/ssl/certs/repo.crt

Ok, in this case ptxconfig is the right place. And an option to install the
certificate would definitively make sense.

Michael

-- 
Pengutronix e.K.   | |
Industrial Linux Solutions | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0|
Amtsgericht Hildesheim, HRA 2686   | Fax:   +49-5121-206917- |

-- 
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH 6/7] Added option to sign ipkg-repository

2011-04-26 Thread Michael Olbrich

On Mon, Apr 25, 2011 at 01:14:22PM -0500, George McCollister wrote:
 ipkg-repository can now be signed using openssl. A signature for the
 Packages file is created and stored in Packages.sig. On the target, opkg
 can be configured to enforce verification of the Packages file (which in
 turn contains hashes of each ipk file) by using an /etc/opkg/opkg.conf similar
 to the following:
 src myrepo http://server/ipkg-repository/mydistro/dists/mydistro-3
 option check_signature
 option signature_ca_path /var/keys
 option signature_ca_file /var/keys/selfsigned.crt

H, so you need the public key on the target, right? Wouldn't it make
sense to install it if this option is selected?

 
 Signed-off-by: George McCollister george.mccollis...@gmail.com
 ---
  platforms/image_ipkg.in|   28 
  rules/post/image_ipkg.make |   13 +
  2 files changed, 41 insertions(+), 0 deletions(-)
 
 diff --git a/platforms/image_ipkg.in b/platforms/image_ipkg.in
 index caafb24..20d01cc 100644
 --- a/platforms/image_ipkg.in
 +++ b/platforms/image_ipkg.in
 @@ -24,6 +24,34 @@ config IMAGE_IPKG_FORCED_PUSH
 If this option is checked, this is done by default. This
 is most useful for development purposes.
  
 +menuconfig IMAGE_IPKG_SIGN_OPENSSL
 + depends on IMAGE_IPKG_PUSH_TO_REPOSITORY
 + bool
 + select HOST_OPENSSL
 + prompt sign ipkg-repository with openssl
 + help
 +   Use openssl to to sign the Packages file in the package
 +   repository.
 +
 +
 +if IMAGE_IPKG_SIGN_OPENSSL
 +
 +config IMAGE_IPKG_SIGN_OPENSSL_SIGNER
 + string
 + default 
 + prompt signer certificate file
 + help
 +   signer certificate file to pass to openssl for signing.
 +
 +config IMAGE_IPKG_SIGN_OPENSSL_KEY
 + string
 + default 
 + prompt private key file
 + help
 +   private key file to pass to openssl.

Would this be a path below ${PTXDIST_WORKSPACE}? Otherwise, it would make
sense to add this to 'ptxdist setup'.

Michael

 +
 +endif
 +
  config IMAGE_INSTALL_FROM_IPKG_REPOSITORY
   bool
   select IMAGE_IPKG_PUSH_TO_REPOSITORY
 diff --git a/rules/post/image_ipkg.make b/rules/post/image_ipkg.make
 index 6eb9b1b..70a50aa 100644
 --- a/rules/post/image_ipkg.make
 +++ b/rules/post/image_ipkg.make
 @@ -33,6 +33,19 @@ endif
   --dist $(call 
 remove_quotes,$(PTXCONF_PROJECT)$(PTXCONF_PROJECT_VERSION)) \
   --type $(package_type)
   @echo ipkg-repository updated
 +ifdef PTXCONF_IMAGE_IPKG_SIGN_OPENSSL
 + @echo signing Packages...
 + openssl smime -sign \
 + -in 
 $(PTXCONF_SETUP_IPKG_REPOSITORY)/$(PTXCONF_PROJECT)/dists/$(PTXCONF_PROJECT)$(PTXCONF_PROJECT_VERSION)/Packages
  \
 + -text -binary \
 + -signer $(PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_SIGNER) \
 + -inkey $(PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_KEY) | \
 + (echo -BEGIN PKCS7- ; \
 + sed -e '1,/^Content-Disposition:/d;/^-/d;/^$$/d'; \
 + echo -END PKCS7-)  \
 + 
 $(PTXCONF_SETUP_IPKG_REPOSITORY)/$(PTXCONF_PROJECT)/dists/$(PTXCONF_PROJECT)$(PTXCONF_PROJECT_VERSION)/Packages.sig
 + @echo Packages.sig created
 +endif
   @touch $@
  
  
 -- 
 1.7.1
 
 
 -- 
 ptxdist mailing list
 ptxdist@pengutronix.de
 

-- 
Pengutronix e.K.   | |
Industrial Linux Solutions | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0|
Amtsgericht Hildesheim, HRA 2686   | Fax:   +49-5121-206917- |

-- 
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH 6/7] Added option to sign ipkg-repository

Re: [ptxdist] [PATCH 6/7] Added option to sign ipkg-repository

2 matches

Site Navigation

Mail list logo

Footer information