[PATCH v2] imagebuilder: add package signature verification

Paul Spooren mail at aparcar.org
Thu Oct 1 20:02:08 EDT 2020


On Tue Sep 15, 2020 at 3:24 PM HST, Paul Spooren wrote:
> The ImageBuilder downloads pre-built packages and adds them to images.
> This process uses `opkg` which has the capability to verify package list
> signatures via `usign`, as enabled per default on running OpenWrt
> devices.
>
> Until now this was disabled for ImageBuilders because neither the `opkg`
> keys nor the `opkg-add` script was present during first packagelist
> update.
>
> To harden the ImageBuilder against *drive-by-download-attacks* both keys
> and verification script are added to the ImageBuilder allowing `opkg` to
> verify downloaded package indices.
>
> This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys
> folder is added to ImageBuilder $TOPDIR to have an obvious place for users to
> store their own keys. The `option check_signature` is appended to the
> repositories.conf file. All of the above only happens if the Buildbot
> runs with the SIGNATURE_CHECK option.
>
> The keys stored in the ImageBuilder keys/ folder are the same as stored
> within images in `/etc/opkg/keys`.
>
> To allow a local package feed in which the user can add additional
> packages, the local *imagebuilder* feed is set to `src/trusted` which
> skips signature verification only on this particular feed.
>
> Signed-off-by: Paul Spooren <mail at aparcar.org>

I chose a different approach: Generating `usign` keys via the
ImageBuilder, which doesn't require any `opkg` modifications
(e.g. src/trusted).

This time it's a PR on GitHub:
https://github.com/openwrt/openwrt/pull/3477

> ---
> target/imagebuilder/Makefile | 10 +++++++++-
> target/imagebuilder/files/Makefile | 2 ++
> 2 files changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/target/imagebuilder/Makefile b/target/imagebuilder/Makefile
> index ad19ab2b53..0cdc1f4d93 100644
> --- a/target/imagebuilder/Makefile
> +++ b/target/imagebuilder/Makefile
> @@ -42,7 +42,7 @@ endif
>  
> echo '' >> $(PKG_BUILD_DIR)/repositories.conf
> echo '## This is the local package repository, do not remove!' >>
> $(PKG_BUILD_DIR)/repositories.conf
> - echo 'src imagebuilder file:packages' >>
> $(PKG_BUILD_DIR)/repositories.conf
> + echo 'src/trusted imagebuilder file:packages' >>
> $(PKG_BUILD_DIR)/repositories.conf
>  
> $(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf
>  
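
Review bot: The `src/trusted imagebuilder file:packages` line is written unconditionally, while the rest of the change sits inside `ifneq ($(CONFIG_SIGNATURE_CHECK),)` and the commit message says everything applies only when SIGNATURE_CHECK is set. An ImageBuilder built without the option would still get a `src/trusted` feed line, which depends on an `opkg` that understands that keyword. Consider emitting `src/trusted` only inside the conditional and keeping plain `src` otherwise, and extending the generated "do not remove!" comment to say that this feed is exempt from signature verification.
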
> @@ -57,6 +57,14 @@ else
> find $(wildcard $(PACKAGE_SUBDIRS)) -type f -name '*.ipk' -exec $(CP) {}
> $(PKG_BUILD_DIR)/packages/ \;
> endif
>  
> +ifneq ($(CONFIG_SIGNATURE_CHECK),)
> + echo '' >> $(PKG_BUILD_DIR)/repositories.conf
> + echo 'option check_signature' >> $(PKG_BUILD_DIR)/repositories.conf
> + $(INSTALL_DIR) $(PKG_BUILD_DIR)/keys
> + $(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/
> + $(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key
> $(PKG_BUILD_DIR)/scripts/
> +endif
> +
> $(CP) $(TOPDIR)/target/linux $(PKG_BUILD_DIR)/target/
> if [ -d $(TOPDIR)/staging_dir/host/lib/grub ]; then \
> $(CP) $(TOPDIR)/staging_dir/host/lib/grub/
> $(PKG_BUILD_DIR)/staging_dir/host/lib; \
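
Review bot: The commit message says `opkg-add` is added to the ImageBuilder scripts folder, but the `$(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key` line here installs `opkg-key`. Please make the message and the Makefile agree on the script name so it is clear which program performs the verification. It would also help to state in a comment that the copied keys are the ones from `/etc/opkg/keys` in the image, since `option check_signature` is enabled in the same block and relies on them being present.
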
> diff --git a/target/imagebuilder/files/Makefile
> b/target/imagebuilder/files/Makefile
> index 27d3cfa8df..56b70f16b5 100644
> --- a/target/imagebuilder/files/Makefile
> +++ b/target/imagebuilder/files/Makefile
> @@ -64,8 +64,10 @@ help: FORCE
> # override variables from rules.mk
> PACKAGE_DIR:=$(TOPDIR)/packages
> LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst
> /,$(space),$(TARGET_DIR))))$(DL_DIR)
> +export OPKG_KEYS:=$(TOPDIR)/keys
> OPKG:=$(call opkg,$(TARGET_DIR)) \
> -f $(TOPDIR)/repositories.conf \
> + --verify-program $(SCRIPT_DIR)/opkg-key \
> --cache $(DL_DIR) \
> --lists-dir $(LISTS_DIR)
>  
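
Review bot: `export OPKG_KEYS:=$(TOPDIR)/keys` and `--verify-program $(SCRIPT_DIR)/opkg-key` are added without any condition, but the keys folder and `scripts/opkg-key` are only installed when `CONFIG_SIGNATURE_CHECK` is set in target/imagebuilder/Makefile. In an ImageBuilder built without that option, `opkg` is pointed at a verify program and key directory that do not exist. Consider adding these two lines only when `$(SCRIPT_DIR)/opkg-key` is present, for example behind a `$(wildcard ...)` test.
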
> --
> 2.25.1
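
As an added example (not part of the original post or of OpenWrt's code), the script below audits a `repositories.conf` of the shape this patch generates and reports which feeds would be accepted without a signature check. It assumes `src/trusted` has the meaning given in the commit message; the function names, the sample file and its URL are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ImageBuilder repositories.conf for feeds that opkg
# would accept without a usign signature check.
# Assumption: 'src/trusted' means what this patch proposes (skip verification
# for that feed only).

# audit_repoconf FILE
# Prints "VERIFIED <feed>" or "UNVERIFIED <feed> (<reason>)" for every feed.
# Returns 0 when every feed is verified, 1 otherwise.
audit_repoconf() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        $1 == "option" && $2 == "check_signature" { check = 1; next }
        $1 == "src/trusted" { n++; name[n] = $2; trusted[n] = 1; next }
        $1 == "src" || $1 == "src/gz" { n++; name[n] = $2; next }
        END {
            # Decide in END: the option line may follow the feed lines.
            for (i = 1; i <= n; i++) {
                if (!check) {
                    print "UNVERIFIED " name[i] " (check_signature not set)"; bad++
                } else if (trusted[i]) {
                    print "UNVERIFIED " name[i] " (src/trusted)"; bad++
                } else {
                    print "VERIFIED " name[i]
                }
            }
            exit (bad > 0)
        }
    ' "$1"
}

# write_sample FILE: constructed sample in the shape this patch generates.
write_sample() {
    cat > "$1" <<'EOF'
## Remote package repositories (constructed URL)
src/gz openwrt_core https://downloads.example.org/targets/x86/64/packages

## This is the local package repository, do not remove!
src/trusted imagebuilder file:packages

option check_signature
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_repoconf "$sample" || echo "at least one feed bypasses signature verification"
rm -f "$sample"
```
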
