From: Paul Spooren
Date: Tue, 24 Sep 2019 22:32:56 +0000 (-1000)
Subject: build: add script to sign packages
X-Git-Tag: v21.02.0-rc1~4757
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=2ae5100d707057c29ed2ebdd0ae31b50a333f95b;p=openwrt%2Fopenwrt.git

build: add script to sign packages

This script allows image signing independent of the actual build process, to run on a master server after receiving freshly baked images. Idea is to avoid storing private keys on third party builders while still being able to sign packages.

Run ./scripts/sign_images.sh with the following env vars:

* TOP_DIR where to search for sysupgrade.bin images
* BUILD_KEY place of key-build{,.pub,.ucert}
* REMOVE_OTHER_SIGNATURES removes signatures added by e.g. buildbots

Only sysupgrade.bin files are touched as factory.bin signatures wouldn't be evaluated on stock from.

Signed-off-by: Paul Spooren
---
diff --git a/scripts/sign_images.sh b/scripts/sign_images.sh new file mode 100755 index 0000000000..c41b21e091 --- /dev/null +++ b/scripts/sign_images.sh
@@ -0,0 +1,27 @@ +#!/bin/sh + +# directory where search for images +TOP_DIR="${TOP_DIR:-./bin/targets}" +# key to sign images +BUILD_KEY="${BUILD_KEY:-key-build}" # TODO unifiy naming? +# remove other signatures (added e.g. by buildbot) +REMOVE_OTER_SIGNATURES="${REMOVE_OTER_SIGNATURES:-1}" + +# find all sysupgrade images in TOP_DIR +# factory images don't need signatures as non OpenWrt system doen't check them anyway +for image in $(find $TOP_DIR -type f -name "*-sysupgrade.bin"); do + # check if image actually support metadata + if fwtool -i /dev/null "$image"; then + # remove all previous signatures + if [ -n "$REMOVE_OTER_SIGNATURES" ]; then + while [ "$?" = 0 ]; do + fwtool -t -s /dev/null "$image" + done + fi + # run same operation as build root does for signing + cp "$BUILD_KEY.ucert" "$image.ucert" + usign -S -m "$image" -s "$BUILD_KEY" -x "$image.sig" + ucert -A -c "$image.ucert" -x "$image.sig" + fwtool -S "$image.ucert" "$image" + fi +done
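Review bot: the switch for stripping signatures is spelled `REMOVE_OTER_SIGNATURES` everywhere in the script, while the commit message documents `REMOVE_OTHER_SIGNATURES`, so setting the documented variable has no effect. Even with the name corrected it cannot be turned off: `${...:-1}` replaces an empty value with 1 as well as an unset one, so `[ -n ... ]` is always true. Rename the variable and test the value explicitly, for example `[ "$REMOVE_OTHER_SIGNATURES" = 1 ]`. In the same block, `while [ "$?" = 0 ]` starts from the exit status left by the preceding `[ -n ... ]` test rather than from an `fwtool` call; `while fwtool -t -s /dev/null "$image"; do :; done` says the same thing without depending on that. The four signing steps are not checked, so a failed `cp`, `usign` or `ucert` (missing key, missing `$BUILD_KEY.ucert`) still reaches `fwtool -S` after the earlier signatures are already gone; chain them with `&&` or abort on the first error. Finally, `$(find $TOP_DIR ...)` is unquoted and word-split, so a path containing whitespace breaks the loop; quote `"$TOP_DIR"` and read the `find` output line by line.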