config: add build config option to sign each .apk packageHEADmaster

Add a build config option to sign each individual .apk package.

If individual .apk files are signed with the build key, they can be
installed with 'apk add' without '--allow-untrusted' to a firmware
compiled by the same buildhost.

Enable the option by default, but disable it for BUILDBOT.

(At the moment, since commit 084697e, only the package index is signed,
which forces users to use '--allow-untrusted' when installing
self-built .apk files.)

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

2 files changed, 11 insertions, 0 deletions

diff --git a/config/Config-build.in b/config/Config-build.in
index b42fb8bc11..90fe2e5c43 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -73,6 +73,16 @@ menu "Global build settings"
 		bool "Use APK instead of OPKG to build distribution"
 		default y
 
+	config SIGN_EACH_PACKAGE
+		bool "Cryptographically sign each package .apk file"
+		depends on USE_APK
+		default n if BUILDBOT
+		default y
+		help
+		  Sign also the individual package .apk file. Removes the need for
+		  --allow-untrusted when installing self-compiled packages to a
+		  firmware compiled by the same buildhost as public key matches.
+
 	comment "General build options"
 
 	config TESTING_KERNEL
diff --git a/include/package-pack.mk b/include/package-pack.mk
index 23bee526a7..f0a5682df9 100644
--- a/include/package-pack.mk
+++ b/include/package-pack.mk
@@ -605,6 +605,7 @@ else
 	  $$(APK_SCRIPTS_$(1)) \
 	  --info "depends:$$(foreach depends,$$(subst $$(comma),$$(space),$$(subst $$(space),,$$(subst $$(paren_right),,$$(subst $$(paren_left),,$$(Package/$(1)/DEPENDS))))),$$(depends))" \
 	  --files "$$(IDIR_$(1))" \
+	  $(if $(CONFIG_SIGN_EACH_PACKAGE),--sign $(BUILD_KEY_APK_SEC),) \
 	  --output "$$(PACK_$(1))"
 endif