Added option to sign ipkg-repository

ipkg-repository can now be signed using openssl. A signature for the
Packages file is created and stored in Packages.sig. On the target, opkg
can be configured to enforce verification of the Packages file (which in
turn contains hashes of each ipk file) by using an /etc/opkg/opkg.conf similar
to the following:
src myrepo http://server/ipkg-repository/mydistro/dists/mydistro-3
option check_signature
option signature_ca_path /var/keys
option signature_ca_file /var/keys/selfsigned.crt

Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>

6 files changed, 78 insertions, 0 deletions

diff --git a/generic/etc/opkg/opkg.conf b/generic/etc/opkg/opkg.conf
index e9c75c10b..91730123c 100644
--- a/generic/etc/opkg/opkg.conf
+++ b/generic/etc/opkg/opkg.conf
@@ -10,3 +10,7 @@ dest	root	/
 arch	@ARCH@	10
 arch	all	1
 arch	noarch	1
+
+@CHECKSIG@
+@CAPATH@
+@CAFILE@
diff --git a/platforms/image_ipkg.in b/platforms/image_ipkg.in
index caafb240a..20d01cc2a 100644
--- a/platforms/image_ipkg.in
+++ b/platforms/image_ipkg.in
@@ -24,6 +24,34 @@ config IMAGE_IPKG_FORCED_PUSH
 	  If this option is checked, this is done by default. This
 	  is most useful for development purposes.
 
+menuconfig IMAGE_IPKG_SIGN_OPENSSL
+	depends on IMAGE_IPKG_PUSH_TO_REPOSITORY
+	bool
+	select HOST_OPENSSL
+	prompt "sign ipkg-repository with openssl"
+	help
+	  Use openssl to to sign the Packages file in the package
+	  repository.
+
+
+if IMAGE_IPKG_SIGN_OPENSSL
+
+config IMAGE_IPKG_SIGN_OPENSSL_SIGNER
+	string
+	default ""
+	prompt "signer certificate file"
+	help
+	  signer certificate file to pass to openssl for signing.
+
+config IMAGE_IPKG_SIGN_OPENSSL_KEY
+	string
+	default ""
+	prompt "private key file"
+	help
+	  private key file to pass to openssl.
+
+endif
+
 config IMAGE_INSTALL_FROM_IPKG_REPOSITORY
 	bool
 	select IMAGE_IPKG_PUSH_TO_REPOSITORY
diff --git a/rules/opkg.in b/rules/opkg.in
index e6542a060..cc45f755f 100644
--- a/rules/opkg.in
+++ b/rules/opkg.in
@@ -85,6 +85,17 @@ config OPKG_OPKG_CONF_URL
 
 	  If you don't want to use this feature, keep the whole entry empty.
 
+config OPKG_OPKG_CONF_CHECKSIG
+	bool
+	prompt "enable repository signature checking"
+	depends on OPKG_OPENSSL
+	help
+	  Set the following options in opkg.conf:
+	     option check_signature 1
+	     option signature_ca_path /etc/ssl/certs
+	     option signature_ca_file /etc/ssl/certs/opkg.crt
+	
+	  Repository will only be used if it's signature can be validated.
 endif
 
 endif
diff --git a/rules/opkg.make b/rules/opkg.make
index 68a0ab3c9..982215697 100644
--- a/rules/opkg.make
+++ b/rules/opkg.make
@@ -96,12 +96,31 @@ endif
 
 	@$(call install_lib,  opkg, 0, 0, 0644, libopkg)
 
+ifdef PTXCONF_IMAGE_IPKG_SIGN_OPENSSL
+	@$(call install_copy, opkg, 0, 0, 0644, $(PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_SIGNER), /etc/ssl/certs/opkg.crt)
+endif
+
 ifdef PTXCONF_OPKG_OPKG_CONF
 	@$(call install_alternative, opkg, 0, 0, 0644, /etc/opkg/opkg.conf)
 	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @SRC@, \
 		$(PTXCONF_OPKG_OPKG_CONF_URL))
 	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @ARCH@, \
 		$(PTXDIST_IPKG_ARCH_STRING))
+ifdef PTXCONF_OPKG_OPKG_CONF_CHECKSIG
+	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @CHECKSIG@, \
+		"option check_signature 1")
+	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @CAPATH@, \
+		"option signature_ca_path /etc/ssl/certs")
+	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @CAFILE@, \
+		"option signature_ca_file /etc/ssl/certs/opkg.crt")
+else
+	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @CHECKSIG@, \
+		"option check_signature 0")
+	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @CAPATH@, \
+		"#option signature_ca_path /etc/ssl/certs")
+	@$(call install_replace, opkg, /etc/opkg/opkg.conf, @CAFILE@, \
+		"#option signature_ca_file /etc/ssl/certs/opkg.crt")
+endif
 endif
 
 	@$(call install_finish, opkg)
diff --git a/rules/post/image_ipkg.make b/rules/post/image_ipkg.make
index 9d71bea74..8a309854e 100644
--- a/rules/post/image_ipkg.make
+++ b/rules/post/image_ipkg.make
@@ -27,6 +27,19 @@ endif
 		--dist     $(call remove_quotes,$(PTXCONF_PROJECT)$(PTXCONF_PROJECT_VERSION)) \
 		--type     $(PTXCONF_HOST_PACKAGE_MANAGEMENT)
 	@echo "ipkg-repository updated"
+ifdef PTXCONF_IMAGE_IPKG_SIGN_OPENSSL
+	@echo "signing Packages..."
+	openssl smime -sign \
+		-in $(PTXCONF_SETUP_IPKG_REPOSITORY)/$(PTXCONF_PROJECT)/dists/$(PTXCONF_PROJECT)$(PTXCONF_PROJECT_VERSION)/Packages \
+		-text -binary \
+		-signer $(PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_SIGNER) \
+		-inkey $(PTXCONF_IMAGE_IPKG_SIGN_OPENSSL_KEY) | \
+		(echo -----BEGIN PKCS7----- ; \
+		sed -e '1,/^Content-Disposition:/d;/^-----/d;/^$$/d'; \
+		echo -----END PKCS7-----) > \
+		$(PTXCONF_SETUP_IPKG_REPOSITORY)/$(PTXCONF_PROJECT)/dists/$(PTXCONF_PROJECT)$(PTXCONF_PROJECT_VERSION)/Packages.sig
+	@echo "Packages.sig created"
+endif
 	@touch $@
 
 
diff --git a/scripts/lib/ptxd_make_image_prepare_work_dir.sh b/scripts/lib/ptxd_make_image_prepare_work_dir.sh
index d8f7b1d31..eb2292723 100644
--- a/scripts/lib/ptxd_make_image_prepare_work_dir.sh
+++ b/scripts/lib/ptxd_make_image_prepare_work_dir.sh
@@ -57,6 +57,9 @@ ${list[*]}
 
     ARCH="${PTXDIST_IPKG_ARCH_STRING}" \
     SRC="" \
+    CHECKSIG="" \
+    CAPATH="" \
+    CAFILE="" \
 	ptxd_replace_magic "${ptxd_reply}" >> "${xpkg_conf}" &&
 
     DESTDIR="${image_work_dir}" \