From 4a45e69d190f72ed94878487b271ed7651dd9efa Mon Sep 17 00:00:00 2001 From: Paul Spooren Date: Tue, 24 Sep 2019 12:32:54 -1000 Subject: build: separate signing logic This separates the options for signature creation and verification * SIGNED_PACKAGES create Packages.sig * SIGNED_IMAGES add ucert signature to created images * CHECK_SIGNATURE add verification capabilities to images * INSTALL_LOCAL_KEY add local key-build to /etc/opkg/keys Right now the buildbot.git contains some hacks to create images that have signature verification capabilities while not storing private keys on buildbot slaves. This commit allows to disable these steps for the buildbots and only perform signing on the master. Signed-off-by: Paul Spooren --- include/image-commands.mk | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'include') diff --git a/include/image-commands.mk b/include/image-commands.mk index 5dfd6a2c2f..3d10b18bc8 100644 --- a/include/image-commands.mk +++ b/include/image-commands.mk @@ -373,11 +373,14 @@ metadata_json = \ define Build/append-metadata $(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@) - [ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \ - cp "$(BUILD_KEY).ucert" "$@.ucert" ;\ - usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\ - ucert -A -c "$@.ucert" -x "$@.sig" ;\ - fwtool -S "$@.ucert" "$@" ;\ + [ -z "$(SIGNED_IMAGES)" \ + -o ! -s "$(BUILD_KEY)" \ + -o ! -s "$(BUILD_KEY).ucert" \ + -o ! -s "$@" ] || { \ + cp "$(BUILD_KEY).ucert" "$@.ucert" ;\ + usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\ + ucert -A -c "$@.ucert" -x "$@.sig" ;\ + fwtool -S "$@.ucert" "$@" ;\ } endef -- cgit v1.2.3