authorCarlo Landmeter <clandmeter@alpinelinux.org>2018-07-04 12:39:50 +0000
committerCarlo Landmeter <clandmeter@alpinelinux.org>2018-07-04 12:39:50 +0000
commit7d616a95f043795f240479c2c7d4536534c24654 (patch)
tree2a7f3fde414e8cc427cdc5b9ac9f07f6573ab124
parent52e7525d2212ba662cabb675b7afcd9a7ae68da5 (diff)
downloadalpine-conf-7d616a95f043795f240479c2c7d4536534c24654.tar.bz2
alpine-conf-7d616a95f043795f240479c2c7d4536534c24654.tar.xz
Add support for signed modloop images
-rw-r--r--update-kernel.in28
1 files changed, 26 insertions, 2 deletions
diff --git a/update-kernel.in b/update-kernel.in
index 4267042..ef38793 100644
--- a/update-kernel.in
+++ b/update-kernel.in
@@ -49,6 +49,7 @@ usage() {
-f|--flavor <flavor> Install kernel of specified flavor
-F|--feature <feature> Enable initfs feature
-p|--package <package> Additional module or firmware package
+ -s|--modloopsign Sign modloop with abuild key
-v|--verbose Verbose output
-k|--apk-pubkey <key> Include given key in initramfs
-K|--hostkeys Include host keys in initramfs
@@ -61,8 +62,8 @@ usage() {
}
QUIET_OPT="--quiet"
-OPTS=$(getopt -l arch:,build-dir:,flavor:,feature:,help,package:,verbose,apk-pubkey:,hostkeys,compression:,media,repositories-file: \
- -n $SCRIPT -o a:b:f:F:hp:vk:KC:M -- "$@") || usage 1
+OPTS=$(getopt -l arch:,build-dir:,flavor:,feature:,help,package:,modloopsign,verbose,apk-pubkey:,hostkeys,compression:,media,repositories-file: \
+ -n $SCRIPT -o a:b:f:F:hp:svk:KC:M -- "$@") || usage 1
eval set -- "$OPTS"
while :; do
@@ -91,6 +92,9 @@ while :; do
shift
PACKAGES="$PACKAGES $1"
;;
+ -s|--modloopsign)
+ MODLOOPSIGN=1
+ ;;
-v|--verbose)
QUIET_OPT=
;;
@@ -168,6 +172,21 @@ clean_up() {
rm -fr $TMPDIR
}
+sign_modloop() {
+ local in="$1"
+ local abuild_conf=${ABUILD_CONF:-"/etc/abuild.conf"}
+ local abuild_home=${ABUILD_USERDIR:-"$HOME/.abuild"}
+ local abuild_userconf=${ABUILD_USERCONF:-"$abuild_home/abuild.conf"}
+ [ -f "$abuild_userconf" ] && . "$abuild_userconf"
+ local privkey="$PACKAGER_PRIVKEY"
+ local pubkey=${PACKAGER_PUBKEY:-"${privkey}.pub"}
+ MODLOOPSIG=${in##*/}.SIGN.RSA.${pubkey##*/}
+ echo "Signing: $in"
+ openssl dgst -sha1 -sign "$privkey" \
+ -out "$TMPDIR/$MODLOOPSIG" \
+ "$in"
+}
+
trap clean_up EXIT $SIGNALS
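Review bot: sign_modloop never validates the key it is about to use. `abuild_conf` is assigned but never sourced, so a `PACKAGER_PRIVKEY` defined only in /etc/abuild.conf is not picked up, and an empty or unreadable `$privkey` is handed straight to `openssl dgst -sign`. In that case MODLOOPSIG is still set (its name ends in `.SIGN.RSA..pub`) although no signature file was written, so the function should source both config files and return non-zero before calling openssl. Separately, the digest is `-sha1`; that presumably has to match what the boot-time verifier checks, so a comment stating that constraint would help, and any move to a stronger digest would need to be made on both sides together.
```shell
sign_modloop() {
	local in="$1"
	# … unchanged: abuild_conf / abuild_home / abuild_userconf defaults …
	[ -f "$abuild_conf" ] && . "$abuild_conf"
	[ -f "$abuild_userconf" ] && . "$abuild_userconf"
	local privkey="$PACKAGER_PRIVKEY"
	if [ -z "$privkey" ] || [ ! -r "$privkey" ]; then
		echo "$SCRIPT: PACKAGER_PRIVKEY is not set or not readable" >&2
		return 1
	fi
	# … unchanged: pubkey, MODLOOPSIG, openssl dgst call …
```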
@@ -268,6 +287,11 @@ fi
mksquashfs $MODLOOP "$STAGING/$MODIMG" -comp xz -exit-on-error
+if [ -n "$MODLOOPSIGN" ]; then
+ sign_modloop "$STAGING/$MODIMG"
+ MKINITFS_ARGS="$MKINITFS_ARGS -s $TMPDIR/$MODLOOPSIG"
+fi
+
mkinitfs $MKINITFS_ARGS -q -b $ROOT -F "$features base squashfs" \
-o "$STAGING/initramfs-$FLAVOR" "$KVER"
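Review bot: The exit status of `sign_modloop "$STAGING/$MODIMG"` is not checked here, so unless the script runs under `set -e` (not visible in this hunk) a failed signing still appends `-s $TMPDIR/$MODLOOPSIG` and mkinitfs is given a signature file that does not exist. A user who asked for `--modloopsign` should get a hard failure rather than an image that may end up unsigned: `sign_modloop "$STAGING/$MODIMG" || exit 1`. The guard `[ -n "$MODLOOPSIGN" ]` also reads a variable that the visible hunks only ever set to 1; if it is not initialised elsewhere, a `MODLOOPSIGN` inherited from the environment would switch signing on, so `MODLOOPSIGN=` next to the other defaults would make the option the only trigger.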