* [Buildroot] [PATCH 1/1] package/opkg: enable openssl signature
@ 2022-04-13  7:31 Andreï V. FOMITCHEV-HERVIEU
  2022-04-13 21:08 ` Thomas Petazzoni via buildroot
  0 siblings, 1 reply; 3+ messages in thread
From: Andreï V. FOMITCHEV-HERVIEU @ 2022-04-13  7:31 UTC (permalink / raw)
  To: buildroot; +Cc: Andreï V. FOMITCHEV-HERVIEU

OPKG supports either GPG or OpenSSL signature check. It is already possible
to enable in buildroot the check of GPG signatures. This patch adds similar
configuration to enable the OpenSSL signature checks.

Signed-off-by: Andreï V. FOMITCHEV-HERVIEU <andrei.fomitchevhervieu@getinge.com>
Change-Id: Id2c76b3cb39ba5eed5bd0bef7648f7970033b87b
---
 package/opkg/Config.in | 12 ++++++++++++
 package/opkg/opkg.mk   |  2 ++
 2 files changed, 14 insertions(+)

diff --git a/package/opkg/Config.in b/package/opkg/Config.in
index 1f6a39343f..2e3f9fca3e 100644
--- a/package/opkg/Config.in
+++ b/package/opkg/Config.in
@@ -29,5 +29,17 @@ config BR2_PACKAGE_OPKG_GPG_SIGN
 	help
 	  Enable opkg package signature checking support using
 	  gnupg/libgpgme.
+config BR2_PACKAGE_OPKG_OPENSSL_SIGN
+	bool "openssl support"
+	select BR2_PACKAGE_OPENSSL
+	select BR2_PACKAGE_LIBOPENSSL_ENGINES
+	help
+	  Enable opkg package signature checking support using
+	  openssl. Example of openssl command to generate opkg
+	  signature
+	  openssl smime -sign -in Packages -inkey private.key
+	  -signer public.pem -binary -outform PEM --nodetach
+	   -out Packages.sig
+	  Where Packages is the file to sign 
 
 endif
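
Review bot: The new BR2_PACKAGE_OPKG_OPENSSL_SIGN entry has nothing that keeps it from being enabled together with BR2_PACKAGE_OPKG_GPG_SIGN, although the commit message describes the two checks as either/or; a "depends on !BR2_PACKAGE_OPKG_GPG_SIGN" (or a choice between the two) would make that explicit. The entry also starts directly after the previous help text with no separating blank line, and the example in its help text is hard to read: the command is not set off from the surrounding prose, "--nodetach" uses a double dash where every other option uses a single one, the "-out Packages.sig" continuation line has an extra leading space, and the last help line ends in trailing whitespace. The prompt "openssl support" would be clearer if it said that it is about signature checking.
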
diff --git a/package/opkg/opkg.mk b/package/opkg/opkg.mk
index 501edcf8af..583744ec93 100644
--- a/package/opkg/opkg.mk
+++ b/package/opkg/opkg.mk
@@ -23,6 +23,8 @@ OPKG_CONF_ENV += \
 	ac_cv_path_GPGME_CONFIG=$(STAGING_DIR)/usr/bin/gpgme-config \
 	ac_cv_path_GPGERR_CONFIG=$(STAGING_DIR)/usr/bin/gpg-error-config
 OPKG_DEPENDENCIES += libgpgme libgpg-error
+else ifeq ($(BR2_PACKAGE_OPKG_OPENSSL_SIGN),y)
+OPKG_CONF_OPTS += --disable-gpg --enable-openssl
 else
 OPKG_CONF_OPTS += --disable-gpg
 endif
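
Review bot: The new "else ifeq ($(BR2_PACKAGE_OPKG_OPENSSL_SIGN),y)" branch passes --enable-openssl but does not add openssl to OPKG_DEPENDENCIES, whereas the GPG branch just above adds "libgpgme libgpg-error"; without it, nothing in this file orders the openssl build before opkg's configure step. Adding "OPKG_DEPENDENCIES += openssl" to the branch would fix that. Because the branch hangs off the GPG condition as an else, OpenSSL checking is also silently dropped when both options are set, which is worth either documenting or preventing in Config.in. The final else branch passes only --disable-gpg; adding --disable-openssl there would keep the configure result explicit when neither option is selected.
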
-- 
2.25.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH 1/1] package/opkg: enable openssl signature
  2022-04-13  7:31 [Buildroot] [PATCH 1/1] package/opkg: enable openssl signature Andreï V. FOMITCHEV-HERVIEU
@ 2022-04-13 21:08 ` Thomas Petazzoni via buildroot
  2022-04-14  5:53   ` [Buildroot] [EXT] " Andrei FOMITCHEV HERVIEU
  0 siblings, 1 reply; 3+ messages in thread
From: Thomas Petazzoni via buildroot @ 2022-04-13 21:08 UTC (permalink / raw)
  To: Andreï V. FOMITCHEV-HERVIEU; +Cc: buildroot

Hello Andreï,

On Wed, 13 Apr 2022 09:31:19 +0200
Andreï V. FOMITCHEV-HERVIEU <andrei.fomitchevhervieu@getinge.com> wrote:

> OPKG supports either GPG or OpenSSL signature check. It is already possible
> to enable in buildroot the check of GPG signatures. This patch adds similar
> configuration to enable the OpenSSL signature checks.
> 
> Signed-off-by: Andreï V. FOMITCHEV-HERVIEU <andrei.fomitchevhervieu@getinge.com>
> Change-Id: Id2c76b3cb39ba5eed5bd0bef7648f7970033b87b

Nice to see you here, thanks for the contribution!

However, are you sure it makes sense to support this and use this?
Indeed, opkg has deprecated the usage of openssl for signature. From
opkg's configure.ac:

  AC_MSG_WARN(OpenSSL signature-checking support is depracted and will be \
removed in future releases. Consider using GPGME (--enable-gpg) instead.)

So, is it really sensible to support this?

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com

* Re: [Buildroot] [EXT] Re: [PATCH 1/1] package/opkg: enable openssl signature
  2022-04-13 21:08 ` Thomas Petazzoni via buildroot
@ 2022-04-14  5:53   ` Andrei FOMITCHEV HERVIEU
  0 siblings, 0 replies; 3+ messages in thread
From: Andrei FOMITCHEV HERVIEU @ 2022-04-14  5:53 UTC (permalink / raw)
  To: Thomas Petazzoni; +Cc: buildroot

Hello Thomas,

Thank you for the point. Maybe you remember, I (still) use the version 2021.02 of buildroot and this version integrates the version 0.4.2 of OPKG. The quoted comment in OPKG sources was introduced in v0.4.5 and the reason is "relatively unused feature" of OpenSSL signatures (https://groups.google.com/g/opkg-devel/c/drqw5_HuXuU).
So I agree, the OPKG project's plans make my patch to buildroot useless.

Best regards
