build: sign our mtree set files for later verification
Right now we trust the mtree file since we can't guarantee consistency after unpack. This way we will be able to warn on unsigned mtree file or when the signature is wrong meaning somebody meddled with the mtree file. Should work for both base and kernel. PR: https://github.com/opnsense/core/issues/3473
This commit is contained in:
parent
b482622e80
commit
1be9ee13c0
|
@ -73,7 +73,7 @@ BASE_SET=${SETSDIR}/base-${REPO_VERSION}-${PRODUCT_ARCH}${PRODUCT_DEVICE+"-${PRO
|
|||
|
||||
setup_set ${STAGEDIR}/work ${BASE_OBJ}
|
||||
|
||||
# XXX needs to be in obsolete file list for control purposes
|
||||
# needs to be in obsolete file list for control purposes
|
||||
mkdir -p ${STAGEDIR}/work/usr/local/opnsense/version
|
||||
touch ${STAGEDIR}/work/usr/local/opnsense/version/base
|
||||
touch ${STAGEDIR}/work/usr/local/opnsense/version/base.arch
|
||||
|
|
|
@ -541,6 +541,9 @@ setup_version()
|
|||
chmod 600 ${VERSIONDIR}/${3}.mtree
|
||||
rm ${1}/mtree.exclude
|
||||
|
||||
# generate a signature for mtree if possible
|
||||
generate_signature ${VERSIONDIR}/${3}.mtree
|
||||
|
||||
# for testing, custom builds, etc.
|
||||
#touch ${VERSIONDIR}/${3}.lock
|
||||
}
|
||||
|
|
|
@ -36,8 +36,8 @@ setup_stage ${STAGEDIR}
|
|||
BASE_SET=$(find ${SETSDIR} -name "base-*-${PRODUCT_ARCH}${PRODUCT_DEVICE+"-${PRODUCT_DEVICE}"}.txz")
|
||||
BASE_OBSOLETE=/usr/local/opnsense/version/base.obsolete
|
||||
|
||||
tar -tf ${BASE_SET} | sed -e 's/^\.//g' -e '/\/$/d' | sort > \
|
||||
${CONFIGDIR}/plist.base.${PRODUCT_ARCH}
|
||||
tar -tf ${BASE_SET} | sed -e 's/^\.//g' -e '/\/$/d' | \
|
||||
grep -v '\.mtree\.sig$' | sort > ${CONFIGDIR}/plist.base.${PRODUCT_ARCH}
|
||||
|
||||
tar -C ${STAGEDIR} -xf ${BASE_SET} .${BASE_OBSOLETE}
|
||||
cp ${STAGEDIR}${BASE_OBSOLETE} ${CONFIGDIR}/plist.obsolete.${PRODUCT_ARCH}
|
||||
|
|
Loading…
Reference in New Issue