build: sign our mtree set files for later verification

Right now we trust the mtree file since we can't guarantee consistency after unpack. This way we will be able to warn on unsigned mtree file or when the signature is wrong meaning somebody meddled with the mtree file. Should work for both base and kernel. PR: https://github.com/opnsense/core/issues/3473
2019-09-25 13:13:37 +02:00 · 2019-09-25 13:13:37 +02:00 · 1be9ee13c0
parent b482622e80
commit 1be9ee13c0
3 changed files with 6 additions and 3 deletions
--- a/build/base.sh
+++ b/build/base.sh
@ -73,7 +73,7 @@ BASE_SET=${SETSDIR}/base-${REPO_VERSION}-${PRODUCT_ARCH}${PRODUCT_DEVICE+"-${PRO

 setup_set ${STAGEDIR}/work ${BASE_OBJ}

-# XXX needs to be in obsolete file list for control purposes
+# needs to be in obsolete file list for control purposes
 mkdir -p ${STAGEDIR}/work/usr/local/opnsense/version
 touch ${STAGEDIR}/work/usr/local/opnsense/version/base
 touch ${STAGEDIR}/work/usr/local/opnsense/version/base.arch
--- a/build/common.sh
+++ b/build/common.sh
@ -541,6 +541,9 @@ setup_version()
 	chmod 600 ${VERSIONDIR}/${3}.mtree
 	rm ${1}/mtree.exclude

+	# generate a signature for mtree if possible
+	generate_signature ${VERSIONDIR}/${3}.mtree
+
 	# for testing, custom builds, etc.
 	#touch ${VERSIONDIR}/${3}.lock
 }
--- a/build/rebase.sh
+++ b/build/rebase.sh
@ -36,8 +36,8 @@ setup_stage ${STAGEDIR}
 BASE_SET=$(find ${SETSDIR} -name "base-*-${PRODUCT_ARCH}${PRODUCT_DEVICE+"-${PRODUCT_DEVICE}"}.txz")
 BASE_OBSOLETE=/usr/local/opnsense/version/base.obsolete

-tar -tf ${BASE_SET} | sed -e 's/^\.//g' -e '/\/$/d' | sort > \
-    ${CONFIGDIR}/plist.base.${PRODUCT_ARCH}
+tar -tf ${BASE_SET} | sed -e 's/^\.//g' -e '/\/$/d' | \
+    grep -v '\.mtree\.sig$' | sort > ${CONFIGDIR}/plist.base.${PRODUCT_ARCH}

 tar -C ${STAGEDIR} -xf ${BASE_SET} .${BASE_OBSOLETE}
 cp ${STAGEDIR}${BASE_OBSOLETE} ${CONFIGDIR}/plist.obsolete.${PRODUCT_ARCH}