build: sign uncompressed images instead of compressed ones; closes #386

Best of both worlds: let the checksums be a quick way to verify the download but offer full integrity using the signatures for the uncompressed images in case the uncompress is buggy.
2023-11-20 11:08:37 +01:00 · 2023-11-20 11:08:37 +01:00 · 86c0bd3fcc
parent 57711c6b20
commit 86c0bd3fcc
9 changed files with 16 additions and 10 deletions
--- a/build/arm.sh
+++ b/build/arm.sh
@ -111,3 +111,5 @@ arm_unmount
 mdconfig -d -u ${DEV}

 echo "done"
+
+sign_image ${ARMIMG}
--- a/build/common.sh
+++ b/build/common.sh
@ -694,12 +694,12 @@ sign_image()
 	fi

 	if [ ! -f "${1}".sig ]; then
-		echo -n ">>> Creating ${PRODUCT_SETTINGS} signature for ${1}: "
+		echo -n ">>> Creating ${PRODUCT_SETTINGS} signature for $(basename ${1}): "

 		openssl dgst -sha256 -sign "${PRODUCT_PRIVKEY}" "${1}" | \
 		    openssl base64 > "${1}".sig
 	else
-		echo -n ">>> Retaining ${PRODUCT_SETTINGS} signature for ${1}: "
+		echo -n ">>> Retaining ${PRODUCT_SETTINGS} signature for $(basename ${1}): "
 	fi

 	openssl base64 -d -in "${1}".sig > "${1}.sig.tmp"
--- a/build/compress.sh
+++ b/build/compress.sh
@ -39,8 +39,6 @@ for ARG in ${@}; do
 			echo -n ">>> Compressing ${ARG} image... "
 			bzip2 ${IMAGE}
 			echo "done"
-
-			sign_image ${IMAGE}.bz2
 		done
 		;;
 	esac
--- a/build/dvd.sh
+++ b/build/dvd.sh
@ -33,7 +33,7 @@ SELF=dvd

 check_image ${SELF} ${@}

-DVDIMAGE="${IMAGESDIR}/${PRODUCT_RELEASE}-dvd-${PRODUCT_ARCH}.iso"
+DVDIMG="${IMAGESDIR}/${PRODUCT_RELEASE}-dvd-${PRODUCT_ARCH}.iso"
 DVDLABEL=$(echo "${PRODUCT_NAME}_Install" | tr '[:lower:]' '[:upper:]')

 sh ./clean.sh ${SELF}
@ -66,6 +66,8 @@ echo -n ">>> Building dvd image... "

 makefs -t cd9660 \
    -o 'bootimage=i386;'"${STAGEDIR}"'/work/boot/cdboot' -o no-emul-boot \
-    ${UEFIBOOT} -o label=${DVDLABEL} -o rockridge ${DVDIMAGE} ${STAGEDIR}/work
+    ${UEFIBOOT} -o label=${DVDLABEL} -o rockridge ${DVDIMG} ${STAGEDIR}/work

 echo "done"
+
+sign_image ${DVDIMG}
--- a/build/nano.sh
+++ b/build/nano.sh
@ -66,3 +66,5 @@ gpart create -s BSD ${DEV}
 gpart bootcode -b ${STAGEDIR}/boot/boot ${DEV}
 gpart add -t freebsd-ufs ${DEV}
 mdconfig -d -u ${DEV}
+
+sign_image ${NANOIMG}
--- a/build/release.sh
+++ b/build/release.sh
@ -76,10 +76,6 @@ if [ -f "${PRODUCT_PRIVKEY}" ]; then
 	    "${STAGEDIR}/${PRODUCT_NAME}${PRODUCT_SUFFIX}-${PRODUCT_SETTINGS}.pub"
 fi

-for IMAGE in $(find ${STAGEDIR} -type f \! -name "*.sig"); do
-	sign_image ${IMAGE}
-done
-
 echo -n ">>> Bundling images for ${PRODUCT_RELEASE}... "
 tar -C ${STAGEDIR} -cf ${RELEASESET} .
 echo "done"
--- a/build/serial.sh
+++ b/build/serial.sh
@ -73,3 +73,5 @@ echo -n ">>> Building serial image... "
    -p freebsd-boot:=work/boot/gptboot ${GPTDUMMY} -p freebsd-ufs:=root.part)

 echo "done"
+
+sign_image ${SERIALIMG}
--- a/build/vga.sh
+++ b/build/vga.sh
@ -72,3 +72,5 @@ echo -n ">>> Building vga image... "
    -p freebsd-boot:=work/boot/gptboot ${GPTDUMMY} -p freebsd-ufs:=root.part)

 echo "done"
+
+sign_image ${VGAIMG}
--- a/build/vm.sh
+++ b/build/vm.sh
@ -190,3 +190,5 @@ echo -n ">>> Building vm image... "
    -p freebsd-${ROOTFS}:=${VMBASE})

 echo "done"
+
+sign_image ${VMIMG}