build/verify: add verification support for signatures
parent
2cfd8ae371
commit
deb4472a22
3
Makefile
|
@ -1,6 +1,7 @@
|
|||
STEPS= base boot cdrom chroot clean core distfiles \
|
||||
kernel nano plugins ports prefetch print rebase \
|
||||
release rename serial sign skim test vga vm xtools
|
||||
release rename serial sign skim test verify vga \
|
||||
vm xtools
|
||||
.PHONY: ${STEPS}
|
||||
|
||||
PAGER?= less
|
||||
|
|
14
README.md
|
@ -200,15 +200,21 @@ Core packages (pristine copies) can be batch-built using:
|
|||
|
||||
# make core-<repo_branch_or_tag>[,...]
|
||||
|
||||
Package sets (may be signed depending on whether the key is
|
||||
found under /root) ready for web server deployment are automatically
|
||||
generated and modified by ports.sh and core.sh.
|
||||
Package sets ready for web server deployment are automatically
|
||||
generated and modified by ports.sh, plugins.sh and core.sh.
|
||||
If signing keys are available, the packages set will be signed
|
||||
twice, first embedded into repository metadata (inside) and
|
||||
then again as a flat file (outside) to ensure integrity.
|
||||
|
||||
Signing for all sets can be redone or applied to a previous run
|
||||
that did not sign by invoking:
|
||||
|
||||
# make sign
|
||||
|
||||
A verification of all available set signatures is done via:
|
||||
|
||||
# make verify
|
||||
|
||||
Virtual machine images come in varying disk formats and sizes.
|
||||
The default format is vmdk with 20G and 1G swap. If you want
|
||||
to change that you can manually alter the invoke using:
|
||||
|
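Review bot: The new `make verify` paragraph does not say which of the two signatures it checks. The text just above describes an inside signature embedded in repository metadata and an outside flat-file signature, while the verify script added in this commit only iterates over `*.sig` files, so it reads as covering the outside signature only; state that explicitly. The reworded paragraph also drops the earlier hint that the key is looked up under /root, so "If signing keys are available" should say where they are expected. Minor: "the packages set" should read "the package sets".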
@ -293,7 +299,7 @@ Should it not fit your needs, you can change the name using:
|
|||
|
||||
# make rename-<set>[,<another_set>] VERSION=<new_name>
|
||||
|
||||
The available targets are: base and kernel.
|
||||
The available targets are: base, kernel and package.
|
||||
|
||||
Last but not least, in case build variables needs to be inspected,
|
||||
they can be printed selectively using:
|
||||
|
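Review bot: The `package` target added in "The available targets are: base, kernel and package." is unrelated to signature verification, and nothing else visible in this commit touches renaming. Move this line to the commit that introduced the target, or mention it in the commit message so the history stays searchable.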
|
|
@ -0,0 +1,49 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 2016 Franco Fichtner <franco@opnsense.org>
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
#
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
#
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
|
||||
set -e
|
||||
|
||||
SELF=verify
|
||||
|
||||
. ./common.sh && $(${SCRUB_ARGS})
|
||||
|
||||
setup_stage ${STAGEDIR}
|
||||
setup_base ${STAGEDIR}
|
||||
setup_chroot ${STAGEDIR}
|
||||
|
||||
extract_packages ${STAGEDIR}
|
||||
install_packages ${STAGEDIR} ${PRODUCT_PKGNAME}
|
||||
|
||||
mkdir -p ${STAGEDIR}${SETSDIR}
|
||||
cp ${SETSDIR}/* ${STAGEDIR}${SETSDIR}
|
||||
|
||||
for FILE in $(find ${SETSDIR} -name "*.sig"); do
|
||||
chroot ${STAGEDIR} /bin/sh -es <<EOF
|
||||
echo ">>> Verifying ${FILE%%.sig}:"
|
||||
opnsense-verify ${FILE%%.sig}
|
||||
EOF
|
||||
done
|
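Review bot: The loop `for FILE in $(find ${SETSDIR} -name "*.sig")` passes silently when no `.sig` file exists, so a run that never signed anything exits 0 and looks verified. Count the signatures found and fail (or at least warn) when the count is zero or when a set has no matching `.sig`. Two further points on the same loop: `find` walks the host `${SETSDIR}` recursively while `cp ${SETSDIR}/*` copies only the top level into the stage, so a signature found in a subdirectory would be checked against a file that is not present in the chroot; and the unquoted `<<EOF` heredoc expands `${FILE%%.sig}` in the outer shell and splices it into the script text, so a file name containing whitespace or shell metacharacters is word-split or interpreted by the inner `/bin/sh`. Quoting the expansions and passing the path to the chroot command as an argument would avoid that.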