install_find_pkgs(): Install root key

1 files changed, 30 insertions, 1 deletions

diff --git a/src/install.sh b/src/install.sh
index 8b5291b..246240f 100644
--- a/src/install.sh
+++ b/src/install.sh
@@ -85,6 +85,27 @@ install_system()
 	return 0
 }
 
+_usign_fingerprint()
+{
+	local key_data="${1}"
+	local usign=
+
+	if ${in_place} && ${USIGN_EMBEDDED}; then
+		usign="${builddir}/3rdparty/usign/usign"
+	else
+		usign="${USIGN}"
+	fi
+
+	IFS="${LF}"
+	if printf '%s\n' ${key_data} | "${usign}" -F -p -; then
+		unset IFS
+		return 0
+	else
+		unset IFS
+		return 1
+	fi
+}
+
 install_find_pkgs()
 {
 	local mirror="${1}"
@@ -99,6 +120,7 @@ install_find_pkgs()
 	local base_url=
 	local gzip=
 	local cert_url=
+	local root_key=
 	local cert_fd=
 	local dl_func=
 	local pkgs=
@@ -120,14 +142,21 @@ install_find_pkgs()
 	pkgs_fd=${FD}
 
 	if cert_url="$(profile_get_cert_url "${mirror}")"; then
+		# This is a hack to generate a fake certificate with some valid
+		# (but incorrect) key and the mirror-specific certificate URL to
+		# make opkg-cert download and verify the actual certificate.
 		mkdir -p "${root}/etc/opkg/keys/"
+		root_key="$(profile_get_root_key)"
+		printf '%s\n' "${root_key}"
+			>"${root}/etc/opkg/keys/$(_usign_fingerprint \
+				"${root_key}").root"
 		if ! fopen "${root}/etc/opkg/keys/temp.cert"; then
 			return 1
 		fi
 		cert_fd=${FD}
 		printf '%s\n---' "${cert_url}" >&${cert_fd}
 		IFS="${LF}"
-		printf 'K: %s\n' $(profile_get_root_key) >&${cert_fd}
+		printf 'K: %s\n' ${root_key} >&${cert_fd}
 		unset IFS
 		printf '---' >&${cert_fd}
 		fclose ${cert_fd}