From 6295cab05416b762cb9daeb35de67798a37e03ca Mon Sep 17 00:00:00 2001 From: Patrick McDermott Date: Tue, 16 Apr 2019 22:25:11 -0400 Subject: install_find_pkgs(): Install root key --- diff --git a/src/install.sh b/src/install.sh index 8b5291b..246240f 100644 --- a/src/install.sh +++ b/src/install.sh @@ -85,6 +85,27 @@ install_system() return 0 } +_usign_fingerprint() +{ + local key_data="${1}" + local usign= + + if ${in_place} && ${USIGN_EMBEDDED}; then + usign="${builddir}/3rdparty/usign/usign" + else + usign="${USIGN}" + fi + + IFS="${LF}" + if printf '%s\n' ${key_data} | "${usign}" -F -p -; then + unset IFS + return 0 + else + unset IFS + return 1 + fi +} + install_find_pkgs() { local mirror="${1}" @@ -99,6 +120,7 @@ install_find_pkgs() local base_url= local gzip= local cert_url= + local root_key= local cert_fd= local dl_func= local pkgs= @@ -120,14 +142,21 @@ install_find_pkgs() pkgs_fd=${FD} if cert_url="$(profile_get_cert_url "${mirror}")"; then + # This is a hack to generate a fake certificate with some valid + # (but incorrect) key and the mirror-specific certificate URL to + # make opkg-cert download and verify the actual certificate. mkdir -p "${root}/etc/opkg/keys/" + root_key="$(profile_get_root_key)" + printf '%s\n' "${root_key}" + >"${root}/etc/opkg/keys/$(_usign_fingerprint \ + "${root_key}").root" if ! fopen "${root}/etc/opkg/keys/temp.cert"; then return 1 fi cert_fd=${FD} printf '%s\n---' "${cert_url}" >&${cert_fd} IFS="${LF}" - printf 'K: %s\n' $(profile_get_root_key) >&${cert_fd} + printf 'K: %s\n' ${root_key} >&${cert_fd} unset IFS printf '---' >&${cert_fd} fclose ${cert_fd} -- cgit v0.9.1