diff options
author | ticktock35 <ticktock35@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358> | 2009-10-27 08:45:24 (EDT) |
---|---|---|
committer | ticktock35 <ticktock35@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358> | 2009-10-27 08:45:24 (EDT) |
commit | 587f690ff0ba0ec6b91bd4b83fa39305120e8e93 (patch) | |
tree | 0010f679707962e6636b5dd978c696c738af7a4d /libopkg/opkg_cmd.c | |
parent | 29b3b9d76a8d6b9af6d6465a9f501c2e5066bea0 (diff) |
Opkg support for smime (pkcs7) packages list signing
Thanks to Camille Moncelier <moncelier@devlife.org>
http://groups.google.com/group/opkg-devel/browse_thread/thread/6071ce290d5ceb77?utoken=qjR-TC0AAADKDldt5ZXsDDLs9sWCpWZI1zgeariQUwksg5ob1tmaFTCAL7MTcQRO6S85GfHgQ_k
As promised :) here is a patch allowing opkg to authenticate
a package list using smime and openssl instead of gpgme
Example:
Sign a package list:
openssl smime -sign -in /path/to/repo/Packages \
-signer /root/server.pem -binary \
-outform PEM -out /path/to/repo/Packages.sig
Configuration in /etc/opkg/opkg.conf
option check_signature 1
option signature_ca_file /etc/serverCA.pem
option signature_ca_path /path/to/certs/dir
opkg update
Downloading http://repo:8000/Packages
Updated list of available packages in /usr/lib/opkg/lists/angstrom
Downloading http://repo:8000/Packages.sig
Signature check passed
Package list corruption or MIM:
Downloading http://repo:8000/Packages
Updated list of available packages in /usr/lib/opkg/lists/angstrom
Downloading http://repo:8000/Packages.sig
Signature check failed
Collected errors:
* Verification failure
Camille Moncelier
http://devlife.org/
git-svn-id: http://opkg.googlecode.com/svn/trunk@221 e8e0d7a0-c8d9-11dd-a880-a1081c7ac358
Diffstat (limited to 'libopkg/opkg_cmd.c')
-rw-r--r-- | libopkg/opkg_cmd.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/libopkg/opkg_cmd.c b/libopkg/opkg_cmd.c index 6ac847a..4a0410c 100644 --- a/libopkg/opkg_cmd.c +++ b/libopkg/opkg_cmd.c @@ -259,8 +259,7 @@ static int opkg_update_cmd(opkg_conf_t *conf, int argc, char **argv) list_file_name); } free(url); - -#ifdef HAVE_GPGME +#if defined(HAVE_GPGME) || defined(HAVE_OPENSSL) if (conf->check_signature) { /* download detached signitures to verify the package lists */ /* get the url for the sig file */ @@ -273,7 +272,8 @@ static int opkg_update_cmd(opkg_conf_t *conf, int argc, char **argv) /* create temporary file for it */ char *tmp_file_name; - sprintf_alloc (&tmp_file_name, "%s/%s", tmp, "Packages.sig"); + /* Put the signature in the right place */ + sprintf_alloc (&tmp_file_name, "%s/%s.sig", lists_dir, src->name); err = opkg_download(conf, url, tmp_file_name, NULL, NULL); if (err) { @@ -287,7 +287,8 @@ static int opkg_update_cmd(opkg_conf_t *conf, int argc, char **argv) else opkg_message (conf, OPKG_NOTICE, "Signature check failed\n"); } - unlink (tmp_file_name); + /* We shouldn't unlink the signature ! */ + // unlink (tmp_file_name); free (tmp_file_name); free (url); } |