diff --git a/package/base-files/files/etc/uci-defaults/50-root-passwd b/package/base-files/files/etc/uci-defaults/50-root-passwd index 9eddf1559b..f0bb519aec 100644 --- a/package/base-files/files/etc/uci-defaults/50-root-passwd +++ b/package/base-files/files/etc/uci-defaults/50-root-passwd @@ -3,10 +3,16 @@ json_init json_load "$(cat /etc/board.json)" -json_select credentials - json_get_vars root_password_hash root_password_hash - [ -z "$root_password_hash" ] || sed -i "s|^root:[^:]*|root:$root_password_hash|g" /etc/shadow +if json_is_a credentials object; then + json_select credentials + json_get_vars root_password_hash root_password_hash + if [ -n "$root_password_hash" ]; then + sed -i "s|^root:[^:]*|root:$root_password_hash|g" /etc/shadow + fi - json_get_vars root_password_plain root_password_plain - [ -z "$root_password_plain" ] || { (echo "$root_password_plain"; sleep 1; echo "$root_password_plain") | passwd root } -json_select .. + json_get_vars root_password_plain root_password_plain + if [ -n "$root_password_plain" ]; then + (echo "$root_password_plain"; sleep 1; echo "$root_password_plain") | passwd root + fi + json_select .. +fi diff --git a/package/system/apk/Makefile b/package/system/apk/Makefile index 418fcde6b9..1d660b92d4 100644 --- a/package/system/apk/Makefile +++ b/package/system/apk/Makefile @@ -5,9 +5,9 @@ PKG_RELEASE:=1 PKG_SOURCE_URL=https://gitlab.alpinelinux.org/alpine/apk-tools.git PKG_SOURCE_PROTO:=git -PKG_SOURCE_DATE:=2024-11-08 -PKG_SOURCE_VERSION:=d9c24813d983df9524fa7a2b78fc3132c159a20f -PKG_MIRROR_HASH:=3d1a79c08ef8c8b9404f9287d9acda6468b8b1c2a99dd384287f522ed3b1a047 +PKG_SOURCE_DATE:=2024-11-13 +PKG_SOURCE_VERSION:=417a93ceae540444fdbd3f76d1dadf0e15621fdc +PKG_MIRROR_HASH:=3888aa506f0ce808cbe0287b98abfb7ba92e68b1eb17516fef4b58068bc72131 PKG_VERSION=3.0.0_pre$(subst -,,$(PKG_SOURCE_DATE)) diff --git a/scripts/download-check-artifact.sh b/scripts/download-check-artifact.sh new file mode 100755 index 0000000000..bc0918b214 
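Review bot: In 50-root-passwd the new `if [ -n "$root_password_plain" ]` branch still feeds the password to `passwd` through `echo`, which on some shells swallows a value such as `-n` or rewrites backslash sequences; `printf '%s\n' "$root_password_plain"` in both places is the portable form. The `sed` replacement also interpolates `$root_password_hash` unescaped, so a value from board.json containing `|`, `&` or `\` would write a malformed `root:` entry to /etc/shadow. A check that rejects characters outside the expected crypt(3) alphabet, or at least a comment stating that assumption, would make this explicit. Whether the plaintext password is removed from /etc/board.json afterwards is not visible in this hunk and is worth confirming.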
--- /dev/null
+++ b/scripts/download-check-artifact.sh
@@ -0,0 +1,159 @@
+#!/usr/bin/env bash
+# Script to perform verified file downloads.
+# Exit codes:
+# 0 - File downloaded successfully and verified
+# 1 - Failed to download requested file
+# 2 - Failed to download sha256sums file
+# 3 - Failed to download sha256sums.gpg file
+# 4 - GnuPG is available but fails to verify the signature (missing pubkey, file integrity error, ...)
+# 5 - The checksums do not match
+# 6 - Unable to copy the requested file to its final destination
+# 254 - The script got interrupted by a signal
+# 255 - A suitable download or checksum utility is missing
+
+[ -n "$1" ] || {
+ echo "$0 - Download and verify build artifacts"
+ echo "Usage: $0 " >&2
+ exit 1
+}
+
+finish() {
+ [ -e "/tmp/verify.$$" ] && {
+ echo "Cleaning up."
+ rm -r "/tmp/verify.$$"
+ }
+ exit "$1"
+}
+
+trap "finish 254" INT TERM
+
+destdir="$(pwd)"
+image_url="$1"
+image_file="${image_url##*/}"
+sha256_url="${image_url%/*}/sha256sums"
+gpgsig_url="${image_url%/*}/sha256sums.asc"
+keyserver_url="hkp://keyserver.ubuntu.com"
+
+# Find a suitable download utility
+if which curl >/dev/null; then
+ download() { curl --progress-bar -o "$1" "$2"; }
+elif which wget >/dev/null; then
+ download() { wget -O "$1" "$2"; }
+elif which fetch >/dev/null; then
+ download() { fetch -o "$1" "$2"; }
+else
+ echo "No suitable download utility found, cannot download files!" >&2
+ finish 255
+fi
+
+# Find a suitable checksum utility
+if which sha256sum >/dev/null; then
+ checksum() { sha256sum -c --ignore-missing "sha256sums"; }
+elif which shasum >/dev/null; then
+ checksum() {
+ local sum
+ sum="$(shasum -a 256 "$image_file")";
+ grep -xF "${sum%% *} *$image_file" "sha256sums";
+ }
+else
+ echo "No SHA256 checksum executable installed, cannot verify checksums!" >&2
+ finish 255
+fi
+
+# Check for gpg availability
+if which gpg >/dev/null; then
+ runpgp() { gpg "$@"; }
+else
+ runpgp() {
+ echo "WARNING: No GnuPG installed, cannot verify digital signature!" >&2
+ return 0
+ }
+fi
+
+tmpdir="$(mktemp -d)"
+cd "$tmpdir" || {
+ echo "Failed to create temporary directory!" >&2
+ finish 255
+}
+
+echo ""
+echo "1) Downloading artifact file"
+echo "========================="
+download "$image_file" "$image_url" || {
+ echo "Failed to download image file!" >&2
+ finish 1
+}
+
+echo ""
+echo "2) Downloading checksum file"
+echo "============================"
+download "sha256sums" "$sha256_url" || {
+ echo "Failed to download checksum file!" >&2
+ finish 2
+}
+
+echo ""
+echo "3) Downloading the GPG signature"
+echo "================================"
+download "sha256sums.gpg" "$gpgsig_url" || {
+ echo "Failed to download GPG signature!" >&2
+ finish 3
+}
+
+echo ""
+echo "4) Verifying GPG signature"
+echo "=========================="
+missing_key=$(runpgp --status-fd 1 --with-fingerprint --verify \
+ "sha256sums.gpg" "sha256sums" 2>/dev/null | sed -ne 's!^.* NO_PUBKEY !!p')
+
+if [ -n "$missing_key" ]; then
+ echo "The signature was signed by a public key with the id $missing_key" >&2
+ echo "which is not present on this system." >&2
+ echo "" >&2
+
+ echo "Provide a public keyserver url below or press enter to accept the" >&2
+ echo "default suggestion. Hit Ctrl-C to abort the operation." >&2
+ echo "" >&2
+
+ while true; do
+ printf 'Keyserver to use? [%s] > ' "$keyserver_url"
+ read -r url; case "${url:-$keyserver_url}" in
+ hkp://*)
+ gpg --keyserver "${url:-$keyserver_url}" --recv-keys "$missing_key" || {
+ echo "Failed to download public key." >&2
+ finish 7
+ }
+ break
+ ;;
+ *)
+ echo "Expecting a key server url in the form 'hkp://hostname'." >&2
+ ;;
+ esac
+ done
+fi
+
+runpgp --with-fingerprint --verify "sha256sums.gpg" "sha256sums" || {
+ echo "Failed to verify checksum file with GPG signature!" >&2
+ finish 4
+}
+
+echo ""
+echo "5) Verifying SHA256 checksum"
+echo "============================"
+checksum || {
+ echo "Checksums do not match!" >&2
+ finish 5
+}
+
+cp "$image_file" "$destdir/$image_file" || {
+ echo "Failed to write '$destdir/$image_file'" >&2
+ finish 6
+}
+
+echo ""
+echo "Verification done!"
+echo "=================="
+echo "Downloaded artifact placed in '$destdir/$image_file'."
+echo ""
+
+finish 0
diff --git a/target/imagebuilder/files/Makefile b/target/imagebuilder/files/Makefile
index d94ad3b5b2..dac5665d97 100644
--- a/target/imagebuilder/files/Makefile
+++ b/target/imagebuilder/files/Makefile
@@ -249,7 +249,7 @@ ifeq ($(CONFIG_USE_APK),)
 else
 $(if $(CONFIG_SIGNATURE_CHECK), \
 $(if $(ADD_LOCAL_KEY), \
- mkdir -p $(TARGET_DIR)/etc/opkg/keys/; \
+ mkdir -p $(TARGET_DIR)/etc/apk/keys/; \
 cp $(BUILD_KEY_APK_PUB) $(TARGET_DIR)/etc/apk/keys/; \
 ) \
 )
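Review bot: In scripts/download-check-artifact.sh the `runpgp` fallback used when `gpg` is absent prints a warning and does `return 0`, so step 4 passes and the script ends with "Verification done!" and exit 0 although only a checksum fetched from the same location as the artifact was checked; making the fallback `return 1` (which lands in the existing `finish 4` path) or requiring an explicit opt-out keeps the script fail-closed. In the `NO_PUBKEY` branch the key to import is named by the signature itself, and `gpg --verify` also exits 0 for a good signature from a key that is not trusted, so any key that signed `sha256sums` would satisfy the check; comparing the signer against an expected fingerprint, or verifying against a dedicated keyring of project keys, would close that gap. `finish` removes `/tmp/verify.$$`, but the working directory comes from `mktemp -d`, so nothing is ever cleaned up; it should test and remove `"$tmpdir"` instead. The exit-code header also omits the `7` used by `finish 7`.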