From b902284290b846423ca30d8f4f69eda6bb2c9ee2 Mon Sep 17 00:00:00 2001 From: John Crispin Date: Tue, 12 Nov 2024 07:49:22 +0100 Subject: [PATCH 1/5] base-files: improve default root-passwd script The script was not exiting cleanly causing it to not be removed from the uci-defaults folder. Signed-off-by: John Crispin --- .../files/etc/uci-defaults/50-root-passwd | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/package/base-files/files/etc/uci-defaults/50-root-passwd b/package/base-files/files/etc/uci-defaults/50-root-passwd index 9eddf1559b..f0bb519aec 100644 --- a/package/base-files/files/etc/uci-defaults/50-root-passwd +++ b/package/base-files/files/etc/uci-defaults/50-root-passwd @@ -3,10 +3,16 @@ json_init json_load "$(cat /etc/board.json)" -json_select credentials - json_get_vars root_password_hash root_password_hash - [ -z "$root_password_hash" ] || sed -i "s|^root:[^:]*|root:$root_password_hash|g" /etc/shadow +if json_is_a credentials object; then + json_select credentials + json_get_vars root_password_hash root_password_hash + if [ -n "$root_password_hash" ]; then + sed -i "s|^root:[^:]*|root:$root_password_hash|g" /etc/shadow + fi - json_get_vars root_password_plain root_password_plain - [ -z "$root_password_plain" ] || { (echo "$root_password_plain"; sleep 1; echo "$root_password_plain") | passwd root } -json_select .. + json_get_vars root_password_plain root_password_plain + if [ -n "$root_password_plain" ]; then + (echo "$root_password_plain"; sleep 1; echo "$root_password_plain") | passwd root + fi + json_select .. +fi From 93d005e6bc571e062b3dd263c06b2d9957552e9c Mon Sep 17 00:00:00 2001 From: Kuan-Yi Li Date: Thu, 14 Nov 2024 00:29:21 +0800 Subject: [PATCH 2/5] imagebuilder: fix APK keys dir creation Make keys directory for APK instead of OPKG while adding local key. Signed-off-by: Kuan-Yi Li Link: https://github.com/openwrt/openwrt/pull/16942 
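Review bot: Neither the `sed -i` on /etc/shadow nor the `passwd root` pipeline inside the new `if` blocks has its exit status checked, so as far as the hunk shows the script ends with the status of the trailing `json_select ..`. A failed password update therefore still counts as a clean exit and, going by the commit message, the script is removed from uci-defaults while root keeps whatever password the image shipped with. Consider propagating the failure, e.g. `sed -i "s|^root:[^:]*|root:$root_password_hash|g" /etc/shadow || exit 1` and `... | passwd root || exit 1`. Separately, `$root_password_hash` is interpolated into the sed replacement, so a value containing `|`, `&` or `\` would corrupt the root line; checking it against the crypt character set first would be safer. It is also worth a comment that `root_password_plain` stays readable in /etc/board.json after it has been applied.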
Signed-off-by: Christian Marangi --- target/imagebuilder/files/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/imagebuilder/files/Makefile b/target/imagebuilder/files/Makefile index c92ab74306..56f761e966 100644 --- a/target/imagebuilder/files/Makefile +++ b/target/imagebuilder/files/Makefile @@ -249,7 +249,7 @@ ifeq ($(CONFIG_USE_APK),) else $(if $(CONFIG_SIGNATURE_CHECK), \ $(if $(ADD_LOCAL_KEY), \ - mkdir -p $(TARGET_DIR)/etc/opkg/keys/; \ + mkdir -p $(TARGET_DIR)/etc/apk/keys/; \ cp $(BUILD_KEY_APK_PUB) $(TARGET_DIR)/etc/apk/keys/; \ ) \ ) From c6a3a11c07fdd85baf9ae43d718eb7a317995ed8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20=C5=A0tetiar?= Date: Wed, 13 Nov 2024 08:11:38 +0000 Subject: [PATCH 3/5] apk: update to Git 417a93ceae540444fdbd3f76d1dadf0e15621fdc (2024-11-13) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit c1a3e69f24e2 db: validate package arch against compatible arches 2a3dbfc9db58 db: add and use apk_db_parse_file helper to parse files line by line b231eacd8121 db: simplify add_repos_from_file 98d7196a48d4 db: fix permissions of arch file d2aaf13ee488 commit: sort matched dependencies on error analysis c259642c006d tests: rework solver tests to not require apk-test binary 08b4d21f922e tests: move solver test data to separate directory 563d36481166 tests: minor updates to root tests a236fdd39040 pkg: use memfd_create only if target root has dev/fd working a5aeb3db113f test: unify makefile and meson tests d86afdef88b0 db: print message when a file is written to .apk-new 5dd91e3c387d db: consider --force-no-chroot when determining /dev/fd availability 5add6fce22d4 apk-tools-3.0.0_pre4 8a13ed96d1d5 test: fix solver.sh for parallel use fcd4defc18e6 test: move vertest to cmocka based unit testing infrastructure e38d5b5a9d04 test: add missing alpine tests makefile 19b1df79ebca blob: refactor apk_blob_for_each_segment into apk_blob_foreach_word 76970a938dd7 package: move the location of executable package scripts 1e0411568dad package: respect libexecdir instead of hard-coding /usr/libexec a4837ae8ffe2 package: don't call make_device_tree when APK_NO_CHROOT is set ade0be3449e4 db, extract: handle file/directory extraction errors more consistently 4050f9e69d2e db: fix hardlink handling: root directory and v3 checksums 89e4bf1db040 db, fs: do not extract devices in --usermode 64ff8c72d9fb db: allow files starting with a dot in the root directory of apk3 packages d26b65d30f55 db, audit: remove support for files without embedded checksum 417a93ceae54 pkg: truncate apkv3 description to 256 bytes Fixes: #16929 
Signed-off-by: Petr Štetiar --- package/system/apk/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/system/apk/Makefile b/package/system/apk/Makefile index 2d637fa180..e911f4ae4b 100644 --- a/package/system/apk/Makefile +++ b/package/system/apk/Makefile @@ -5,9 +5,9 @@ PKG_RELEASE:=1 PKG_SOURCE_URL=https://gitlab.alpinelinux.org/alpine/apk-tools.git PKG_SOURCE_PROTO:=git -PKG_SOURCE_DATE:=2024-11-08 -PKG_SOURCE_VERSION:=d9c24813d983df9524fa7a2b78fc3132c159a20f -PKG_MIRROR_HASH:=3d1a79c08ef8c8b9404f9287d9acda6468b8b1c2a99dd384287f522ed3b1a047 +PKG_SOURCE_DATE:=2024-11-13 +PKG_SOURCE_VERSION:=417a93ceae540444fdbd3f76d1dadf0e15621fdc +PKG_MIRROR_HASH:=3888aa506f0ce808cbe0287b98abfb7ba92e68b1eb17516fef4b58068bc72131 PKG_VERSION=3.0.0_pre$(subst -,,$(PKG_SOURCE_DATE)) From 4c9031fda271ed7d4503642f63ff824faa6cc3a0 Mon Sep 17 00:00:00 2001 
From: "David S. H. Rosenthal" Date: Wed, 6 Nov 2024 10:19:17 +0000 Subject: [PATCH 4/5] scripts: add download-check-artifact.sh script MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While checking wiki documentation about GPG signatures checking I found this nice script and I've thought, that it would be nice to provide it officially instead of some random internet site. Usage example: $ ./scripts/download-check-artifact.sh https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/openwrt-mediatek-filogic-openwrt_one-squashfs-sysupgrade.itb 1) Downloading image file ========================= ########################################### 100.0% 2) Downloading checksum file ============================ ########################################### 100.0% 3) Downloading the GPG signature ================================ ########################################### 100.0% 4) Verifying GPG signature ========================== gpg: Signature made Tue 05 Nov 2024 05:21:50 PM UTC gpg: using EDDSA key 92C561DE55AE6552F3C736B82B0151090606D1D9 gpg: Good signature from "OpenWrt Build System (Nitrokey3) " [ultimate] Primary key fingerprint: 8A8B C12F 46B8 36C0 F9CD B36F 1D53 D187 7742 E911 Subkey fingerprint: 92C5 61DE 55AE 6552 F3C7 36B8 2B01 5109 0606 D1D9 5) Verifying SHA256 checksum ============================ openwrt-mediatek-filogic-openwrt_one-squashfs-sysupgrade.itb: OK Verification done! ================== Downloaded artifact placed in '/var/home/ynezz/dev/openwrt/openwrt.git/openwrt-mediatek-filogic-openwrt_one-squashfs-sysupgrade.itb' Cleaning up. Adding file in a state as downloaded from https://www.abitare.org/bin/download.sh References: https://openwrt.org/docs/guide-quick-start/verify_firmware_checksum?s[]=gpg#linux Signed-off-by: David S. H. Rosenthal Link: https://github.com/openwrt/openwrt/pull/16871 
Signed-off-by: Petr Štetiar
---
scripts/download-check-artifact.sh | 154 +++++++++++++++++++++++++++++
1 file changed, 154 insertions(+)
create mode 100755 scripts/download-check-artifact.sh
diff --git a/scripts/download-check-artifact.sh b/scripts/download-check-artifact.sh
new file mode 100755
index 0000000000..31868da5cd
--- /dev/null
+++ b/scripts/download-check-artifact.sh
@@ -0,0 +1,154 @@
+#!/usr/bin/env bash
+# Script to perform verified file downloads.
+# Exit codes:
+# 0 - File downloaded successfully and verified
+# 1 - Failed to download requested file
+# 2 - Failed to download sha256sums file
+# 3 - Failed to download sha256sums.gpg file
+# 4 - GnuPG is available but fails to verify the signature (missing pubkey, file integrity error, ...)
+# 5 - The checksums do not match
+# 6 - Unable to copy the requested file to its final destination
+# 254 - The script got interrupted by a signal
+# 255 - A suitable download or checksum utility is missing
+
+[ -n "$1" ] || {
+ echo "Usage: $0 " >&2
+ exit 1
+}
+
+finish() {
+ [ -e "/tmp/verify.$$" ] && {
+ echo "Cleaning up."
+ rm -r "/tmp/verify.$$"
+ }
+ exit $1
+}
+
+trap "finish 254" INT TERM
+
+destdir="$(pwd)"
+image_url="$1"
+image_file="${image_url##*/}"
+sha256_url="${image_url%/*}/sha256sums"
+gpgsig_url="${image_url%/*}/sha256sums.asc"
+keyserver_url="hkp://keyserver.ubuntu.com"
+
+# Find a suitable download utility
+if which curl >/dev/null; then
+ download() { curl --progress-bar -o "$1" "$2"; }
+elif which wget >/dev/null; then
+ download() { wget -O "$1" "$2"; }
+elif which fetch >/dev/null; then
+ download() { fetch -o "$1" "$2"; }
+else
+ echo "No suitable download utility found, cannot download files!" >&2
+ finish 255
+fi
+
+# Find a suitable checksum utility
+if which sha256sum >/dev/null; then
+ checksum() { sha256sum -c --ignore-missing "sha256sums"; }
+elif which shasum >/dev/null; then
+ checksum() {
+ local sum="$(shasum -a 256 "$image_file")";
+ grep -xF "${sum%% *} *$image_file" "sha256sums";
+ }
+else
+ echo "No SHA256 checksum executable installed, cannot verify checksums!" >&2
+ finish 255
+fi
+
+# Check for gpg availability
+if which gpg >/dev/null; then
+ runpgp() { gpg "$@"; }
+else
+ runpgp() {
+ echo "WARNING: No GnuPG installed, cannot verify digital signature!" >&2
+ return 0
+ }
+fi
+
+mkdir -p "/tmp/verify.$$"
+cd "/tmp/verify.$$"
+
+echo ""
+echo "1) Downloading image file"
+echo "========================="
+download "$image_file" "$image_url" || {
+ echo "Failed to download image file!" >&2
+ finish 1
+}
+
+echo ""
+echo "2) Downloading checksum file"
+echo "============================"
+download "sha256sums" "$sha256_url" || {
+ echo "Failed to download checksum file!" >&2
+ finish 2
+}
+
+echo ""
+echo "3) Downloading the GPG signature"
+echo "================================"
+download "sha256sums.gpg" "$gpgsig_url" || {
+ echo "Failed to download GPG signature!" >&2
+ finish 3
+}
+
+echo ""
+echo "4) Verifying GPG signature"
+echo "=========================="
+missing_key=$(runpgp --status-fd 1 --with-fingerprint --verify \
+ "sha256sums.gpg" "sha256sums" 2>/dev/null | sed -ne 's!^.* NO_PUBKEY !!p')
+
+if [ -n "$missing_key" ]; then
+ echo "The signature was signed by a public key with the id $missing_key" >&2
+ echo "which is not present on this system." >&2
+ echo "" >&2
+
+ echo "Provide a public keyserver url below or press enter to accept the" >&2
+ echo "default suggestion. Hit Ctrl-C to abort the operation." >&2
+ echo "" >&2
+
+ while true; do
+ printf "Keyserver to use? [$keyserver_url] > "
+ read url; case "${url:-$keyserver_url}" in
+ hkp://*)
+ gpg --keyserver "${url:-$keyserver_url}" --recv-keys "$missing_key" || {
+ echo "Failed to download public key." >&2
+ finish 7
+ }
+ break
+ ;;
+ *)
+ echo "Expecting a key server url in the form 'hkp://hostname'." >&2
+ ;;
+ esac
+ done
+fi
+
+runpgp --with-fingerprint --verify "sha256sums.gpg" "sha256sums" || {
+ echo "Failed to verify checksum file with GPG signature!" >&2
+ finish 4
+}
+
+echo ""
+echo "5) Verifying SHA256 checksum"
+echo "============================"
+checksum || {
+ echo "Checksums do not match!" >&2
+ finish 5
+}
+
+cp "$image_file" "$destdir/$image_file" || {
+ echo "Failed to write '$destdir/$image_file'" >&2
+ finish 6
+}
+
+echo ""
+echo "Verification done!"
+echo "=================="
+echo "Firmware image placed in '$destdir/$image_file'."
+echo ""
+
+finish 0
From 27c2c140b16cb490f20c1c2259b3decf50ae5762 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0tetiar?=
Date: Wed, 6 Nov 2024 10:40:37 +0000
Subject: [PATCH 5/5] scripts: download-check-artifact.sh: fix shellcheck and improve
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes following shellcheck's recommendations: In scripts/download-check-artifact.sh line 24: exit $1 ^-- SC2086 (info): Double quote to prevent globbing and word splitting. In scripts/download-check-artifact.sh line 53: local sum="$(shasum -a 256 "$image_file")"; ^-^ SC2155 (warning): Declare and assign separately to avoid masking return values. In scripts/download-check-artifact.sh line 72: cd "/tmp/verify.$$" ^-----------------^ SC2164 (warning): Use 'cd ... || exit' or 'cd ... || return' in case cd fails. In scripts/download-check-artifact.sh line 114: printf "Keyserver to use? [$keyserver_url] > " ^-- SC2059 (info): Don't use variables in the printf format string. Use printf '..%s..' "$foo". In scripts/download-check-artifact.sh line 115: read url; case "${url:-$keyserver_url}" in ^--^ SC2162 (info): read without -r will mangle backslashes. While at it make it clear, that it is possible to download/check any build artifacts like even SDK or ImageBuilder.
Link: https://github.com/openwrt/openwrt/pull/16871
Signed-off-by: Petr Štetiar
---
scripts/download-check-artifact.sh | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/scripts/download-check-artifact.sh b/scripts/download-check-artifact.sh
index 31868da5cd..bc0918b214 100755
--- a/scripts/download-check-artifact.sh
+++ b/scripts/download-check-artifact.sh
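Review bot: Signature verification fails open in two places in this new script, the `runpgp` fallback and the `NO_PUBKEY` branch. When gpg is not installed the fallback prints a warning and returns 0, so the run can still end with exit code 0 ("downloaded successfully and verified") although only a checksum file fetched from the same location as the artifact was checked; the fallback should fail, e.g. `runpgp() { echo "ERROR: GnuPG is required to verify the signature" >&2; return 1; }`, unless the user explicitly opts out. When the signing key is unknown, the script imports whatever key id gpg reports after `NO_PUBKEY` from a keyserver over `hkp://` and then accepts the signature, which shows only that some key signed `sha256sums`, not that an expected project key did. Comparing the `VALIDSIG` fingerprint from `--status-fd` against a pinned list of expected fingerprints before reporting success would close that gap. Exit code 7, used when the key download fails, is also missing from the exit-code list in the header comment.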
@@ -12,6 +12,7 @@ # 255 - A suitable download or checksum utility is missing [ -n "$1" ] || { + echo "$0 - Download and verify build artifacts" echo "Usage: $0 " >&2 exit 1 } @@ -21,7 +22,7 @@ finish() { echo "Cleaning up." rm -r "/tmp/verify.$$" } - exit $1 + exit "$1" } trap "finish 254" INT TERM @@ -50,7 +51,8 @@ if which sha256sum >/dev/null; then checksum() { sha256sum -c --ignore-missing "sha256sums"; } elif which shasum >/dev/null; then checksum() { - local sum="$(shasum -a 256 "$image_file")"; + local sum + sum="$(shasum -a 256 "$image_file")"; grep -xF "${sum%% *} *$image_file" "sha256sums"; } else @@ -68,11 +70,14 @@ else } fi -mkdir -p "/tmp/verify.$$" -cd "/tmp/verify.$$" +tmpdir="$(mktemp -d)" +cd "$tmpdir" || { + echo "Failed to create temporary directory!" >&2 + finish 255 +} echo "" -echo "1) Downloading image file" +echo "1) Downloading artifact file" echo "=========================" download "$image_file" "$image_url" || { echo "Failed to download image file!" >&2 @@ -111,8 +116,8 @@ if [ -n "$missing_key" ]; then echo "" >&2 while true; do - printf "Keyserver to use? [$keyserver_url] > " - read url; case "${url:-$keyserver_url}" in + printf 'Keyserver to use? [%s] > ' "$keyserver_url" + read -r url; case "${url:-$keyserver_url}" in hkp://*) gpg --keyserver "${url:-$keyserver_url}" --recv-keys "$missing_key" || { echo "Failed to download public key." >&2 @@ -148,7 +153,7 @@ cp "$image_file" "$destdir/$image_file" || { echo "" echo "Verification done!" echo "==================" -echo "Firmware image placed in '$destdir/$image_file'." +echo "Downloaded artifact placed in '$destdir/$image_file'." echo "" finish 0
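Review bot: The `-68,11 +70,14` hunk moves the work directory to `mktemp -d`, but `finish()` (visible as context in the `-21,7 +22,7` hunk) still tests and removes `/tmp/verify.$$`, so the new directory and the downloaded files in it are never cleaned up. `finish` should remove the directory that was actually created, e.g. `[ -n "$tmpdir" ] && [ -d "$tmpdir" ] && rm -r -- "$tmpdir"`. The failure check is also attached to `cd` rather than to `mktemp`: if `mktemp -d` fails, `tmpdir` is empty and `cd ""` may succeed in some shells, which would leave the downloads in the caller's directory. Testing the assignment itself, `tmpdir="$(mktemp -d)" || { echo "Failed to create temporary directory!" >&2; exit 255; }`, makes the error message match the command it guards.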