diff options
| author | Alexander Couzens <lynxis@fe80.eu> | 2017-06-09 01:11:44 +0200 |
|---|---|---|
| committer | Holger Levsen <holger@layer-acht.org> | 2017-06-09 13:55:19 +0200 |
| commit | e495d90c5c07137bc8b17336b864a103f08e55af (patch) | |
| tree | 5feacb3db7c87fcbc21db4be2e804ae0e7e1159a | |
| parent | 0aed29c2c17e5296ea520f31d1e83b523975de24 (diff) | |
| download | jenkins.debian.net-e495d90c5c07137bc8b17336b864a103f08e55af.tar.xz | |
reproducible_lede: create a workaround for signing keys
LEDE signs the release with a signing key, but generate the signing key if not
present. To have a reproducible release we need to take care of signing keys.
LEDE will also put the key-build.pub into the resulting image (pkg: base-files)!
At the end of the build it will use the key-build to sign the Packages repo list.
Use a workaround this problem:
key-build.pub contains the pubkey of LEDE buildbot
key-build contains our build key
Meaning only signed files will be different but not the images.
Packages.sig is unreproducible.
Signed-off-by: Holger Levsen <holger@layer-acht.org>
| -rw-r--r-- | bin/reproducible_lede_common.sh | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/bin/reproducible_lede_common.sh b/bin/reproducible_lede_common.sh index 87a6c53d..529f34b4 100644 --- a/bin/reproducible_lede_common.sh +++ b/bin/reproducible_lede_common.sh @@ -233,6 +233,37 @@ openwrt_compile() { ionice -c 3 $MAKE $OPTIONS } +openwrt_create_signing_keys() { + echo "=============================================================================" + cat <<- EOF +# LEDE signs the release with a signing key, but generate the signing key if not +# present. To have a reproducible release we need to take care of signing keys. + +# LEDE will also put the key-build.pub into the resulting image (pkg: base-files)! +# At the end of the build it will use the key-build to sign the Packages repo list. +# Use a workaround this problem: + +# key-build.pub contains the pubkey of LEDE buildbot +# key-build contains our build key + +# Meaning only signed files will be different but not the images. +# Packages.sig is unreproducible. + +# here is our random signing key +# chosen by fair dice roll. +# guaranteed to be random. + +# private key +EOF + echo -e 'untrusted comment: Local build key\nRWRCSwAAAAB12EzgExgKPrR4LMduadFAw1Z8teYQAbg/EgKaN9SUNrgteVb81/bjFcvfnKF7jS1WU8cDdT2VjWE4Cp4cxoxJNrZoBnlXI+ISUeHMbUaFmOzzBR7B9u/LhX3KAmLsrPc=' | tee key-build + echo "\n# public key" + echo -e 'untrusted comment: Local build key\nRWQ/EgKaN9SUNja2aAZ5VyPiElHhzG1GhZjs8wUewfbvy4V9ygJi7Kz3' | tee key-build.pub + + echo "# override the pubkey with 'LEDE usign key for unattended build jobs' to have the same base-files pkg and images" + echo -e 'untrusted comment: LEDE usign key for unattended build jobs\nRWS1BD5w+adc3j2Hqg9+b66CvLR7NlHbsj7wjNVj0XGt/othDgIAOJS+' | tee key-build.pub + echo "=============================================================================" +} + # called by openwrt_two_times # ssh $GENERIC_NODE1 reproducible_$TYPE node openwrt_download $TYPE $TARGET $CONFIG $TMPDIR openwrt_download() { @@ -250,6 +281,9 @@ openwrt_download() { git clone -b $OPENWRT_GIT_BRANCH $OPENWRT_GIT_REPO source cd source + # otherwise LEDE will generate new release keys every build + openwrt_create_signing_keys + # update feeds ./scripts/feeds update ./scripts/feeds install -a |