diff --git a/.github/workflows/build-gluon.yml b/.github/workflows/build-gluon.yml index dd260045..664ef7f2 100644 --- a/.github/workflows/build-gluon.yml +++ b/.github/workflows/build-gluon.yml @@ -28,6 +28,18 @@ jobs: with: name: ar71xx-generic_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ar71xx-generic_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ar71xx-generic_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -49,6 +61,18 @@ jobs: with: name: ar71xx-tiny_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ar71xx-tiny_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ar71xx-tiny_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -70,6 +94,18 @@ jobs: with: name: ar71xx-nand_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ar71xx-nand_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ar71xx-nand_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: 
@@ -91,6 +127,18 @@ jobs: with: name: ath79-generic_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ath79-generic_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ath79-generic_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -112,6 +160,18 @@ jobs: with: name: brcm2708-bcm2708_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: brcm2708-bcm2708_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: brcm2708-bcm2708_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -133,6 +193,18 @@ jobs: with: name: brcm2708-bcm2709_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: brcm2708-bcm2709_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: brcm2708-bcm2709_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -154,6 +226,18 @@ jobs: with: name: ipq40xx-generic_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ipq40xx-generic_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ipq40xx-generic_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: 
@@ -175,6 +259,18 @@ jobs: with: name: ipq806x-generic_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ipq806x-generic_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ipq806x-generic_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -196,6 +292,18 @@ jobs: with: name: lantiq-xrx200_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: lantiq-xrx200_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: lantiq-xrx200_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -217,6 +325,18 @@ jobs: with: name: lantiq-xway_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: lantiq-xway_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: lantiq-xway_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -238,6 +358,18 @@ jobs: with: name: mpc85xx-generic_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: mpc85xx-generic_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: mpc85xx-generic_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: 
@@ -259,6 +391,18 @@ jobs: with: name: mpc85xx-p1020_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: mpc85xx-p1020_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: mpc85xx-p1020_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -280,6 +424,18 @@ jobs: with: name: ramips-mt7620_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ramips-mt7620_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ramips-mt7620_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -301,6 +457,18 @@ jobs: with: name: ramips-mt7621_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ramips-mt7621_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ramips-mt7621_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -322,6 +490,18 @@ jobs: with: name: ramips-mt76x8_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ramips-mt76x8_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ramips-mt76x8_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: 
@@ -343,6 +523,18 @@ jobs: with: name: ramips-rt305x_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ramips-rt305x_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ramips-rt305x_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -364,6 +556,18 @@ jobs: with: name: sunxi-cortexa7_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: sunxi-cortexa7_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: sunxi-cortexa7_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -385,6 +589,18 @@ jobs: with: name: x86-generic_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: x86-generic_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: x86-generic_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -406,6 +622,18 @@ jobs: with: name: x86-geode_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: x86-geode_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: x86-geode_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: 
@@ -427,6 +655,18 @@ jobs: with: name: x86-64_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: x86-64_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: x86-64_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -448,6 +688,18 @@ jobs: with: name: ar71xx-mikrotik_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ar71xx-mikrotik_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: ar71xx-mikrotik_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -469,6 +721,18 @@ jobs: with: name: brcm2708-bcm2710_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: brcm2708-bcm2710_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: brcm2708-bcm2710_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: @@ -490,6 +754,18 @@ jobs: with: name: mvebu-cortexa9_logs path: openwrt/logs + - name: Archive build seckey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: mvebu-cortexa9_pubkey + path: openwrt/key-build.pub + - name: Archive build pubkey + if: ${{ !cancelled() }} + uses: actions/upload-artifact@v1 + with: + name: mvebu-cortexa9_seckey + path: openwrt/key-build - name: Archive build output uses: actions/upload-artifact@v1 with: diff --git a/contrib/actions/generate-actions.py b/contrib/actions/generate-actions.py index d0a82dfd..c5b4c47d 100755 --- a/contrib/actions/generate-actions.py 
+++ b/contrib/actions/generate-actions.py
@@ -34,6 +34,18 @@ ACTIONS_TARGET="""
 with:
 name: {target_name}_logs
 path: openwrt/logs
+ - name: Archive build seckey
+ if: ${{{{ !cancelled() }}}}
+ uses: actions/upload-artifact@v1
+ with:
+ name: {target_name}_pubkey
+ path: openwrt/key-build.pub
+ - name: Archive build pubkey
+ if: ${{{{ !cancelled() }}}}
+ uses: actions/upload-artifact@v1
+ with:
+ name: {target_name}_seckey
+ path: openwrt/key-build
 - name: Archive build output
 uses: actions/upload-artifact@v1
 with:
diff --git a/patches/openwrt/0010-base-files-ucert-loop.patch b/patches/openwrt/0010-base-files-ucert-loop.patch
new file mode 100644
index 00000000..8b9aa50b
--- /dev/null
+++ b/patches/openwrt/0010-base-files-ucert-loop.patch
@@ -0,0 +1,18 @@
+From: Matthias Schiffer
+Date: Fri, 15 May 2020 21:07:21 +0200
+Subject: base-files: ucert loop
+
+diff --git a/package/base-files/Makefile b/package/base-files/Makefile
+index c30694cfdd70dfcb95fc9e8cc0ebbf77c92236a4..f0b15fdc1db5776774cefef6350d5f0f69a56c83 100644
+--- a/package/base-files/Makefile
++++ b/package/base-files/Makefile
+@@ -112,8 +112,7 @@ ifdef CONFIG_SIGNED_PACKAGES
+ [ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
+ $(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"
+
+- [ -s $(BUILD_KEY).ucert ] || \
+- $(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY)
++ for i in `seq 1 1000`; do rm -f $(BUILD_KEY).ucert; $(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY) || exit 1; done
+
+ endef
+
diff --git a/patches/openwrt/0011-ucert-add-test-patch.patch b/patches/openwrt/0011-ucert-add-test-patch.patch
new file mode 100644
index 00000000..d93e6ae5
--- /dev/null
+++ b/patches/openwrt/0011-ucert-add-test-patch.patch
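Review bot: The second step added to the `ACTIONS_TARGET` template uploads `openwrt/key-build`, the usign secret key the build signs with, as a workflow artifact for every target, so anyone able to download a run's artifacts obtains a key that images from that run presumably trust for package signatures. If this is only needed to debug the ucert failure, keep the `key-build.pub` upload and drop the secret-key step before this reaches a shared branch, or treat the key as disclosed and make sure it is never reused. The step names are also inverted: `- name: Archive build seckey` uploads `key-build.pub` as `{target_name}_pubkey`, while `- name: Archive build pubkey` uploads `key-build` as `{target_name}_seckey`. The regenerated hunks in `.github/workflows/build-gluon.yml` carry the same two steps for each target.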
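Review bot: The replacement recipe line drops the `[ -s $(BUILD_KEY).ucert ] ||` guard and runs `rm -f $(BUILD_KEY).ucert` before each of its 1000 `ucert -I` calls, so a certificate that already exists next to a supplied build key is discarded and reissued on every build. The patch has no description beyond its subject, so nothing marks the loop as temporary; a line such as `# DEBUG: reissue the cert repeatedly to reproduce the ucert failure, drop before merge` above it would say so, assuming that is the intent. If the loop has to stay for a while, pointing `-c` at a scratch file instead of `$(BUILD_KEY).ucert` would leave an existing certificate untouched. The recipe this line belongs to starts outside the hunk.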
@@ -0,0 +1,77 @@
+From: Matthias Schiffer
+Date: Tue, 12 May 2020 19:29:50 +0200
+Subject: ucert: add test patch
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/package/system/ucert/patches/test.patch b/package/system/ucert/patches/test.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..c9123054895650a9c2755f20b79c02fc82ab13b4
+--- /dev/null
++++ b/package/system/ucert/patches/test.patch
+@@ -0,0 +1,65 @@
++diff --git a/ucert.c b/ucert.c
++index d822199eb7f8..1fc0c629c271 100644
++--- a/ucert.c
+++++ b/ucert.c
++@@ -431,24 +431,34 @@ static int cert_issue(const char *certfile, const char *pubkeyfile, const char *
++ char tmpdir[] = "/tmp/ucert-XXXXXX";
++
++ pkf = fopen(pubkeyfile, "r");
++- if (!pkf)
+++ if (!pkf) {
+++ fprintf(stderr, "failed to open pubkeyfile '%s'\n", pubkeyfile);
++ return -1;
+++ }
++
++ pklen = fread(pkb, 1, 512, pkf);
++- pkb[pklen] = '\0';
+++ fprintf(stderr, "read pubkeyfile: %d\n", pklen);
+++
+++ fseek(pkf, 0, SEEK_END);
+++ fprintf(stderr, "size pubkeyfile: %ld\n", ftell(pkf));
++
++ if (pklen < 32)
++ return -1;
+++ pkb[pklen] = '\0';
++
++ fclose(pkf);
++
++- if (usign_f_pubkey(pkfp, pubkeyfile))
+++ if (usign_f_pubkey(pkfp, pubkeyfile)) {
+++ fprintf(stderr, "failed to parse pubkeyfile\n");
++ return -1;
+++ }
++
++ gettimeofday(&tv, NULL);
++
++- if (mkdtemp(tmpdir) == NULL)
+++ if (mkdtemp(tmpdir) == NULL) {
+++ fprintf(stderr, "failed to mkdtemp: %m\n");
++ return errno;
+++ }
++
++ while (revoker >= 0) {
++ blob_buf_init(&payloadbuf, 0);
++diff --git a/usign-exec.c b/usign-exec.c
++index 85e5f956ee1f..c7f52d3a59cf 100644
++--- a/usign-exec.c
+++++ b/usign-exec.c
++@@ -147,13 +147,16 @@ static int usign_f(char *fingerprint, const char *pubkeyfile, const char *seckey
++ #else
++ execv(usign_argv[0], (char *const *)usign_argv)
++ #endif
++- )
+++ ) {
+++ perror("exec");
++ return -1;
+++ }
++
++ break;
++
++ default:
++ waitpid(pid, &status, 0);
+++ fprintf(stderr, "ucert: %d (%d)\n", 
WIFEXITED(status), WIFEXITED(status) ? WEXITSTATUS(status) : WTERMSIG(status));
++ status = WEXITSTATUS(status);
++ if (fingerprint && !WEXITSTATUS(status)) {
++ ssize_t r;