Invoke bundle-libraries.sh with any buildroot related directory entries
removed from $PATH to avoid picking up cross versions of utilities like
ldd which will not properly work when used against host executables.
This should fix executable bundling for glibc-target imagebuilders.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

When building images with the imagebuilder, the partition signature
never changes. The signature is generated by hashing SOURCE_DATE_EPOCH
and LINUX_VERMAGIC which are undefined. Prepopulate these variables, as
done by the SDK.
Signed-off-by: Matthew Gyurgyik <matthew@gyurgyik.io>

The ImageBuilder downloads pre-built packages and adds them to images.
This process uses `opkg`, which has the capability to verify package list
signatures via `usign`, as enabled by default on running OpenWrt
devices.

Until now this was disabled for ImageBuilders because neither the `opkg`
keys nor the `opkg-add` script was present during the first package list
update.

To harden the ImageBuilder against *drive-by-download-attacks*, both keys
and verification script are added to the ImageBuilder, allowing `opkg` to
verify downloaded package indices.

This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys
folder is added to ImageBuilder $TOPDIR to have an obvious place for users to
store their own keys. The `option check_signature` is appended to the
repositories.conf file. All of the above only happens if the Buildbot
runs with the SIGNATURE_CHECK option.

The keys stored in the ImageBuilder keys/ are the same as included in
the openwrt-keyring package. To avoid the chicken-and-egg problem of
downloading and verifying a package containing signing keys, the keys
are added during the ImageBuilder generation. They are the same as in
shipped images (stored at `/etc/opkg/keys/`).

To allow a local package feed in which the user can add additional
packages, a local set of `usign` and `ucert` keys is generated, the same as
when building OpenWrt from source. The private key signs the local repository
inside the packages/ folder. The local public key is added to the keys/
folder to be considered by `opkg` when updating repositories. This way a
local package feed can be modified while requiring `opkg` to check
signatures for remote feeds, making HTTPS optional.

The new option `ADD_LOCAL_KEY` allows adding the local key inside the
created images, adding the advantage that sysupgrades can validate the
ImageBuilder's local key.

Signed-off-by: Paul Spooren <mail@aparcar.org>

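Added example, not part of the commit above or of OpenWrt's own scripts: a small audit that checks an unpacked ImageBuilder tree for the hardening the commit message describes (`option check_signature` in repositories.conf, key files in keys/) and flags plain-HTTP feeds when signature checking is off. The function names, the sample feed URL and the placeholder key file are constructed for illustration; the directory layout is assumed from the commit message.

```shell
#!/bin/sh
# Added example: audit an ImageBuilder tree for the signature-check hardening.
# Assumed layout (from the commit message): repositories.conf and keys/ in the
# ImageBuilder top directory. Function names are hypothetical.

audit_imagebuilder() {
    topdir=$1
    conf="$topdir/repositories.conf"
    status=0
    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 2; }

    # 1. Index verification requires an uncommented 'option check_signature'.
    if grep -Eq '^[[:space:]]*option[[:space:]]+check_signature([[:space:]]|$)' "$conf"; then
        sigcheck=1
    else
        sigcheck=0; status=1
        echo "FAIL: 'option check_signature' missing from $conf"
    fi

    # 2. Verification needs at least one public key file in keys/.
    if [ -z "$(find "$topdir/keys" -type f 2>/dev/null | head -n 1)" ]; then
        status=1
        echo "FAIL: no key files in $topdir/keys"
    fi

    # 3. Without signature checks, a plain-HTTP feed is fetched unauthenticated.
    if [ "$sigcheck" -eq 0 ]; then
        insecure=$(grep -E '^[[:space:]]*src(/gz)?[[:space:]]+[^[:space:]]+[[:space:]]+http://' "$conf" || true)
        if [ -n "$insecure" ]; then
            status=1
            echo "FAIL: unauthenticated HTTP feed(s):"
            echo "$insecure"
        fi
    fi

    [ "$status" -eq 0 ] && echo "OK: signed feeds enforced in $topdir"
    return "$status"
}

# Build a constructed sample tree: $1 = directory, $2 = "signed" or "unsigned".
make_sample_tree() {
    mkdir -p "$1/keys"
    printf '%s\n' 'src/gz example_core http://downloads.example.org/packages' \
        'src imagebuilder file:packages' > "$1/repositories.conf"
    if [ "$2" = signed ]; then
        echo 'option check_signature' >> "$1/repositories.conf"
        echo 'constructed placeholder, not a real usign key' > "$1/keys/placeholder"
    fi
}
```

The audit returns 0 when the tree enforces signed feeds, 1 when a check fails and 2 when repositories.conf is absent; it inspects configuration only and does not validate the key material itself.
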
Without an absolute path to staging_dir/host/bin/sstrip the Makefile
tries to run a host installed version of sstrip, which is likely not
available.
Signed-off-by: Paul Spooren <mail@aparcar.org>

The buildbots generate a kmod archive which should be used instead of a
local copy. This is possible due to the introduction of a kernelversion
specific feed.

This commit adds the ability of using only signed package feeds.

Signed-off-by: Paul Spooren <mail@aparcar.org>

The `libfakeroot` files are currently missing in the ImageBuilder. As
`fakeroot` is always built, copy those files unconditionally.
Signed-off-by: Paul Spooren <mail@aparcar.org>

This speeds up the packing of the imagebuilder a lot:

imagebuilder-T0.tar.xz real 0m25.199s user 2m45.967s sys 0m1.218s
imagebuilder-T1.tar.xz real 2m02.543s user 2m02.418s sys 0m1.653s
imagebuilder-T2.tar.xz real 1m03.684s user 1m59.931s sys 0m0.587s
imagebuilder-T3.tar.xz real 0m48.033s user 2m02.904s sys 0m0.637s
imagebuilder-T4.tar.xz real 0m38.963s user 2m15.521s sys 0m0.783s
imagebuilder-T5.tar.xz real 0m37.994s user 2m21.461s sys 0m0.919s
imagebuilder-T6.tar.xz real 0m39.524s user 2m48.115s sys 0m1.279s
imagebuilder-T7.tar.xz real 0m34.061s user 2m45.097s sys 0m1.174s
imagebuilder-T8.tar.xz real 0m27.286s user 2m55.449s sys 0m1.329s
imagebuilder-T9.tar.xz real 0m25.205s user 2m44.894s sys 0m1.208s

To keep the output reproducible in any case, we enforce a minimum amount
of 2 threads.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[refactored into reusable NPROC var, more verbose commit message]
Signed-off-by: Petr Štetiar <ynezz@true.cz>