Complete support for local signing keys for APK.
A local key will be always generated, mkndx is always called with
--allow-untrusted as it needs to replace the sign key with the new local
one.
With CONFIG_SIGNATURE_CHECK the local index is signed with the local
key. Local public key is added with the ADD_LOCAL_KEY option.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
To better support imagebuilder declaring --repositories-file on calling
apk macro, detach this and --repository from rootfs.mk macro and move it
to package Makefile and image.mk where they are used to permit a more
generic usage.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Rework handling of post-install scripts for APK. As we do with OPKG,
lets just iterate between each post-install package so we can actually
check if something fail in applying them.
To do this we first extract each .post-install script in APK
scripts.tar.
Also remove these files from final image as they are needed only for the
first installation of the packages.
Link: https://github.com/openwrt/openwrt/pull/15543
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Since we set the root for APK it tries to use those during the build,
which shouldn't happen since local package are used instead.
Disable the repositories by manually setting an empty repository.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Skip removal of APK cache since now deprecated as APK doesn't make use
of cache anymore in our configuration.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Due to missing quotes the script would wrongly assume APK to be enabled
and don't run post install scripts, breaking pretty much everything.
Signed-off-by: Paul Spooren <mail@aparcar.org>
A new option called `USE_APK` is added which generated APK packages
(.apk) instead of OPKG packages (.ipk).
Some features like fstools `snapshot` command are not yet ported
Signed-off-by: Paul Spooren <mail@aparcar.org>
This reverts commit c42b915af0.
Now that rpcd uses the 'Auto-Installed' field to differentiate between
deliberately and implicitely installed packages we can remove the
hotfix.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Commit be9023ed43 ("build: fix opkg flags in rootfs") introduced a
call to 'awk' which removes the 'user' flag from all installed
packages in the opkg status file. While is is somehow desireable when
building images directly within the buildroot, when using the
ImageBuilder dropping the 'user' flag means loosing information about
a package being deliberately selected or just implicitely pulled as a
dependency. And that then break tools like 'auc' which request only
packages having the 'user' flag from the asu server, resulting in
broken images being delivered to users.
Restore the original behavior in case of an image being created using
the ImageBuilder.
Fixes: be9023ed43 ("build: fix opkg flags in rootfs")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
By default opkg sets the "user" flag when a package is installed,
which resulted in most packages in the rootfs having this flag
set incorrectly. This patch removes the "user" flag from all
installed packages when preparing the rootfs image.
Fixes: #14427
Signed-off-by: Justin Klaassen <justin@tidylabs.app>
Fix shellcheck SC2230
> which is non-standard. Use builtin 'command -v' instead.
Using `command -v` is POSIX compliant while `which` is not. Also to
mention, `command -v` is a shell builtin whereas `which` is a separate
busybox applet.
Once applied to everything concerning OpenWrt we can disable the busybox
feature `which` and save 3.8kB.
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Paul Spooren <mail@aparcar.org>
[also replace cases in zram-swap]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Some tools doesn't support SOURCE_DATE_EPOCH (e.g. initramfs images).
Ensure all files of a root filesystem are set to SOURCE_DATE_EPOCH.
Make initramfs builds reproducible (for ramips).
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
Adds a new variable DISABLED_SERVICES to ImageBuilder Makefile, which
defines a list of services (installed as /etc/init.d/*) to be disabled
during the build of a custom image (normally all are enabled).
It comes handy when a particular service should not be run under normal
circumstances, but should be ready in the image for situations when it
might be needed.
Signed-off-by: Richard Musil <risa2000x@gmail.com>
Currently every file in boot directory is copied over target /boot on
root file system and is usually inaccessible because appropriate boot
file system is mounted on top of it. Therefore remove /boot, which in
result will also save space on target root file system.
Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
In addition to removing redundant code, this fixes various issues in
IB-generated images that have been fixed in prepare_rootfs before,
including better handling of CONFIG_CLEAN_IPKG and enabling of initscripts
from FILES.
We also reuse the opkg macro and remove --force-... flags that have been
removed from rootfs.mk as well.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
/usr/lib/opkg/status must not be removed completely, otherwise the
packages' conffile lists will be missing. Replace it with a reduced version
only containing the conffile entries.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
When a user removes a preinstalled opkg package, the package's prerm script
(and in particular our default_prerm) should run.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This fixes the following errors when doing "make package/install"
/home/yousong/git-repo/lede-project/lede/build_dir/target-mips_24kc_musl/root-malta/lib/functions/procd.sh: line 47: /home/yousong/git-repo/l
ede-project/lede/build_dir/target-mips_24kc_musl/root-malta/var/lock/procd_urandom_seed.lock: No such file or directory
flock: 1000: Bad file descriptor
Fixes FS#1260
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Require-User is handled by /etc/uci-defaults/13_fix_group_user on first
boot, so we need to keep these when removing all opkg data with
CONFIG_CLEAN_IPKG.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
If a package nonshared status is changed, a stale .ipk file might still
be present in the old package directory. Remove the .ipk file from all
package directories when building a new one (or explicitly running
clean)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The Gluon firmware framework [1] uses postinst scripts for sanity checks.
Make the build fail when a postinst script exits with an error to make
these sanity checks effective.
All postinst scripts in packages from the LEDE core and the packages feed
seem to work correctly with this change and will always return 0 unless
something is very broken.
[1] https://github.com/freifunk-gluon/gluon
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Especially --force-overwrite and --force-depends will often lead to broken
images; it's better to fail the build in such cases than to silently ignore
the errors.
Instead, ignore errors in the per-device rootfs opkg remove command, so
the build doesn't break when packages can't be removed because of
dependencies.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Running prepare_rootfs on TARGET_DIR deletes the opkg state when
CONFIG_CLEAN_IPKG is enabled, making the per-device rootfs package install
fail.
To avoid this, create a copy of the TARGET_DIR before prepare_rootfs is run
and use this as basis for per-device rootfs generation.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
opkg's -l option is always interpreted relative to the installation root.
This leads to very weird paths inside the rootfs (containing the whole path
to the LEDE tree on the build machine) and causes the subsequent deletion
of the list directory to fail (cluttering the resulting images).
Instead, use the default list directory and remove its contents in
prepare_rootfs.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>