diff --git a/basic.sh b/basic.sh index 89910e6..eb89cb6 100755 --- a/basic.sh +++ b/basic.sh @@ -4,7 +4,7 @@ set -e SOURCE_DIR=$(realpath $(dirname "${0}"))/basic # Install packages -apk --no-cache add ca-certificates curl bridge e2fsprogs-extra gettext iptables kbd-misc libcap libressl libseccomp postfix python3 py3-bcrypt py3-cffi py3-dnspython py3-jinja2 py3-requests py3-six py3-werkzeug nginx util-linux +apk --no-cache add ca-certificates curl bridge e2fsprogs-extra gettext iptables kbd-misc libcap libressl libseccomp postfix python3 py3-bcrypt py3-cffi py3-cryptography py3-dnspython py3-jinja2 py3-requests py3-six py3-werkzeug nginx util-linux if [ ${DEBUG:-0} -eq 1 ]; then # Install some utilities for DEBUG mode apk --no-cache add git file htop less openssh-server openssh-sftp-server tar xz diff --git a/zz-extra/lxc-pack b/zz-extra/lxc-pack index 8bc2740..41ca130 100755 --- a/zz-extra/lxc-pack +++ b/zz-extra/lxc-pack @@ -6,13 +6,20 @@ import os import subprocess import sys +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.hazmat.primitives.serialization import load_pem_private_key + BUILD_ROOT = '/root/buildroot' LXC_ROOT = '/var/lib/lxc' -def pack(meta_file): +def pack(pkg_file): + if os.path.is_dir(pkg_file): + pkg_file = os.path.join(pkg_file, 'pkg') # Prepare metadata meta = {} - with open(meta_file) as fd: + with open(pkg_file) as fd: for line in fd: line = [l.strip() for l in line.split(':', 1)] meta[line[0]] = line[1] @@ -35,7 +42,7 @@ def pack(meta_file): subprocess.run(['tar', 'cpf', tar_path, meta['lxcpath']], cwd=LXC_ROOT) if '/' not in meta['lxcpath']: print('Archiving setup files') - cwd = os.path.dirname(os.path.abspath(meta_file)) + cwd = os.path.dirname(os.path.abspath(pkg_file)) subprocess.run(['tar', 'rpf', tar_path, 'setup', 'setup.sh'], cwd=cwd) print('Compressing', tar_path) subprocess.run(['xz', '-9', tar_path]) @@ -55,7 +62,12 @@ def pack(meta_file): # Sign packages print('Signing packages') - subprocess.run(['openssl', 'dgst', '-sha512', '-sign', 'packages.key', '-out', 'packages.sha512', 'packages'], cwd=BUILD_ROOT) + with open(os.path.join(BUILD_ROOT, 'packages.key'), 'rb') as fd: + priv_key = load_pem_private_key(fd.read(), None, default_backend()) + with open(os.path.join(BUILD_ROOT, 'packages'), 'rb') as fd: + data = fd.read() + with open(os.path.join(BUILD_ROOT, 'packages.sha512'), 'wb') as fd: + fd.write(priv_key.sign(data, ec.ECDSA(hashes.SHA512()))) def hash_file(file_path): sha512 = hashlib.sha512()