Pass `--checksum md5` and `--checksum sha256` to opkg-make-index.
Sha256 checksum enables more reliable install-time validation of IPKs.
This is particularly useful when installing from signed feeds --
I.e. feeds using signed Packages index files that deliver otherwise
unsigned IPKs. Such feeds rely on hash validation of enclosed IPKs to
thwart tampering. After download, opkg verifies IPK's checksum against
the (signed) Packages index file. Weak hashes like md5 are prone to
collision and therefore tampering.
The md5 checksum is purely for backward compatibility. Sha256 validation
was recently added to opkg. Newer builds of opkg will use it. Older
builds still look for an md5 checksum. Md5 is deprecated and should be
removed once old build are phased out.
Testing: I ran `bitbake package-index` after building a few IPKs and
verified MD5Sum and SHA256sum attributes are present in Packages.
Using opkg-utils 0.4.0.
Performance Impact: It takes about 40 seconds to cleanly re-index 8000
IPKs on an Intel Xeon E5-1620 machine. This was previously about
20 seconds.
NOTE: It's recommended to delete all Packages* files after applying this
patch. Otherwise, some IPKs won't have sha256.
Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
if not os.path.exists(pkgs_file):
open(pkgs_file, "w").close()
- index_cmds.add('%s -r %s -p %s -m %s' %
+ index_cmds.add('%s --checksum md5 --checksum sha256 -r %s -p %s -m %s' %
(opkg_index_cmd, pkgs_file, pkgs_file, pkgs_dir))
index_sign_files.add(pkgs_file)
