Diffstat (limited to 'linux')
| -rw-r--r-- | linux/.config | 10 | ||||
| -rw-r--r-- | linux/makepkg/PKGBUILD | 39 | 
2 files changed, 37 insertions, 12 deletions
|
diff --git a/linux/.config b/linux/.config
index b483d41..6ba6018 100644
--- a/linux/.config
+++ b/linux/.config
@@ -70,6 +70,16 @@ CONFIG_PROFILE_DEFAULT=""
 CONFIG_PROFILE_DEFAULT_SEARCH="https://duckduckgo.com/?q=%1&ia=web"
 CONFIG_PROFILE_DEFAULT_HOMEPAGE="about:blank"
 CONFIG_PROFILE_DEFAULT_NEWTAB="about:blank"
+CONFIG_USEPLUGINS=y
+
+#
+# Plugin Settings
+#
+# CONFIG_PLUGIN_SIGNATURE_IGNORED is not set
+# CONFIG_PLUGIN_SIGNATURE_NONFATAL is not set
+CONFIG_PLUGIN_SIGNATURE_CHECKED=y
+# CONFIG_PLUGIN_SIGNATURE_ENFORCED is not set
+CONFIG_PLUGIN_SIGNATURE_HASH="SHA256"
 # CONFIG_USEPLASMA is not set
 # CONFIG_USEBREAKPAD is not set
diff --git a/linux/makepkg/PKGBUILD b/linux/makepkg/PKGBUILD
index 3907ff8..badf319 100644
--- a/linux/makepkg/PKGBUILD
+++ b/linux/makepkg/PKGBUILD
@@ -26,6 +26,18 @@ sha512sums=('SKIP'
 #validgpgkeys=(# Aqua-sama <aqua@iserlohn-fortress.net>
 #              BB1C090188E3E32B375C13FD095DE26BC16D2E98)
+## Build Options
+
+# Run menuconfig
+#_menuconfig=
+
+# Enable plugin signing:
+# - generate a 4096-bit RSA key and embed the public key into the binary
+# - apply the plugin signing patch to the config, enabling PluginLoader::verify
+# - sign the plugins with the private key, and install the signatures
+# Because this embeds the public key into the executable, enabling this option will break reproducible builds.
+_signPlugins=
+
 prepare() {
     cd $srcdir/smolbote
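Review bot: `CONFIG_PLUGIN_SIGNATURE_CHECKED=y` is chosen over `CONFIG_PLUGIN_SIGNATURE_ENFORCED` in the linux/.config hunk, and nothing on the page says what separates the four levels. If CHECKED only verifies a signature when one is present (the name suggests this, but the Kconfig help text is not visible here), a plugin installed without a `.sig` would load unverified, so the packaged default should either be ENFORCED or the choice should be explained where packagers will read it, for example in the PKGBUILD option comment. `CONFIG_PLUGIN_SIGNATURE_HASH="SHA256"` also has to stay in step with the hard-coded `-sha256` in the PKGBUILD signing loop; a short comment next to that `openssl dgst` call would make the coupling visible.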
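Review bot: The `_signPlugins` comment says enabling the option will "apply the plugin signing patch to the config", but this commit switches `CONFIG_USEPLUGINS` and `CONFIG_PLUGIN_SIGNATURE_CHECKED` on unconditionally in linux/.config and no patch step is visible in the prepare() hunk. With `_signPlugins=` left empty, the binary would then be built with verification compiled in while no key or signatures are produced, assuming the guard in prepare() works as intended. Either the config should follow the option or the comment should describe what actually happens, e.g. `# Signature checking is always compiled in (see linux/.config); this option only generates a key and signs the bundled plugins.` prepare() continues outside this hunk.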
@@ -33,16 +45,18 @@ prepare() {
     git config submodule.3rd-party/SingleApplication/SingleApplication.git.url $srcdir/SingleApplication
     git submodule update 3rd-party/SingleApplication/SingleApplication.git
-    msg "Creating OpenSSL signing key"
-    mkdir $srcdir/signing
-    cd $srcdir/signing
-    # generate rsa keypair
-    openssl genrsa -out privateKey.pem 4096
-    msg2 "RSA/4096 key created in $srcdir/signing/privateKey.pem. Keep this key if you want to sign additional plugins."
-
-    openssl rsa -in privateKey.pem -pubout -out publicKey.pem
-    xxd -i publicKey.pem $srcdir/smolbote/src/plugin/publicKey.h
-    msg2 "Public key exported, and will be embedded into the resulting application. This will break reproducible builds."
+    if [ -n $_signPlugins ]; then
+        msg "Creating OpenSSL signing key"
+        mkdir $srcdir/signing
+        cd $srcdir/signing
+        # generate rsa keypair
+        openssl genrsa -out privateKey.pem 4096
+        msg2 "Keypair written to $srcdir/signing/privateKey.pem."
+
+        openssl rsa -in privateKey.pem -pubout -out publicKey.pem
+        ./tools/hexdump.py --name='publicKey_pem' publicKey.pem $srcdir/smolbote/src/plugin/publicKey.h
+        msg2 "Public key exported to $srcdir/signing/publicKey.pem."
+    fi
 }
 pkgver() {
@@ -71,7 +85,7 @@ build() {
     # b_lto: Use link time optimization
     meson --buildtype=plain --prefix=/usr/local --auto-features=disabled \
         -Db_pie=true -Db_lto=true -Dcpp_link_args="-fuse-ld=gold" \
-        -DPlasma=enabled -Dmanpage=enabled \
+        -Dmanpage=enabled \
         $srcdir/build
     # Run menuconfig
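Review bot: The guard `if [ -n $_signPlugins ]; then` in prepare() is always true, because with `_signPlugins` empty the unquoted expansion vanishes and `[ -n ]` tests the literal string `-n`; it should read `if [ -n "$_signPlugins" ]; then`. Inside the branch, `./tools/hexdump.py` is called after `cd $srcdir/signing`, so the relative path resolves under the signing directory; presumably the script lives in the checkout and the call should start with `"$srcdir"/smolbote/tools/hexdump.py`. The private key is written unencrypted under the default umask, so a `umask 077` before `openssl genrsa` would keep it unreadable to other local users, and `mkdir -p` would let a rebuild in the same `$srcdir` proceed.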
@@ -87,9 +101,10 @@ package() {
     cd $srcdir/build
     DESTDIR="$pkgdir" ninja install
-    msg Signing plugins
+    msg "Signing plugins"
     for so in $pkgdir/usr/local/lib/smolbote/plugins/*.so; do
         openssl dgst -sha256 -sign $srcdir/signing/privateKey.pem -out $so.sig $so
+        install -m644 $so.sig $pkgdir/usr/lib/smolbote/plugins/$so.sig
     done
 } |
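Review bot: The added `install` line in package() builds its destination from `$so`, which is already the full path under `$pkgdir/usr/local/lib/...`, so the target becomes `$pkgdir/usr/lib/smolbote/plugins/$pkgdir/usr/local/...`, and its `/usr/lib` prefix disagrees with the `/usr/local` prefix the loop reads from. `openssl dgst -out $so.sig` has already placed the signature next to the plugin, so setting the mode in place is enough. The loop is also not conditioned on `_signPlugins`, so a build with signing disabled would fail on the missing `privateKey.pem` (or ship unsigned plugins against a binary that checks signatures). The fence below guards the loop and quotes the expansions.
```shell
    # … unchanged: cd $srcdir/build, ninja install …
    if [ -n "$_signPlugins" ]; then
        msg "Signing plugins"
        for so in "$pkgdir"/usr/local/lib/smolbote/plugins/*.so; do
            # digest must match CONFIG_PLUGIN_SIGNATURE_HASH in linux/.config
            openssl dgst -sha256 -sign "$srcdir/signing/privateKey.pem" -out "$so.sig" "$so"
            chmod 644 "$so.sig"
        done
    fi
```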
