Diffstat (limited to 'linux')
-rw-r--r--linux/.config10
-rw-r--r--linux/makepkg/PKGBUILD39
2 files changed, 37 insertions, 12 deletions
diff --git a/linux/.config b/linux/.config
index b483d41..6ba6018 100644
--- a/linux/.config
+++ b/linux/.config
@@ -70,6 +70,16 @@ CONFIG_PROFILE_DEFAULT=""
CONFIG_PROFILE_DEFAULT_SEARCH="https://duckduckgo.com/?q=%1&ia=web"
CONFIG_PROFILE_DEFAULT_HOMEPAGE="about:blank"
CONFIG_PROFILE_DEFAULT_NEWTAB="about:blank"
+CONFIG_USEPLUGINS=y
+
+#
+# Plugin Settings
+#
+# CONFIG_PLUGIN_SIGNATURE_IGNORED is not set
+# CONFIG_PLUGIN_SIGNATURE_NONFATAL is not set
+CONFIG_PLUGIN_SIGNATURE_CHECKED=y
+# CONFIG_PLUGIN_SIGNATURE_ENFORCED is not set
+CONFIG_PLUGIN_SIGNATURE_HASH="SHA256"
# CONFIG_USEPLASMA is not set
# CONFIG_USEBREAKPAD is not set
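Review bot: The committed default selects `CONFIG_PLUGIN_SIGNATURE_CHECKED=y` rather than `CONFIG_PLUGIN_SIGNATURE_ENFORCED`, and nothing visible here states how the four modes differ. If "checked" still loads a plugin whose signature is missing or invalid (the names suggest this, but the loader is not shown), then anyone who can write to the plugin directory can get unsigned code loaded. The difference should be documented in the option's help text or the commit description, with a statement of which mode packagers are expected to ship. Also confirm that a build with plugins enabled and no embedded public key is handled, since the PKGBUILD in this commit makes key generation optional.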
diff --git a/linux/makepkg/PKGBUILD b/linux/makepkg/PKGBUILD
index 3907ff8..badf319 100644
--- a/linux/makepkg/PKGBUILD
+++ b/linux/makepkg/PKGBUILD
@@ -26,6 +26,18 @@ sha512sums=('SKIP'
#validgpgkeys=(# Aqua-sama <aqua@iserlohn-fortress.net>
# BB1C090188E3E32B375C13FD095DE26BC16D2E98)
+## Build Options
+
+# Run menuconfig
+#_menuconfig=
+
+# Enable plugin signing:
+# - generate a 4096-bit RSA key and embed the public key into the binary
+# - apply the plugin signing patch to the config, enabling PluginLoader::verify
+# - sign the plugins with the private key, and install the signatures
+# Because this embeds the public key into the executable, enabling this option will break reproducible builds.
+_signPlugins=
+
prepare() {
cd $srcdir/smolbote
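Review bot: The comment block above `_signPlugins=` does not say what value enables the option or what happens to the private key after the build. The removed message used to tell the packager to keep the key, and that hint is now gone. I would add `# Set to any non-empty value to enable.` and `# The private key is written unencrypted to $srcdir/signing/privateKey.pem; move it somewhere protected or delete it after packaging.` The second line matters because that key can sign a plugin which every binary built with the matching public key will accept.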
@@ -33,16 +45,18 @@ prepare() {
git config submodule.3rd-party/SingleApplication/SingleApplication.git.url $srcdir/SingleApplication
git submodule update 3rd-party/SingleApplication/SingleApplication.git
- msg "Creating OpenSSL signing key"
- mkdir $srcdir/signing
- cd $srcdir/signing
- # generate rsa keypair
- openssl genrsa -out privateKey.pem 4096
- msg2 "RSA/4096 key created in $srcdir/signing/privateKey.pem. Keep this key if you want to sign additional plugins."
-
- openssl rsa -in privateKey.pem -pubout -out publicKey.pem
- xxd -i publicKey.pem $srcdir/smolbote/src/plugin/publicKey.h
- msg2 "Public key exported, and will be embedded into the resulting application. This will break reproducible builds."
+ if [ -n $_signPlugins ]; then
+ msg "Creating OpenSSL signing key"
+ mkdir $srcdir/signing
+ cd $srcdir/signing
+ # generate rsa keypair
+ openssl genrsa -out privateKey.pem 4096
+ msg2 "Keypair written to $srcdir/signing/privateKey.pem."
+
+ openssl rsa -in privateKey.pem -pubout -out publicKey.pem
+ ./tools/hexdump.py --name='publicKey_pem' publicKey.pem $srcdir/smolbote/src/plugin/publicKey.h
+ msg2 "Public key exported to $srcdir/signing/publicKey.pem."
+ fi
}
pkgver() {
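Review bot: The guard `if [ -n $_signPlugins ]; then` is always true: with `_signPlugins` empty the unquoted expansion vanishes and `[ -n ]` tests the non-empty string `-n`, so the key is generated and embedded even when the option is off. It should be `if [ -n "$_signPlugins" ]; then`. Inside the block, `./tools/hexdump.py` runs after `cd $srcdir/signing`, so the relative path resolves under the signing directory. If the script lives in the smolbote checkout, which is not visible here, the call probably needs `"$srcdir/smolbote/tools/hexdump.py"`. prepare() begins outside this hunk.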
@@ -71,7 +85,7 @@ build() {
# b_lto: Use link time optimization
meson --buildtype=plain --prefix=/usr/local --auto-features=disabled \
-Db_pie=true -Db_lto=true -Dcpp_link_args="-fuse-ld=gold" \
- -DPlasma=enabled -Dmanpage=enabled \
+ -Dmanpage=enabled \
$srcdir/build
# Run menuconfig
@@ -87,9 +101,10 @@ package() {
cd $srcdir/build
DESTDIR="$pkgdir" ninja install
- msg Signing plugins
+ msg "Signing plugins"
for so in $pkgdir/usr/local/lib/smolbote/plugins/*.so; do
openssl dgst -sha256 -sign $srcdir/signing/privateKey.pem -out $so.sig $so
+ install -m644 $so.sig $pkgdir/usr/lib/smolbote/plugins/$so.sig
done
}
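Review bot: The signing loop in package() is not gated on `_signPlugins`, so once the test in prepare() is fixed a build with the option off will fail here because `$srcdir/signing/privateKey.pem` does not exist. The added `install` line also builds its destination from `$so`, which is already a full path under `$pkgdir/usr/local/lib/...`, so the target becomes `$pkgdir/usr/lib/smolbote/plugins/$pkgdir/usr/local/lib/...` and points at `/usr/lib` while the plugins sit in `/usr/local/lib`. Since `openssl dgst -out $so.sig` already writes the signature next to the plugin, the sketch below assumes that is where it belongs, sets the mode in place, and quotes every expansion. package() begins outside this hunk.

```shell
# … unchanged: cd to build dir, ninja install …
  if [ -n "$_signPlugins" ]; then
    msg "Signing plugins"
    for so in "$pkgdir"/usr/local/lib/smolbote/plugins/*.so; do
      openssl dgst -sha256 -sign "$srcdir/signing/privateKey.pem" -out "$so.sig" "$so"
      chmod 644 "$so.sig"
    done
  fi
```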