Diffstat (limited to 'linux')
-rw-r--r-- | linux/.config | 10 | ||||
-rw-r--r-- | linux/makepkg/PKGBUILD | 39 |
2 files changed, 37 insertions, 12 deletions
diff --git a/linux/.config b/linux/.config index b483d41..6ba6018 100644 --- a/linux/.config +++ b/linux/.config @@ -70,6 +70,16 @@ CONFIG_PROFILE_DEFAULT="" CONFIG_PROFILE_DEFAULT_SEARCH="https://duckduckgo.com/?q=%1&ia=web" CONFIG_PROFILE_DEFAULT_HOMEPAGE="about:blank" CONFIG_PROFILE_DEFAULT_NEWTAB="about:blank" +CONFIG_USEPLUGINS=y + +# +# Plugin Settings +# +# CONFIG_PLUGIN_SIGNATURE_IGNORED is not set +# CONFIG_PLUGIN_SIGNATURE_NONFATAL is not set +CONFIG_PLUGIN_SIGNATURE_CHECKED=y +# CONFIG_PLUGIN_SIGNATURE_ENFORCED is not set +CONFIG_PLUGIN_SIGNATURE_HASH="SHA256" # CONFIG_USEPLASMA is not set # CONFIG_USEBREAKPAD is not set diff --git a/linux/makepkg/PKGBUILD b/linux/makepkg/PKGBUILD index 3907ff8..badf319 100644 --- a/linux/makepkg/PKGBUILD +++ b/linux/makepkg/PKGBUILD @@ -26,6 +26,18 @@ sha512sums=('SKIP' #validgpgkeys=(# Aqua-sama <aqua@iserlohn-fortress.net> # BB1C090188E3E32B375C13FD095DE26BC16D2E98) +## Build Options + +# Run menuconfig +#_menuconfig= + +# Enable plugin signing: +# - generate a 4096-bit RSA key and embed the public key into the binary +# - apply the plugin signing patch to the config, enabling PluginLoader::verify +# - sign the plugins with the private key, and install the signatures +# Because this embeds the public key into the executable, enabling this option will break reproducible builds. +_signPlugins= + prepare() { cd $srcdir/smolbote 
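Review bot: The shipped default sets `CONFIG_PLUGIN_SIGNATURE_CHECKED=y` and leaves `CONFIG_PLUGIN_SIGNATURE_ENFORCED` unset, and nothing visible here says what CHECKED does with a plugin whose signature is missing or invalid. If CHECKED still loads such a plugin (the IGNORED/NONFATAL/CHECKED/ENFORCED names suggest graded levels, to be confirmed against the Kconfig help), the default does not stop an unsigned plugin from loading, and packagers who rely on signing need ENFORCED. The default also enables checking unconditionally, while linux/makepkg/PKGBUILD is meant to generate the embedded public key only when `_signPlugins` is set, so a default build may be configured to verify against a key header that was never generated. Since `.config` is generated, I would put one sentence per level in the Kconfig help text or the commit description rather than in this file.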
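Review bot: The `_signPlugins` comment promises a step that no hunk in this commit performs: "apply the plugin signing patch to the config" has no matching patch call in prepare() or build(), and linux/.config already sets `CONFIG_PLUGIN_SIGNATURE_CHECKED=y` regardless of the option. The comment should describe what the option really changes. It should also carry over the hint that the removed msg2 line gave about the private key, for example `# The private key is left unencrypted in $srcdir/signing/privateKey.pem; keep it to sign further plugins and protect or delete it afterwards.` Without that, a packager has no indication that an unencrypted signing key is left in the build tree.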
@@ -33,16 +45,18 @@ prepare() { git config submodule.3rd-party/SingleApplication/SingleApplication.git.url $srcdir/SingleApplication git submodule update 3rd-party/SingleApplication/SingleApplication.git - msg "Creating OpenSSL signing key" - mkdir $srcdir/signing - cd $srcdir/signing - # generate rsa keypair - openssl genrsa -out privateKey.pem 4096 - msg2 "RSA/4096 key created in $srcdir/signing/privateKey.pem. Keep this key if you want to sign additional plugins." - - openssl rsa -in privateKey.pem -pubout -out publicKey.pem - xxd -i publicKey.pem $srcdir/smolbote/src/plugin/publicKey.h - msg2 "Public key exported, and will be embedded into the resulting application. This will break reproducible builds." + if [ -n $_signPlugins ]; then + msg "Creating OpenSSL signing key" + mkdir $srcdir/signing + cd $srcdir/signing + # generate rsa keypair + openssl genrsa -out privateKey.pem 4096 + msg2 "Keypair written to $srcdir/signing/privateKey.pem." + + openssl rsa -in privateKey.pem -pubout -out publicKey.pem + ./tools/hexdump.py --name='publicKey_pem' publicKey.pem $srcdir/smolbote/src/plugin/publicKey.h + msg2 "Public key exported to $srcdir/signing/publicKey.pem." + fi } pkgver() { @@ -71,7 +85,7 @@ build() { # b_lto: Use link time optimization meson --buildtype=plain --prefix=/usr/local --auto-features=disabled \ -Db_pie=true -Db_lto=true -Dcpp_link_args="-fuse-ld=gold" \ - -DPlasma=enabled -Dmanpage=enabled \ + -Dmanpage=enabled \ $srcdir/build # Run menuconfig @@ -87,9 +101,10 @@ package() { cd $srcdir/build DESTDIR="$pkgdir" ninja install - msg Signing plugins + msg "Signing plugins" for so in $pkgdir/usr/local/lib/smolbote/plugins/*.so; do openssl dgst -sha256 -sign $srcdir/signing/privateKey.pem -out $so.sig $so + install -m644 $so.sig $pkgdir/usr/lib/smolbote/plugins/$so.sig done } |
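Review bot: The new guard `if [ -n $_signPlugins ]; then` is always true. With `_signPlugins=` left empty, the unquoted expansion vanishes and `[ -n ]` tests the literal string `-n`, so the keypair is generated and embedded even when the option is off; it should be `if [ -n "$_signPlugins" ]; then`. Inside the block, `./tools/hexdump.py` runs after `cd $srcdir/signing`, so the relative path resolves under the signing directory. If the script lives in the smolbote checkout (not visible in this hunk), it should be called by its path under `$srcdir/smolbote`, otherwise `publicKey.h` is never written. `mkdir $srcdir/signing` will also fail when prepare() is re-run on an existing tree; `mkdir -p` avoids that.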
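Review bot: The signing loop in package() is not gated on `_signPlugins`, so with the option off it tries to sign with a `$srcdir/signing/privateKey.pem` that prepare() was not supposed to create. The added `install -m644 $so.sig $pkgdir/usr/lib/smolbote/plugins/$so.sig` also builds a wrong destination: `$so` already holds the full `$pkgdir/usr/local/lib/...` path, so it gets appended to a second `$pkgdir` prefix. It also targets `/usr/lib`, while the meson call uses `--prefix=/usr/local`. Because `openssl dgst ... -out $so.sig` already writes the signature next to the plugin, the install line can be replaced by a mode fix, and the expansions should be quoted so a path containing spaces does not split. Where the loader expects to find the `.sig` file is not visible here and should be confirmed.

```shell
    DESTDIR="$pkgdir" ninja install

    if [ -n "$_signPlugins" ]; then
        msg "Signing plugins"
        for so in "$pkgdir"/usr/local/lib/smolbote/plugins/*.so; do
            # the signature is written next to the plugin it covers
            openssl dgst -sha256 -sign "$srcdir/signing/privateKey.pem" -out "$so.sig" "$so"
            chmod 644 "$so.sig"
        done
    fi
```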