From: Hannu Nyman <hannu.nyman@iki.fi>
Date: Sun, 26 Apr 2026 18:16:48 +0000 (+0300)
Subject: sdk: add support to sign each .apk package by sdk
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;ds=inline;p=thirdparty%2Fopenwrt.git

sdk: add support to sign each .apk package by sdk

Add support to signing each package's .apk file into SDK.
This adds into SDK the feature added by f20794a to the normal builds.

Currently SDK does not sign the compiled packages, causing untrusted
package errors at package installation. The reason is the logic of
defaulting to 'n' in BUILDBOT and 'y' elsewhere. As downloadable SDKs
are compiled by the buildbot, the option gets 'n' set as the default.
And the option is not among the few build options exposed in the SDK
menuconfig, so the user can't easily change it.

Enable the feature by default:

* Exclude the SIGN_EACH_PACKAGE option from sdk/convert-config.pl
* Default to 'y' and expose the option in the SDK config menu.

(Avoiding untrusted errors naturally requires the user to copy the
public key into the router, quite similar as with full builds.)

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/23104
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
---

diff --git a/target/sdk/convert-config.pl b/target/sdk/convert-config.pl
index 08189df95cb..88eea151af8 100755
--- a/target/sdk/convert-config.pl
+++ b/target/sdk/convert-config.pl
@@ -8,6 +8,7 @@ while (<>) {
 	my $type;
 	chomp;
 	next if /^CONFIG_SIGNED_PACKAGES/;
+	next if /^CONFIG_SIGN_EACH_PACKAGE/;
 
 	if (/^CONFIG_((BINARY)|(DOWNLOAD))_FOLDER=(.*)$/) {
 		# We don't want to preserve the build setting of
diff --git a/target/sdk/files/Config.in b/target/sdk/files/Config.in
index 0cf68faa6e1..422b0bb782a 100644
--- a/target/sdk/files/Config.in
+++ b/target/sdk/files/Config.in
@@ -18,6 +18,15 @@ menu "Global build settings"
 		bool "Cryptographically sign package lists"
 		default y
 
+	config SIGN_EACH_PACKAGE
+		bool "Cryptographically sign each package .apk file"
+		depends on USE_APK
+		default y
+		help
+		  Sign also the individual package .apk file. Removes the need for
+		  --allow-untrusted when installing self-compiled packages to a
+		  firmware compiled by the same buildhost as public key matches.
+
 	comment "General build options"
 
 	config BUILD_PATENTED