APK, unlike OPKG, can sign individual packages and not just indexes.
Since OpenWrt uses a distributed build infrastructure and only the build
master owns the private keys, signing of individual buildworkers doesn't
work. Right now, each buildworker creates a temporary build key to sign
packages, then transmits the package index to the buildmaster for a
signature.
As a result, all individual packages contain a nonsensical signature,
making them harder to reproduce. This commit removes the individual
package signing.
Since APK requires signatures per default, explicitly allow installation
of unsigned packages during the build process.
The config option here is for historical reasons misleading,
SIGNED_PACKAGES refers to the package index, not the individual
packages.
Signed-off-by: Paul Spooren <mail@aparcar.org>
The package bump to version rc6 incorporates two recent changes, first, the
stored `mtime` honors SOURCE_DATE_EPOCH, making a prior "touch" obsolete.
Secondly the order of files added to created packages is now sorted, improving
reproducibility, too.
Signed-off-by: Paul Spooren <mail@aparcar.org>
APK kindly stores the mtime of each containing file in created packages,
breaking reproducibility. As a fix, touch all files of the package with the
timestamp of PKGSOURCE_DATE_EPOCH, which contains the timestamp based on the
last package modification.
Over at OPKG, something similar is done by setting mtime in the tar command,
see the `ipkg-build` script.
To tackle this in APK directly, some changes are suggested. However until this
is merged, we should fix it downstream.
https://gitlab.alpinelinux.org/alpine/apk-tools/-/merge_requests/348
Signed-off-by: Paul Spooren <mail@aparcar.org>
This commit fixes "aff2f096235 include: make APK .list files reproducible"
since it would create the .list file while `find` still runs. This causes the
.list file to be part of itself. As an alternative, write the file to a
temporary folder first and then move it.
Fix: aff2f09623 include: make APK .list files reproducible
Signed-off-by: Paul Spooren <mail@aparcar.org>
OpenWrt library packages are often named using their ABI version,
for example 'libubus20250102'. Updates that cause the ABI version
to change result in changes to the package name. This makes it
impossible for downstream tools to determine when a package update
is available without further information.
The opkg package manager stores the ABI version as part of its
package metadata in the ABIVersion field. This makes extraction
of the canonical name of the package possible, allowing various
versions of a package to be associated with one another, their
versions or build dates compared.
We add a custom tag 'openwrt:abiversion=<ABI version>' to the
apk v3 package metadata, restoring the status quo and making it
functionally backwards compatible with opkg (the tag format was
selected per the guidelines in the apk-tools documentation).
Links: 1925de55be
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/19082
Signed-off-by: Robert Marko <robimarko@gmail.com>
Currently, postrm scripts are not being executed when package is removed
with APK since they are not being included at all.
So, lets use APK-s support for post-deinstall scripts and ship our postrm
scripts if packages define them.
Fixes: d788ab376f ("build: add APK package build capabilities")
Link: https://github.com/openwrt/openwrt/pull/17023
Signed-off-by: Robert Marko <robimarko@gmail.com>
Currently, when you install a package that ships uci-defaults scripts they
are not getting executed during package installation.
For example, if you install a new LuCI theme it ships a uci-defaults script
to add it to the UCI LuCI config so the theme is actually selectable but
that does not happen until the device is rebooted so that uci-defaults
script is actually executed.
It turns out that the recipe for post-install is the issue since it will
include contents of postinst-pkg before the call to default_postinist.
This is an issue since postinst-pkg will exit with code 0 before we ever
reach the call to default_postinist.
So, lets simply make the call to default_postinist before postinst-pkg
inclusion which is what OPKG based installation does.
The same issue affects pre-deinstall script but its not actually being hit
since we dont seem to be actually even generating prerm-pkg scripts but
lets fix this theoretical issue as well.
Fixes: #16987
Fixes: d788ab376f ("build: add APK package build capabilities")
Link: https://github.com/openwrt/openwrt/pull/17023
Signed-off-by: Robert Marko <robimarko@gmail.com>
We have a lot of script-only packages that are universal for all arch-s
and those set PKGARCH:=all to indicate it.
Unfortunately, APK expects architecture to be set to "noarch" instead to
indicate that its universal so instead of having to update all packages
that set PKGARCH:=all and thus break OPKG lets simply translate "all" to
"noarch" when generating the APK package.
This will be required as soon we update APK to include [1] as it will start
enforcing package architecture checks.
[1] c1a3e69f24
Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/17015
Signed-off-by: Robert Marko <robimarko@gmail.com>
Currently, trying to use APK to install a package that has a dependency on
a virtual package that needs to be resolved via 'provides' it will fail if
package does not have 'DEFAULT_VARIANT:=1' like:
apk add usbutils
ERROR: unable to select packages:
libudev (virtual):
note: please select one of the 'provided by' packages explicitly
provided by: libudev-zero
required by: usbutils-017-r1[libudev]
Issue is that we dont set 'provider_priority' that APK uses to break ties
when choosing a virtual package to satisfy a dependency and thus despite
only one package providing the dependency it will still end up with a tie
and just error out.
So, lets simply fix this by providing a default value for
'provider_priority' when 'DEFAULT_VARIANT' is not set and then APK will
be able to resolve dependencies.
Fixes: #16976
Link: https://github.com/openwrt/openwrt/pull/17008
Signed-off-by: Robert Marko <robimarko@gmail.com>
Escape special char for package description for APK mkpkg as the
description is passed as an args to mkpkg with --info option and can
easily escape from the "".
Currently escaped char `, $, ", \.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Previously APK would complain as it wasn't sure which package to
install by default when multiple packages would provide the same name.
Now, give the package a higher provider priority to make APK
automatically select the "default" package.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Adding a version to the provides causes it to conflict with other
packages that provides the same package, further details are available
here: https://gitlab.alpinelinux.org/alpine/apk-tools/-/blob/master/doc/apk-package.5.scd#L199
This was intitally done, if I remember correctly, to support depending
on the specific kernel modules. Due to patches to APK, versions
containing hashes work now, too, so this is no longer required.
Only add the version to packages that define an ABI version since other
packages depend against the package name plus ABI version.
While at it, format the now rather complex call.
Fixes: https://github.com/openwrt/openwrt/issues/16795
Signed-off-by: Paul Spooren <mail@aparcar.org>
Set missing Maintainer and URL info for .apk creation.
Fixes: d788ab376f ("build: add APK package build capabilities")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Remove whitespace for Description info for .apk creation
Fixes: b6bbc76c0b ("include/package-pack: set missing Description on .apk creation")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Set missing description info on .apk creation. This was probably a TODO
that wasn't notice when the final implementation was pushed.
Fixes: d788ab376f ("build: add APK package build capabilities")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This reverts commit 25bbefcdd9.
Only the Config-build.in change needed to be merged and this contains
leftover from previous revision of the feature.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
For non-overlay configuration we need checksum for config file that
weren't modified by the user. For OPKG in sysupgrade we check the status
file for the Conffiles: entry of every package. this entry contains
checksum for every static file that the package contains.
Provide the same info for APK by creating a conffiles_static file and
parse this file on sysupgrade for non-overlay configurations.
This is also used by the sysupgrade -u option to exclude non-changed
files from the final backup.
Link: https://github.com/openwrt/openwrt/pull/15543
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Add special handling for CONTROL conffiles. Some packages (base-files)
manually append stuff to the CONTROL directory.
The CONTROL directory is something for OPKG that is added in the root of
the ipkg directory and usually contains postinst, list, and conffiles
file. For APK the implementation is different, to keep compatibility
with this and maybe other packages, apply manual fixup and check for
these corner case.
Also check if the CONTROL directory is present and is empty to make sure
we don't drop other special file while removing any pending CONTROL
directory in the ipkg directory.
Link: https://github.com/openwrt/openwrt/pull/15543
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
A new option called `USE_APK` is added which generated APK packages
(.apk) instead of OPKG packages (.ipk).
Some features like fstools `snapshot` command are not yet ported
Signed-off-by: Paul Spooren <mail@aparcar.org>
