@shubhamk0205

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Reference to Existing Issue

Closes #149

Description of Changes

Implements package checksum publishing to enable package verification.

Changes:

  • Added make package/index in runbuild to generate Packages file with SHA256 checksums
  • Filtered to only include openwisp packages using awk
  • Saved as Packages.sha256.checksum following OpenWRT's standard format

Result:
Users can now verify downloaded packages using the published SHA256 checksums.

Note: No tests added as this is a build script change only.

Screenshot

N/A
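
Added example, not part of the pull request or the OpenWISP code: one way a user could check downloaded .ipk files against the published Packages.sha256.checksum. It assumes the file keeps opkg-style stanzas with Filename: and SHA256sum: fields and that a sha256sum supporting -c is installed; the function names and the sample package are constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code). Assumes opkg-style stanzas with
# "Filename:" and "SHA256sum:" fields and a sha256sum that supports -c.

# Convert index $1 to sha256sum's "<hash>  <file>" check format.
index_to_sums() {
	awk '
		# The index is untrusted input: drop any directory part of the name.
		/^Filename: /  { file = $2; sub(/.*\//, "", file) }
		/^SHA256sum: / { sum = $2 }
		/^$/           { if (file != "" && sum != "") print sum "  " file; file = sum = "" }
		END            { if (file != "" && sum != "") print sum "  " file }
	' "$1"
}

# Verify packages in directory $2 against index $1.
# Returns 0 if all match, 1 on mismatch or missing file, 2 on unusable index.
verify_packages() {
	index=$1 pkgdir=$2
	[ -s "$index" ] || { echo "ERROR: empty or missing index: $index" >&2; return 2; }
	sums=$(index_to_sums "$index")
	[ -n "$sums" ] || { echo "ERROR: no Filename/SHA256sum pairs in $index" >&2; return 2; }
	printf '%s\n' "$sums" | (cd "$pkgdir" && sha256sum -c -) || return 1
}

# Constructed sample: one fake package, a matching stanza, then a tampered copy.
demo() {
	d=$(mktemp -d) || return 2
	pkg=openwisp-config_1.0_all.ipk
	printf 'constructed package payload\n' >"$d/$pkg"
	digest=$(sha256sum "$d/$pkg" | cut -d' ' -f1)
	printf 'Package: openwisp-config\nFilename: %s\nSHA256sum: %s\n\n' \
		"$pkg" "$digest" >"$d/Packages.sha256.checksum"
	ok=0;  verify_packages "$d/Packages.sha256.checksum" "$d" || ok=$?
	echo tampered >>"$d/$pkg"   # simulate a modified download
	bad=0; verify_packages "$d/Packages.sha256.checksum" "$d" || bad=$?
	rm -rf "$d"
	[ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo && echo "demo: intact package accepted, tampered package rejected"
```

A matching hash only shows that the file equals what the index describes; because the index in this PR is generated unsigned, the checksum file itself has to be fetched over a channel the user already trusts.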

Add make package/index to generate Packages file with SHA256 checksums.
Filter to only include openwisp packages and save as Packages.sha256.checksum
following OpenWRT's standard format.

Fixes openwisp#149

shubhamk0205 force-pushed the issues/149-upload-package-checksums branch from 9ef2da4 to 32c5451 on December 28, 2025 18:35
shubhamk0205 force-pushed the issues/149-upload-package-checksums branch from 4591a21 to 046744a on December 28, 2025 19:39

Ensure usign tool is compiled and installed before running make package/index.
This fixes the 'usign: No such file or directory' error when cache is used.

The usign tool is required for package signing during index generation.
Replace invalid tools/usign/compile target with proper tools/install.
This ensures all required host tools including usign are built before
running make package/index.

shubhamk0205 force-pushed the issues/149-upload-package-checksums branch 4 times, most recently from e8daae4 to ed1f00f on December 30, 2025 22:30


Add check for usign binary existence before running make package/index.
If usign is missing from cache, build it using tools/usign/compile.

Also ensures output directory exists before writing checksum file
and uses improved awk filtering for better multi-package support.

Closes openwisp#149

shubhamk0205 force-pushed the issues/149-upload-package-checksums branch from ed1f00f to 49366ad on December 30, 2025 23:27

@nemesifier
Member

@coderabbitai review

@coderabbitai

coderabbitai bot commented Dec 30, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai bot commented Dec 30, 2025

Walkthrough

The build script now ensures the usign signing tool exists (building it if missing), generates an unsigned OpenWrt package index (SIGNED_PACKAGES=), and creates an openwisp subdirectory for built packages. The Packages file is filtered to include only openwisp- packages and a Packages.sha256.checksum is produced via awk. Built openwrt/openwisp package output is moved into a versioned destination directory (VERSIONED_DIR), and the latest symlink is recreated to point to that version.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks

✅ Passed checks (4 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and specifically describes the main change: publishing package checksums in the CI process, directly referencing issue #149.
Description check | ✅ Passed | The description covers required sections including issue reference, changes made, and results, though test cases section is marked as not applicable for build script changes.
Linked Issues check | ✅ Passed | The code changes fully implement the objectives from issue #149: generating and publishing SHA256 checksums for packages, enabling users to verify package authenticity.
Out of Scope Changes check | ✅ Passed | All changes in the runbuild script are directly aligned with implementing package checksum publishing as specified in issue #149; no out-of-scope modifications detected.

Comment @coderabbitai help to get the list of available commands and usage tips.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
runbuild (1)

64-70: Consider validating the filtered output.

The awk script correctly extracts package stanzas, but there's no verification that:

  1. The input Packages file exists and is readable
  2. Any openwisp packages were found and written to the checksum file

While the earlier make package/index should ensure the Packages file exists, adding validation would make the script more robust and help catch unexpected issues during CI runs.

🔎 Suggested validation
 ' "$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/Packages" \
 	>"$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp/Packages.sha256.checksum"
+
+# Verify that checksums were generated
+if [ ! -s "$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp/Packages.sha256.checksum" ]; then
+	echo "Error: No openwisp packages found in Packages file"
+	exit 1
+fi
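Review bot: the `-s` test in the added lines also fires when awk could not read the Packages file at all, because the `>` redirect has already created an empty output file, so "No openwisp packages found" would be reported for a missing index too. Check that the input file exists before running awk and give that case its own message, and send the error text to stderr with `>&2` so it is not lost when stdout is captured.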
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 746a34c and a848b45.

📒 Files selected for processing (1)
  • runbuild
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build and Upload Packages
🔇 Additional comments (1)
runbuild (1)

61-61: Remove the SIGNED_PACKAGES= variable; set CONFIG_SIGNED_PACKAGES in .config instead.

The SIGNED_PACKAGES= make variable does not override the CONFIG_SIGNED_PACKAGES Kconfig symbol used by OpenWrt's build system. To generate unsigned package indexes, you must disable signing in the .config file before invoking make package/index, either by:

  • Setting # CONFIG_SIGNED_PACKAGES is not set in .config, or
  • Running make menuconfig and disabling "Signed packages"

The current syntax will not prevent Packages.sig generation if CONFIG_SIGNED_PACKAGES is enabled.

Likely an incorrect or invalid review comment.

runbuild Outdated
Comment on lines 55 to 58
# Build usign tool if not already built (required for package index generation)
if [ ! -f staging_dir/host/bin/usign ]; then
	make -j"$CORES" tools/usign/compile || make -j1 V=s tools/usign/compile
fi
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate and examine the runbuild file
find . -name "runbuild" -type f

Repository: openwisp/openwisp-config

Length of output: 78


🏁 Script executed:

# Once found, examine the context around lines 55-70
if [ -f runbuild ]; then
  sed -n '45,75p' runbuild
fi

Repository: openwisp/openwisp-config

Length of output: 1227


🌐 Web query:

OpenWrt 24.10 package index generation usign requirement SIGNED_PACKAGES

💡 Result:

Short answer: In OpenWrt 24.10 the SIGNED_PACKAGES build option controls whether the build/system generates signed package indexes (Packages.sig / sha256sums.sig / etc.). When SIGNED_PACKAGES is enabled the build will produce signature files for the Packages index and require a signing key (key-build / usign private key) to sign them; when it is disabled no Packages.sig is created and imagebuilder/SDK behavior falls back to unsigned indexes (or may still verify if opkg on target is configured to check signatures). [1][2][3]

What to do (practical steps)

  • To enable signed package indexes: enable SIGNED_PACKAGES in your build (or export SIGNED_PACKAGES=1) and make sure the signing key pair is available to the build:
    • Provide key-build (private) and key-build.pub (public) at the buildroot top-level (or export USIGN_PRIV_KEY and USIGN_PUB_KEY environment variables pointing to the key contents) so the build can create Packages.sig. [2][4]
  • If using the ImageBuilder / SDK: either supply the keys (as above) or disable SIGNED_PACKAGES for local image builds; missing key-build will cause "Signing package index..." errors. The ImageBuilder/SDK changes and discussions explain that signing/verification were split so builds can opt in/out and that buildbot/master nodes normally perform signing. [3][5]
  • If you want opkg on devices to verify signatures, ensure CHECK_SIGNATURE / installation of the public key under /etc/opkg/keys is configured (this is separate from creating signatures). [5]

References

  • Patch/commit discussion of SIGNED_PACKAGES and separation of signing/verification options. [5]
  • ImageBuilder/SDK signing discussions (ImageBuilder added package signature verification; errors when no key present). [3][4]
  • Example OpenWrt release package directories showing .sig / sha256sums.sig presence for signed package repos. [1]

If you want, tell me whether you’re building in a CI, locally, or using ImageBuilder/SDK and I’ll give the exact Makefile/buildroot variable or example commands to provide the keys.


🏁 Script executed:

# Check if usign is used elsewhere in the script after line 70
wc -l runbuild

Repository: openwisp/openwisp-config

Length of output: 79


🏁 Script executed:

# View the entire script to see if usign is used after line 70
cat -n runbuild

Repository: openwisp/openwisp-config

Length of output: 2868


Remove the usign build or clarify why it's actually needed—the current comment contradicts the actual unsigned package generation.

Line 55's comment claims usign is "required for package index generation," but line 60 explicitly states the generated index is "unsigned - no usign needed." According to OpenWrt 24.10 documentation, when SIGNED_PACKAGES is empty (as in line 61), unsigned package index generation does not require the usign binary. The usign tool is never used elsewhere in the script, making the build at lines 55-58 appear unnecessary for this workflow.

Either remove the usign build entirely, or if it's needed for a hidden reason, clarify the comment to explain the actual requirement. The current comment is factually incorrect.

🤖 Prompt for AI Agents
In file runbuild around lines 55-58: the comment and code build usign even
though downstream the script generates an unsigned package index and
SIGNED_PACKAGES is empty, so the usign build appears unnecessary; either remove
the three-line usign build block entirely (and any dead references) or, if usign
is actually required for a separate hidden step, update the comment to
explicitly state that reason and point to where usign is consumed; before
removing, grep the script and related build steps to confirm usign is not
referenced elsewhere and if removing, also delete the corresponding staging_dir
artifact handling to avoid orphaned logic.

- Build tools/install if usign binary is not present in staging_dir/host/bin
- Only builds tools when usign is actually missing (efficient check)
- Fixes 'usign: No such file or directory' error in CI
- Handles both CI_CACHE and non-cache scenarios

The error occurred because make package/index requires the usign binary
to exist even when SIGNED_PACKAGES= is set to skip signing. This is due
to OpenWRT's SHA-512 padding workaround in the Makefile that runs
unconditionally.

Using tools/install instead of tools/usign/compile ensures all tool
dependencies are properly built and avoids 'No rule to make target' errors.

shubhamk0205 force-pushed the issues/149-upload-package-checksums branch from a848b45 to 3c69722 on January 4, 2026 11:11

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
runbuild (1)

65-72: Consider adding defensive checks for the Packages file and filtered output.

The awk filtering logic is correct—it captures entire package stanzas from "Package: openwisp-" until the blank line separator. However, consider adding checks to fail early with clear error messages:

  1. Verify the source Packages file exists before filtering
  2. Verify the filtered output is non-empty (at least one openwisp package found)
🔎 Proposed defensive checks
 # Filter Packages file to include only openwisp packages and save as checksum file
+PACKAGES_FILE="$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/Packages"
+if [ ! -f "$PACKAGES_FILE" ]; then
+	echo "ERROR: Packages file not found at $PACKAGES_FILE"
+	exit 1
+fi
+
 mkdir -p "$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp"
+CHECKSUM_FILE="$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp/Packages.sha256.checksum"
+
 awk '
 	/^Package: openwisp-/ {flag=1}
 	flag {print}
 	/^$/ {flag=0}
-' "$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/Packages" \
-	>"$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp/Packages.sha256.checksum"
+' "$PACKAGES_FILE" > "$CHECKSUM_FILE"
+
+if [ ! -s "$CHECKSUM_FILE" ]; then
+	echo "WARNING: No openwisp packages found in Packages file"
+	exit 1
+fi
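Review bot: in the last added block the message is labelled WARNING but the next line is `exit 1`, so the build fails on what the log calls a warning; label it ERROR to match the first check. Both `echo` lines write to stdout, so redirect them with `>&2`, and since CHECKSUM_FILE repeats the directory path already passed to `mkdir -p`, define that directory once and reuse it so the two cannot drift apart.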
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a848b45 and 3c69722.

📒 Files selected for processing (1)
  • runbuild
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: QA-Checks and Tests
🔇 Additional comments (3)
runbuild (3)

62-63: LGTM! Package index generation command is correct.

The make package/index SIGNED_PACKAGES= command correctly generates an unsigned package index. The empty SIGNED_PACKAGES= value explicitly requests unsigned index generation, which aligns with the PR objectives.


74-77: LGTM! Move and symlink operations are correct.

The operations correctly move the openwisp package directory (containing the checksum file) to the versioned directory and update the latest symlink to point to it. The || true on line 76 safely handles the case where the latest symlink doesn't exist yet.


55-60: Remove the usign build (lines 55–60)—the "SHA-512 padding workaround" claim contradicts both line 62 and OpenWrt documentation.

The comment on line 56 claims usign is required for a "SHA-512 padding workaround" even for unsigned package indices, but this contradicts the comment on line 62 which explicitly states "(unsigned - no usign needed)". OpenWrt documentation confirms that unsigned package index generation (with SIGNED_PACKAGES=) does not require usign; usign is only needed if you want to sign the index with a detached .sig file.

Since the index is generated unsigned and the comment on line 62 acknowledges no usign is needed, lines 55–60 waste build time. Either remove this unnecessary tool build, or clarify in the code comments why usign is actually required for your use case.

Likely an incorrect or invalid review comment.

Development

Successfully merging this pull request may close these issues.

[ci] Upload checksum value for packages
