From 54a2c8d087e65ce5389586b62b2ec41f00c0c8c0 Mon Sep 17 00:00:00 2001 From: Paul Spooren Date: Wed, 6 Mar 2019 21:43:01 +0100 Subject: [PATCH] attendedsyuspgrade-common: add key and set server In collaboration with @dangowrt the server makes use of `ucert`. Active workers sign created firmware and clients check if the signature is valid. Certs of *hacked* or inactive workers can be revoked. Private CA key is **not** stored on the upgrade server. Only for devices already supporting ucert via firmware metadata. Signed-off-by: Paul Spooren --- utils/attendedsysupgrade-common/Makefile | 7 +++++-- .../files/attendedsysupgrade.defaults | 2 +- utils/attendedsysupgrade-common/files/c06d891233ba699 | 2 ++ 3 files changed, 8 insertions(+), 3 deletions(-) create mode 100644 utils/attendedsysupgrade-common/files/c06d891233ba699 diff --git a/utils/attendedsysupgrade-common/Makefile b/utils/attendedsysupgrade-common/Makefile index d1419ae1a..52170404b 100644 --- a/utils/attendedsysupgrade-common/Makefile +++ b/utils/attendedsysupgrade-common/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=attendedsysupgrade-common -PKG_VERSION:=0.1 -PKG_RELEASE:=2 +PKG_VERSION:=0.2 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-2.0 include $(INCLUDE_DIR)/package.mk @@ -51,6 +51,9 @@ endef define Package/attendedsysupgrade-common/install $(INSTALL_DIR) $(1)/etc/uci-defaults/ $(INSTALL_BIN) ./files/attendedsysupgrade.defaults $(1)/etc/uci-defaults/attendedsysupgrade + + $(INSTALL_DIR) $(1)/etc/opkg/keys/ + $(INSTALL_BIN) ./files/c06d891233ba699 $(1)/etc/opkg/keys/c06d891233ba699 endef $(eval $(call BuildPackage,attendedsysupgrade-common)) diff --git a/utils/attendedsysupgrade-common/files/attendedsysupgrade.defaults b/utils/attendedsysupgrade-common/files/attendedsysupgrade.defaults index f7fb1ebde..3d65afba3 100644 --- a/utils/attendedsysupgrade-common/files/attendedsysupgrade.defaults +++ b/utils/attendedsysupgrade-common/files/attendedsysupgrade.defaults 
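Review bot: The key file added in the second Makefile hunk (`Package/attendedsysupgrade-common/install`) is installed with `$(INSTALL_BIN)`, which marks it executable even though a public key is only read as data; `$(INSTALL_DATA) ./files/c06d891233ba699 $(1)/etc/opkg/keys/c06d891233ba699` would install it non-executable. Separately, `/etc/opkg/keys/` appears to be the directory opkg also consults when verifying signed package lists, so a key placed there would be trusted for package feeds as well as for the ucert firmware signatures the commit message describes. If that wider trust is intended, a comment above the two new lines should say so, e.g. `# CA public key for ucert firmware verification; also trusted by opkg for feed signatures`. The file name has 15 hex digits, so it is worth confirming that it matches the fingerprint the verifier actually looks up.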
@@ -6,7 +6,7 @@ touch /etc/config/attendedsysupgrade uci -q batch <