chore: bump QDK to 2.3.11

edhongcy · edhongcy · commit b93cf6d4030e · 2020-05-28T10:02:39.000+08:00
diff --git a/QDK_2.x/bin/qbuild b/QDK_2.x/bin/qbuild
@@ -521,9 +521,14 @@ do_code_signing(){
 	fi
 	[ -z "$QNAP_CODE_SIGNING_SERVER_IP" ] && QNAP_CODE_SIGNING_SERVER_IP=$DEFAULT_QNAP_CODE_SIGNING_SERVER_IP
 	[ -z "$QNAP_CODE_SIGNING_SERVER_PORT" ] && QNAP_CODE_SIGNING_SERVER_PORT=$DEFAULT_QNAP_CODE_SIGNING_SERVER_PORT
-	$CS_PYTHON "${QDK_SCRIPTS_DIR}/codesigning_qpkg.py" cwd="`pwd`" buildpath=$build_dir csv="${QNAP_CODE_SIGNING_CSV}" server=${QNAP_CODE_SIGNING_SERVER_IP}:${QNAP_CODE_SIGNING_SERVER_PORT} | tee -a code_signing.log 
-	if [ $? != 0 ]; then
-		err_msg "$QDK_QPKG_FILE: Failed to add anti-tamper support"
+	if [ "$QNAP_CODE_SIGNING_SERVER_IP" = "172.17.21.68" ]; then
+		msg "$QPKG_NAME: Do not used 172.17.21.68:5000 anymore. Please use codesigning.qnap.com.tw:5001. You also need to check the DNS setting on your build environment so that codesigning.qnap.com.tw can be resolved properly"
+		QNAP_CODE_SIGNING_SERVER_IP="codesigning.qnap.com.tw"
+		QNAP_CODE_SIGNING_SERVER_PORT="5001"
+	fi
+	$CS_PYTHON "${QDK_SCRIPTS_DIR}/codesigning_qpkg.py" cwd="`pwd`" buildpath=$build_dir csv="${QNAP_CODE_SIGNING_CSV}" server=${QNAP_CODE_SIGNING_SERVER_IP}:${QNAP_CODE_SIGNING_SERVER_PORT} 2>&1 | tee -a code_signing.log
+	if [ ${PIPESTATUS[0]} != 0 ]; then
+		err_msg "$QPKG_NAME: Failed to add anti-tamper support"
 	fi
 }
 
@@ -934,6 +939,11 @@ add_qpkg_signature(){
 		verbose_msg "Connecting to code signing server to create digital signature..."
 		[ -z "$QNAP_CODE_SIGNING_SERVER_IP" ] && QNAP_CODE_SIGNING_SERVER_IP=$DEFAULT_QNAP_CODE_SIGNING_SERVER_IP
 		[ -z "$QNAP_CODE_SIGNING_SERVER_PORT" ] && QNAP_CODE_SIGNING_SERVER_PORT=$DEFAULT_QNAP_CODE_SIGNING_SERVER_PORT
+		if [ "$QNAP_CODE_SIGNING_SERVER_IP" = "172.17.21.68" ]; then
+			msg "$QPKG_NAME: Do not used 172.17.21.68:5000 anymore. Please use codesigning.qnap.com.tw:5001. You also need to check the DNS setting on your build environment so that codesigning.qnap.com.tw can be resolved properly"
+			QNAP_CODE_SIGNING_SERVER_IP="codesigning.qnap.com.tw"
+			QNAP_CODE_SIGNING_SERVER_PORT="5001"
+		fi
 		openssl dgst -sha1 -binary "${QDK_QPKG_FILE}" > "${QDK_QPKG_FILE}.sha"
 		$CS_PYTHON "${QDK_SCRIPTS_DIR}/codesigning_qpkg_cms.py" \
 			cwd="`pwd`" server=${QNAP_CODE_SIGNING_SERVER_IP}:${QNAP_CODE_SIGNING_SERVER_PORT} \
@@ -1609,12 +1619,17 @@ add_code_signing(){
 	# Source the configuration file to make all its fields available.
 	. "$code_signing_cfg" || err_msg "$code_signing_cfg: corrupt configuration file"
 
-	if [ -z "$PRIVATE_KEY" ]; then
+	if [ "x${QNAP_CODE_SIGNING}" = "x1" ]; then
 		# Connecting to server
 	[ -z "$QNAP_CODE_SIGNING_SERVER_IP" ] && QNAP_CODE_SIGNING_SERVER_IP=$DEFAULT_QNAP_CODE_SIGNING_SERVER_IP
 	[ -z "$QNAP_CODE_SIGNING_SERVER_PORT" ] && QNAP_CODE_SIGNING_SERVER_PORT=$DEFAULT_QNAP_CODE_SIGNING_SERVER_PORT
 		[ -n "$QPKG_NAME" ] || err_msg "$code_signing_cfg: QPKG_NAME not provided"
 		[ -n "$QPKG_VER" ] || err_msg "$code_signing_cfg: QPKG_VER not provided"
+		if [ "$QNAP_CODE_SIGNING_SERVER_IP" = "172.17.21.68" ]; then
+			msg "$QPKG_NAME: Do not used 172.17.21.68:5000 anymore. Please use codesigning.qnap.com.tw:5001. You also need to check the DNS setting on your build environment so that codesigning.qnap.com.tw can be resolved properly"
+			QNAP_CODE_SIGNING_SERVER_IP="codesigning.qnap.com.tw"
+			QNAP_CODE_SIGNING_SERVER_PORT="5001"
+		fi
 	else
 		# 3rd party, not connected to server, sign using local certificate and private key
                 [ -f "$QNAP_CERT" ] || err_msg "$code_signing_cfg: QNAP_CERT $QNAP_CERT cannot be found"
@@ -1636,15 +1651,21 @@ add_code_signing(){
 	#eval "$dd_cmd"
 	openssl dgst -sha1 -binary "${qpkg}.$$" > "${qpkg}.sha"
 
-	if [ -z "$PRIVATE_KEY" ]; then
+	if [ "x${QNAP_CODE_SIGNING}" = "x1" ]; then
 	# Send qpkg digest to server
 		verbose_msg "Connecting to code signing server to create digital signature..."
 		$CS_PYTHON "${QDK_SCRIPTS_DIR}/codesigning_qpkg_cms.py" server=${QNAP_CODE_SIGNING_SERVER_IP}:${QNAP_CODE_SIGNING_SERVER_PORT} qpkgname=${QPKG_NAME} version=${QPKG_VER} in="${qpkg}.sha" out="${qpkg}.msg" 2>&1 | tee -a code_signing.log
 	else
 		# 3rd party, not connected to server, sign using local certificate and private key
 		verbose_msg "Creating code signing digital signature..."
+		if [ -f "${CA_CERTS}" ]; then
 		openssl cms -sign -in "${qpkg}.sha" -binary -nodetach -out "${qpkg}.msg" \
+				-signer ${QNAP_CERT} -inkey ${PRIVATE_KEY} \
+				-certfile ${CA_CERTS} 2>/dev/null
+		else
+			openssl cms -sign -in "${qpkg}.sha" -binary -nodetach -out "${qpkg}.msg" \
 				-signer ${QNAP_CERT} -inkey ${PRIVATE_KEY} 2>/dev/null
+		fi
 		local err_code=$?
 		if [ $err_code = "2" ]; then
 			warn_msg "Failed to open certificate or private key"
@@ -1682,6 +1703,11 @@ verify_code_signing_online(){
 
 	[ -z "$QNAP_CODE_SIGNING_SERVER_IP" ] && QNAP_CODE_SIGNING_SERVER_IP=$DEFAULT_QNAP_CODE_SIGNING_SERVER_IP
 	[ -z "$QNAP_CODE_SIGNING_SERVER_PORT" ] && QNAP_CODE_SIGNING_SERVER_PORT=$DEFAULT_QNAP_CODE_SIGNING_SERVER_PORT
+	if [ "$QNAP_CODE_SIGNING_SERVER_IP" = "172.17.21.68" ]; then
+		msg "$QPKG_NAME: Do not used 172.17.21.68:5000 anymore. Please use codesigning.qnap.com.tw:5001. You also need to check the DNS setting on your build environment so that codesigning.qnap.com.tw can be resolved properly"
+		QNAP_CODE_SIGNING_SERVER_IP="codesigning.qnap.com.tw"
+		QNAP_CODE_SIGNING_SERVER_PORT="5001"
+	fi
 
 	local curl_cmd=
 	local output=
@@ -1771,17 +1797,24 @@ verify_code_signing_offline(){
 	openssl cms -verify -in $1 -CAfile $ca_cert 2>/dev/null > $verify_dgst_file
 	$CMD_CMP $2 $verify_dgst_file 2>/dev/null
 	if [ $? -eq 0 ]; then
-		msg "Code signing digital signature verification successful"
+		msg "Code signing digital signature verification successful (QNAP-issued certificate)"
 		ret=0
 	else
 		openssl cms -verify -in $1 -CAfile $ca_cert_2 2>/dev/null > $verify_dgst_file
 		$CMD_CMP $2 $verify_dgst_file 2>/dev/null
 		if [ $? -eq 0 ]; then
-			msg "Code signing digital signature verification successful"
+			msg "Code signing digital signature verification successful (QNAP-issued certificate)"
 			ret=0
 		else
-			msg "Code signing digital signature verification failed"
-			ret=1
+			openssl cms -verify -purpose any -CApath /etc/ssl/certs/ -in $1 > $verify_dgst_file
+			$CMD_CMP $2 $verify_dgst_file 2>/dev/null
+			if [ $? -eq 0 ]; then
+				msg "Code signing digital signature verification successful (non QNAP-issued certificate)"
+				ret=0
+			else
+			        msg "Code signing digital signature verification failed"
+			        ret=1
+			fi
 		fi
 	fi
 	/bin/rm $verify_dgst_file
@@ -1815,7 +1848,7 @@ verify_code_signing(){
 	openssl dgst -sha1 -binary $qpkg_data_file 2>/dev/null > $dgst_file
 	/bin/dd if=$qpkg bs=1 skip=$code_signing_pos count=$code_signing_len 2>/dev/null > $signature_file
 	local ret=
-	if [ ! -f "private_key" ] && [ -z "$QNAP_CA_CERT" ]; then
+	if [ "x${QNAP_CODE_SIGNING}" = "x1"  ]; then
 		verify_code_signing_online ${signature_file} ${dgst_file}
 		ret=$?
 	else
diff --git a/QDK_2.x/qdk.conf b/QDK_2.x/qdk.conf
@@ -1 +1 @@
-QDK_VERSION=2.3.10
+QDK_VERSION=2.3.11
diff --git a/QDK_2.x/scripts/code_signing.cfg b/QDK_2.x/scripts/code_signing.cfg
@@ -1,4 +1,4 @@
 QPKG_NAME="QDK"
-QPKG_VER="2.3.10"
+QPKG_VER="2.3.11"
 QNAP_CODE_SIGNING_SERVER_IP=codesigning.qnap.com.tw
 QNAP_CODE_SIGNING_SERVER_PORT=5001
diff --git a/QDK_2.x/scripts/qinstall.sh b/QDK_2.x/scripts/qinstall.sh
@@ -5,7 +5,7 @@
 #
 # A QPKG installation script for QDK
 #
-# QDK V.2.3.9
+# QDK V.2.3.11
 #
 # Copyright (C) 2009,2010 QNAP Systems, Inc.
 # Copyright (C) 2010,2011 Michael Nordstrom

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-QDK_VERSION=2.3.10`
	`1`	`+QDK_VERSION=2.3.11`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`#`
`6`	`6`	`# A QPKG installation script for QDK`
`7`	`7`	`#`
`8`		`-# QDK V.2.3.9`
	`8`	`+# QDK V.2.3.11`
`9`	`9`	`#`
`10`	`10`	`# Copyright (C) 2009,2010 QNAP Systems, Inc.`
`11`	`11`	`# Copyright (C) 2010,2011 Michael Nordstrom`