feat(ota): add OTA signature verification and public key handling

Signed-off-by: luckfox-eng29 <eng29@luckfox.com>
2026-05-27 16:45:08 +02:00 · 2026-05-08 11:27:46 +08:00
parent d47bca1940
commit 233e6e9cd6
6 changed files with 626 additions and 118 deletions
--- a/30
+++ b/30
@@ -2,12 +2,19 @@ BRANCH    ?= $(shell git rev-parse --abbrev-ref HEAD)
 BUILDDATE ?= $(shell date -u +%FT%T%z)
 BUILDTS   ?= $(shell date -u +%s)
 REVISION  ?= $(shell git rev-parse HEAD)
-VERSION_DEV ?= 0.1.2-dev
-VERSION ?= 0.1.2
+VERSION_DEV ?= 0.1.3-dev
+VERSION ?= 0.1.3

 PROMETHEUS_TAG := github.com/prometheus/common/version
 KVM_PKG_NAME := kvm

+# OTA signing key path (Ed25519 private key for auto-signing at build time)
+OTA_SIGNING_KEY ?=
+
+# OTA signing public key (hex-encoded Ed25519 public key, 64 hex chars)
+# Default empty = signature verification disabled (backward compatible)
+OTA_PUBLIC_KEY ?=
+
 GO_BUILD_ARGS := -tags netgo
 GO_RELEASE_BUILD_ARGS := -trimpath $(GO_BUILD_ARGS)
 GO_LDFLAGS := \
@@ -15,7 +22,8 @@ GO_LDFLAGS := \
  -X $(PROMETHEUS_TAG).Branch=$(BRANCH) \
  -X $(PROMETHEUS_TAG).BuildDate=$(BUILDDATE) \
  -X $(PROMETHEUS_TAG).Revision=$(REVISION) \
-  -X $(KVM_PKG_NAME).builtTimestamp=$(BUILDTS)
+  -X $(KVM_PKG_NAME).builtTimestamp=$(BUILDTS) \
+  -X $(KVM_PKG_NAME).builtOtaPublicKey=$(OTA_PUBLIC_KEY)

 GO_CMD := GOOS=linux GOARCH=arm GOARM=7 go
 BIN_DIR := $(shell pwd)/bin
@@ -28,6 +36,12 @@ build_dev:
 		-ldflags="$(GO_LDFLAGS) -X $(KVM_PKG_NAME).builtAppVersion=$(VERSION_DEV)" \
 		$(GO_RELEASE_BUILD_ARGS) \
 		-o $(BIN_DIR)/kvm_app cmd/main.go
+	@if [ -n "$(OTA_SIGNING_KEY)" ]; then \
+		echo "Signing $(BIN_DIR)/kvm_app..."; \
+		go run cmd/main.go cli signer sign --key "$(OTA_SIGNING_KEY)" $(BIN_DIR)/kvm_app; \
+	else \
+		echo "OTA_SIGNING_KEY not set, skipping signing."; \
+	fi

 frontend:
 	cd ui && npm ci && npm run build:device
@@ -38,3 +52,13 @@ build_release: frontend
 		-ldflags="$(GO_LDFLAGS) -X $(KVM_PKG_NAME).builtAppVersion=$(VERSION)" \
 		$(GO_RELEASE_BUILD_ARGS) \
 		-o bin/kvm_app cmd/main.go
+	@if [ -n "$(OTA_SIGNING_KEY)" ]; then \
+		echo "Signing bin/kvm_app..."; \
+		go run cmd/main.go cli signer sign --key "$(OTA_SIGNING_KEY)" bin/kvm_app; \
+	else \
+		echo "OTA_SIGNING_KEY not set, skipping signing."; \
+	fi
+
+sign:
+	@echo "Signing firmware files..."
+	go run cmd/main.go cli signer sign --key $(KEY) $(FILES)