
[ci] Publish package checksums #149 #242

Merged
nemesifier merged 10 commits into openwisp:master from shubhamk0205:issues/149-upload-package-checksums
May 17, 2026

@shubhamk0205

Contributor

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Reference to Existing Issue

Closes #149

Description of Changes

Implements package checksum publishing to enable package verification.

Changes:

  • Added make package/index in runbuild to generate Packages file with SHA256 checksums
  • Filtered to only include openwisp packages using awk
  • Saved as Packages.sha256.checksum following OpenWRT's standard format

Result:
Users can now verify downloaded packages using the published SHA256 checksums.

Note: No tests added as this is a build script change only.

Screenshot

N/A
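
A consumer-side check for the checksum manifest this pull request publishes, as an added example that is not part of the PR or of the OpenWISP code base. It assumes the manifest keeps OpenWrt's Packages stanza format (`Filename:` and `SHA256sum:` fields) and that `sha256sum` or `shasum` is installed; the function names, the sample package version and its payload are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify downloaded .ipk files against a Packages-format manifest.

sha256_of() { # print the hex SHA-256 of file $1
	if command -v sha256sum >/dev/null 2>&1; then
		sha256sum "$1" | cut -d' ' -f1
	else
		shasum -a 256 "$1" | cut -d' ' -f1
	fi
}

# verify_manifest MANIFEST PKG_DIR
# Returns 0 if every stanza's file is present and matches, 1 on any
# missing file, missing checksum or mismatch, 2 if the manifest is unusable.
verify_manifest() {
	manifest=$1 pkg_dir=$2 failed=0
	[ -s "$manifest" ] || { echo "manifest missing or empty: $manifest" >&2; return 2; }
	# One "filename<TAB>digest" line per stanza; "-" marks a stanza with no digest.
	pairs=$(awk '
		function emit() { if (file != "") print file "\t" (sum == "" ? "-" : sum); file = sum = "" }
		/^Filename: /  { file = substr($0, 11) }
		/^SHA256sum: / { sum = $2 }
		/^$/           { emit() }
		END            { emit() }
	' "$manifest")
	[ -n "$pairs" ] || { echo "no package stanzas in $manifest" >&2; return 2; }
	tab=$(printf '\t')
	while IFS=$tab read -r file expected; do
		case $file in
		*/* | .*) # a manifest entry must name a file inside PKG_DIR, nothing else
			echo "REJECT   $file"; failed=1; continue ;;
		esac
		if [ ! -f "$pkg_dir/$file" ]; then
			echo "MISSING  $file"; failed=1
		elif [ "$expected" = "-" ]; then
			echo "NOSUM    $file"; failed=1
		elif [ "$(sha256_of "$pkg_dir/$file")" = "$expected" ]; then
			echo "OK       $file"
		else
			echo "MISMATCH $file"; failed=1
		fi
	done <<EOF
$pairs
EOF
	return "$failed"
}

# Constructed sample: a fake package (version and payload invented) plus its manifest.
make_sample() {
	sample_pkg="openwisp-config_0.0.0-1_all.ipk"
	printf 'constructed package payload\n' >"$1/$sample_pkg"
	printf 'Package: openwisp-config\nVersion: 0.0.0-1\nFilename: %s\nSHA256sum: %s\n\n' \
		"$sample_pkg" "$(sha256_of "$1/$sample_pkg")" >"$1/sha256.manifest"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
verify_manifest "$demo_dir/sha256.manifest" "$demo_dir" && echo "sample verifies"
printf 'tampered\n' >>"$demo_dir/$sample_pkg"
verify_manifest "$demo_dir/sha256.manifest" "$demo_dir" || echo "change detected (rc=$?)"
rm -rf "$demo_dir"
```

Because the manifest is unsigned, a match only means the package agrees with the manifest you hold; fetch the manifest over a channel you trust.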

Add make package/index to generate Packages file with SHA256 checksums.
Filter to only include openwisp packages and save as Packages.sha256.checksum
following OpenWRT's standard format.

Fixes openwisp#149
@shubhamk0205 shubhamk0205 force-pushed the issues/149-upload-package-checksums branch from 9ef2da4 to 32c5451 Compare December 28, 2025 18:35
@shubhamk0205 shubhamk0205 force-pushed the issues/149-upload-package-checksums branch from 4591a21 to 046744a Compare December 28, 2025 19:39
Ensure usign tool is compiled and installed before running make package/index.
This fixes the 'usign: No such file or directory' error when cache is used.

The usign tool is required for package signing during index generation.
Replace invalid tools/usign/compile target with proper tools/install.
This ensures all required host tools including usign are built before
running make package/index.
@shubhamk0205 shubhamk0205 force-pushed the issues/149-upload-package-checksums branch 4 times, most recently from e8daae4 to ed1f00f Compare December 30, 2025 22:30


Add check for usign binary existence before running make package/index.
If usign is missing from cache, build it using tools/usign/compile.

Also ensures output directory exists before writing checksum file
and uses improved awk filtering for better multi-package support.

Closes openwisp#149
@shubhamk0205 shubhamk0205 force-pushed the issues/149-upload-package-checksums branch from ed1f00f to 49366ad Compare December 30, 2025 23:27
@nemesifier

Member

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Dec 30, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Dec 30, 2025


Walkthrough

The script updates CI defaults (BUILD_DIR, DOWNLOADS_DIR, CORES), preserves test execution unless CI=1, and defines timestamped VERSIONED_DIR and LATEST_LINK. It disables OpenWrt signed package output by clearing CONFIG_SIGNED_PACKAGES in .config, conditionally installs tools/toolchain when CI_CACHE is unset, builds the openwisp package, runs make package/index to produce Packages.manifest (renamed to sha256.manifest after verification), removes generated JSON/Packages artifacts, moves the openwisp packages directory into the VERSIONED_DIR, and recreates the latest symlink.

Sequence Diagram(s)

sequenceDiagram
  participant CI as runbuild script
  participant Tools as tools/install
  participant Toolchain as toolchain/install
  participant OpenWrt as make (OpenWrt build)
  participant Storage as Filesystem

  CI->>Tools: run if CI_CACHE unset
  CI->>Toolchain: run if CI_CACHE unset
  CI->>OpenWrt: make package/openwisp-config/compile
  OpenWrt->>OpenWrt: make package/index (Packages.manifest)
  OpenWrt->>Storage: write Packages.manifest
  CI->>Storage: verify & rename to sha256.manifest, clean artifacts
  CI->>Storage: move openwisp package dir -> $VERSIONED_DIR
  CI->>Storage: remove & recreate $LATEST_LINK

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.


❌ Failed checks (1 error)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Bug Fixes | ❌ Error | Lines 68-69 lack the -f flag in rm commands. With set -e, the script will fail if .json files don't exist. No regression tests prevent recurrence. | Use rm -f on lines 68-69. Add shell script tests to ensure build succeeds when make package/index generates no .json files. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title follows the required format [ci] with a descriptive summary and includes the issue reference #149, matching the linked issue. |
| Description check | ✅ Passed | The description includes the checklist, issue reference (#149), clear description of changes with technical details, and acknowledges why tests weren't added. |
| Linked Issues check | ✅ Passed | The PR implements the core requirements from #149: publishing checksums for packages to enable verification, disabling package signing, and generating package index metadata. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to CI/build script modifications (runbuild) directly related to checksum publishing and package index generation required by issue #149. |

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
runbuild (1)

64-70: Consider validating the filtered output.

The awk script correctly extracts package stanzas, but there's no verification that:

  1. The input Packages file exists and is readable
  2. Any openwisp packages were found and written to the checksum file

While the earlier make package/index should ensure the Packages file exists, adding validation would make the script more robust and help catch unexpected issues during CI runs.

🔎 Suggested validation
 ' "$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/Packages" \
 	>"$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp/Packages.sha256.checksum"
+
+# Verify that checksums were generated
+if [ ! -s "$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp/Packages.sha256.checksum" ]; then
+	echo "Error: No openwisp packages found in Packages file"
+	exit 1
+fi
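
Review bot: the added `[ ! -s ... ]` test only proves the filtered file is non-empty, so a run in which some openwisp stanzas are missing from the output still passes; comparing the number of `Package: openwisp-` stanzas written with the number of packages built would catch that case. The `echo "Error: ..."` line writes to stdout and should go to stderr with `>&2`, and the output path, already spelled out in the redirect above, would be safer held in one variable.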
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 746a34c and a848b45.

📒 Files selected for processing (1)
  • runbuild
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build and Upload Packages
🔇 Additional comments (1)
runbuild (1)

61-61: Remove the SIGNED_PACKAGES= variable; set CONFIG_SIGNED_PACKAGES in .config instead.

The SIGNED_PACKAGES= make variable does not override the CONFIG_SIGNED_PACKAGES Kconfig symbol used by OpenWrt's build system. To generate unsigned package indexes, you must disable signing in the .config file before invoking make package/index, either by:

  • Setting # CONFIG_SIGNED_PACKAGES is not set in .config, or
  • Running make menuconfig and disabling "Signed packages"

The current syntax will not prevent Packages.sig generation if CONFIG_SIGNED_PACKAGES is enabled.

Likely an incorrect or invalid review comment.

Comment thread runbuild Outdated
- Build tools/install if usign binary is not present in staging_dir/host/bin
- Only builds tools when usign is actually missing (efficient check)
- Fixes 'usign: No such file or directory' error in CI
- Handles both CI_CACHE and non-cache scenarios

The error occurred because make package/index requires the usign binary
to exist even when SIGNED_PACKAGES= is set to skip signing. This is due
to OpenWRT's SHA-512 padding workaround in the Makefile that runs
unconditionally.

Using tools/install instead of tools/usign/compile ensures all tool
dependencies are properly built and avoids 'No rule to make target' errors.
@shubhamk0205 shubhamk0205 force-pushed the issues/149-upload-package-checksums branch from a848b45 to 3c69722 Compare January 4, 2026 11:11

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
runbuild (1)

65-72: Consider adding defensive checks for the Packages file and filtered output.

The awk filtering logic is correct—it captures entire package stanzas from "Package: openwisp-" until the blank line separator. However, consider adding checks to fail early with clear error messages:

  1. Verify the source Packages file exists before filtering
  2. Verify the filtered output is non-empty (at least one openwisp package found)
🔎 Proposed defensive checks
 # Filter Packages file to include only openwisp packages and save as checksum file
+PACKAGES_FILE="$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/Packages"
+if [ ! -f "$PACKAGES_FILE" ]; then
+	echo "ERROR: Packages file not found at $PACKAGES_FILE"
+	exit 1
+fi
+
 mkdir -p "$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp"
+CHECKSUM_FILE="$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp/Packages.sha256.checksum"
+
 awk '
 	/^Package: openwisp-/ {flag=1}
 	flag {print}
 	/^$/ {flag=0}
-' "$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/Packages" \
-	>"$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp/Packages.sha256.checksum"
+' "$PACKAGES_FILE" > "$CHECKSUM_FILE"
+
+if [ ! -s "$CHECKSUM_FILE" ]; then
+	echo "WARNING: No openwisp packages found in Packages file"
+	exit 1
+fi
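
Review bot: in the final check, `echo "WARNING: No openwisp packages found in Packages file"` is followed by `exit 1`, so a fatal condition is labelled as a warning; use `ERROR:` as the first check does and send both messages to stderr with `>&2`. The `awk` redirect also creates `$CHECKSUM_FILE` before the emptiness test runs, so a failed run leaves an empty checksum file in the package directory; writing to a temporary file and renaming it on success avoids that.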
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a848b45 and 3c69722.

📒 Files selected for processing (1)
  • runbuild
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: QA-Checks and Tests
🔇 Additional comments (3)
runbuild (3)

62-63: LGTM! Package index generation command is correct.

The make package/index SIGNED_PACKAGES= command correctly generates an unsigned package index. The empty SIGNED_PACKAGES= value explicitly requests unsigned index generation, which aligns with the PR objectives.


74-77: LGTM! Move and symlink operations are correct.

The operations correctly move the openwisp package directory (containing the checksum file) to the versioned directory and update the latest symlink to point to it. The || true on line 76 safely handles the case where the latest symlink doesn't exist yet.


55-60: Remove the usign build (lines 55–60)—the "SHA-512 padding workaround" claim contradicts both line 62 and OpenWrt documentation.

The comment on line 56 claims usign is required for a "SHA-512 padding workaround" even for unsigned package indices, but this contradicts the comment on line 62 which explicitly states "(unsigned - no usign needed)". OpenWrt documentation confirms that unsigned package index generation (with SIGNED_PACKAGES=) does not require usign; usign is only needed if you want to sign the index with a detached .sig file.

Since the index is generated unsigned and the comment on line 62 acknowledges no usign is needed, lines 55–60 waste build time. Either remove this unnecessary tool build, or clarify in the code comments why usign is actually required for your use case.

Likely an incorrect or invalid review comment.

coderabbitai[bot]
coderabbitai Bot previously approved these changes Jan 19, 2026
@nemesifier

Member

I like the approach, I think this is the right way to do it, but I am not sure why usign is not available and can't get around to finding the time to test this as there are many other more urgent PRs open waiting to be merged. I hope somebody can help us with this.

Viscous106

This comment was marked as duplicate.

@Viscous106 Viscous106 left a comment

Contributor

@shubhamk0205 Overall approach is good, LGTM. But there are some changes that can help the PR progress; I have mentioned them. Have a look and tell me what you think.

Comment thread runbuild Outdated
Comment on lines +55 to +72
# Ensure usign tool is available (required for package index generation)
# Even when generating unsigned indexes, OpenWRT's Makefile needs usign for SHA-512 padding workaround
if [ ! -f staging_dir/host/bin/usign ]; then
echo "usign not found, building tools..."
make -j"$CORES" tools/install || make -j1 V=s tools/install
fi

# Generate package index with checksums (unsigned - no usign needed)
make package/index SIGNED_PACKAGES= V=s

# Filter Packages file to include only openwisp packages and save as checksum file
mkdir -p "$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp"
awk '
/^Package: openwisp-/ {flag=1}
flag {print}
/^$/ {flag=0}
' "$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/Packages" \
>"$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp/Packages.sha256.checksum"
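
Review bot: the `[ ! -f staging_dir/host/bin/usign ]` test uses a path relative to the current directory while the rest of the block addresses files through `$BUILD_DIR/openwrt/...`, so the check silently depends on where the script is running; anchor it to the same base path, and prefer `-x` over `-f` since the binary has to be executable. The two comments also disagree (usign "required for package index generation" versus "unsigned - no usign needed"), so keep whichever matches the observed build behaviour.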

@Viscous106 Viscous106 Mar 10, 2026

Contributor

The entire usign block and SIGNED_PACKAGES= can be removed once
the CONFIG_SIGNED_PACKAGES fix (mentioned in my next comment) is applied.
Also adding defensive checks as suggested by CodeRabbit:

Suggested change
# Ensure usign tool is available (required for package index generation)
# Even when generating unsigned indexes, OpenWRT's Makefile needs usign for SHA-512 padding workaround
if [ ! -f staging_dir/host/bin/usign ]; then
echo "usign not found, building tools..."
make -j"$CORES" tools/install || make -j1 V=s tools/install
fi
# Generate package index with checksums (unsigned - no usign needed)
make package/index SIGNED_PACKAGES= V=s
# Filter Packages file to include only openwisp packages and save as checksum file
mkdir -p "$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp"
awk '
/^Package: openwisp-/ {flag=1}
flag {print}
/^$/ {flag=0}
' "$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/Packages" \
>"$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp/Packages.sha256.checksum"
# Generate package index with checksums (unsigned)
make package/index V=s
# Filter Packages file to include only openwisp packages
PACKAGES_FILE="$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/Packages"
if [ ! -f "$PACKAGES_FILE" ]; then
echo "ERROR: Packages file not found at $PACKAGES_FILE"
exit 1
fi
mkdir -p "$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp"
CHECKSUM_FILE="$BUILD_DIR/openwrt/bin/packages/$COMPILE_TARGET/openwisp/Packages.sha256.checksum"
awk '
/^Package: openwisp-/ {flag=1}
flag {print}
/^$/ {flag=0}
' "$PACKAGES_FILE" > "$CHECKSUM_FILE"
if [ ! -s "$CHECKSUM_FILE" ]; then
echo "ERROR: No openwisp packages found in Packages file"
exit 1
fi
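
Review bot: with `make package/index V=s` producing an unsigned index, `$CHECKSUM_FILE` is written into the same `openwisp` directory as the packages it describes, so it detects corrupted or truncated downloads but not a replacement made by anyone able to write to that directory; state that limit wherever the published file is documented, or publish the digests through a separate channel. Both `echo "ERROR: ..."` lines should also go to stderr with `>&2`.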

Comment thread runbuild
sed -i '/routing/d' feeds.conf
./scripts/feeds update -a
./scripts/feeds install -a
echo "CONFIG_PACKAGE_openwisp-config=y" >>.config

Contributor

Have a look at this: SIGNED_PACKAGES= on line 63 does not disable signing. "make defconfig" sets CONFIG_SIGNED_PACKAGES=y, and the OpenWrt modules check that value; however, that is not being changed by your changes. So signing is always triggered regardless of the runbuild changes. What I want to suggest is to try using this:

Suggested change
echo "CONFIG_PACKAGE_openwisp-config=y" >>.config
echo "# CONFIG_SIGNED_PACKAGES is not set" >> .config
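
Review bot: nothing after the added `echo "# CONFIG_SIGNED_PACKAGES is not set" >> .config` line confirms that the setting is still in effect when the index is built; a `grep -q '^# CONFIG_SIGNED_PACKAGES is not set' .config` guard just before `make package/index` would fail the build early if a later config step turns signing back on. The new line also writes `>> .config` with a space while the line above uses `>>.config`; match the existing form.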

@shubhamk0205

Contributor Author

@shubhamk0205 Overall approach is good, LGTM. But there are some changes that can help the PR progress; I have mentioned them. Have a look and tell me what you think.

Sure, let me see and get back to you.

@ranJan1228


Hey @nemesifier, I went through the existing PR (#242) and the review comments.

I noticed that the main issue seems to be around package signing not being properly disabled (CONFIG_SIGNED_PACKAGES), which is causing CI failures even when SIGNED_PACKAGES= is used.

I’d like to try fixing this by:

  • explicitly disabling CONFIG_SIGNED_PACKAGES in the build config
  • simplifying the pipeline by removing unnecessary usign dependency
  • ensuring checksum generation works consistently in CI

If this approach sounds good, I can work on updating the PR or creating a clean fix.

Let me know your thoughts.

@nemesifier nemesifier self-assigned this May 16, 2026
@nemesifier nemesifier added the github_actions Pull requests that update GitHub Actions code label May 16, 2026
@nemesifier nemesifier force-pushed the issues/149-upload-package-checksums branch from d07945a to 9eb5f7b Compare May 16, 2026 23:44

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@runbuild`:
- Around line 68-69: The two rm invocations using the PACKAGES_DIR variable (rm
"$PACKAGES_DIR"/*.json and rm "$PACKAGES_DIR"/Packages*) can fail when globs are
empty under set -e; change them to use rm -f (e.g., rm -f "$PACKAGES_DIR"/*.json
and rm -f "$PACKAGES_DIR"/Packages*) so missing matches are ignored and the
script won't abort; keep existing quoting of "$PACKAGES_DIR" intact.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d12df23b-0945-4580-a2a7-d7238e2bbf1c

📥 Commits

Reviewing files that changed from the base of the PR and between 3c69722 and 41a3009.

📒 Files selected for processing (1)
  • runbuild
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: QA-Checks and Tests
🔇 Additional comments (4)
runbuild (4)

7-7: LGTM!

Also applies to: 15-16, 21-21


48-51: LGTM!


59-67: LGTM!


71-75: LGTM!

Comment thread runbuild
@nemesifier

Member

@coderabbitai resolve

@coderabbitai

coderabbitai Bot commented May 17, 2026

✅ Actions performed

Comments resolved and changes approved.

@nemesifier nemesifier left a comment

Member

I disabled signing as in openwisp/openwrt-openwisp-monitoring#187 and applied the same changes done to openwisp/openwrt-openwisp-monitoring#188.

@nemesifier nemesifier merged commit 72c280f into openwisp:master May 17, 2026
4 checks passed

Labels

github_actions Pull requests that update GitHub Actions code


Development

Successfully merging this pull request may close these issues.

[ci] Upload checksum value for packages

4 participants