build: add APK package build capabilities

A new option called `USE_APK` is added which generated APK packages
(.apk) instead of OPKG packages (.ipk).

Some features like fstools `snapshot` command are not yet ported

Signed-off-by: Paul Spooren <[email protected]>

config/Config-build.in

@@ -68,6 +68,9 @@ menu "Global build settings"
 		bool "Enable TLS certificate verification during package download"
 		default y
 
+	config USE_APK
+		bool "Use APK instead of OPKG to build distribution (EXPERIMENTAL)"
+
 	comment "General build options"
 
 	config TESTING_KERNEL

include/feeds.mk

@@ -18,6 +18,10 @@ opkg_package_files = $(wildcard \
 	$(foreach dir,$(PACKAGE_SUBDIRS), \
 	  $(foreach pkg,$(1), $(dir)/$(pkg)_*.ipk)))
 
+apk_package_files = $(wildcard \
+	$(foreach dir,$(PACKAGE_SUBDIRS), \
+	  $(foreach pkg,$(1), $(dir)/$(pkg)_*.apk)))
+
 # 1: package name
 define FeedPackageDir
 $(strip $(if $(CONFIG_PER_FEED_REPO), \
@@ -28,7 +32,7 @@ $(strip $(if $(CONFIG_PER_FEED_REPO), \
 endef
 
 # 1: destination file
-define FeedSourcesAppend
+define FeedSourcesAppendOPKG
 ( \
   echo 'src/gz %d_core %U/targets/%S/packages'; \
   $(strip $(if $(CONFIG_PER_FEED_REPO), \
@@ -41,6 +45,20 @@ define FeedSourcesAppend
 ) >> $(1)
 endef
 
+# 1: destination file
+define FeedSourcesAppendAPK
+( \
+  echo '%U/targets/%S/packages/packages.adb'; \
+  $(strip $(if $(CONFIG_PER_FEED_REPO), \
+	echo '%U/packages/%A/base/packages.adb'; \
+	$(if $(filter %SNAPSHOT-y,$(VERSION_NUMBER)-$(CONFIG_BUILDBOT)), \
+		echo '%U/targets/%S/kmods/$(LINUX_VERSION)-$(LINUX_RELEASE)-$(LINUX_VERMAGIC)/packages.adb';) \
+	$(foreach feed,$(FEEDS_AVAILABLE), \
+		$(if $(CONFIG_FEED_$(feed)), \
+			echo '$(if $(filter m,$(CONFIG_FEED_$(feed))),# )%U/packages/%A/$(feed)/packages.adb';)))) \
+) >> $(1)
+endef
+
 # 1: package name
 define GetABISuffix
 $(if $(ABIV_$(1)),$(ABIV_$(1)),$(call FormatABISuffix,$(1),$(foreach v,$(wildcard $(STAGING_DIR)/pkginfo/$(1).version),$(shell cat $(v)))))

include/image.mk

@@ -278,8 +278,12 @@ define Image/mkfs/ext4
 endef
 
 define Image/Manifest
-	$(call opkg,$(TARGET_DIR_ORIG)) list-installed > \
-		$(BIN_DIR)/$(IMG_PREFIX)$(if $(PROFILE_SANITIZED),-$(PROFILE_SANITIZED)).manifest
+	$(if $(CONFIG_USE_APK), \
+		$(call apk,$(TARGET_DIR_ORIG)) list --quiet --manifest --no-network | sort | sed 's/ / - /'  > \
+			$(BIN_DIR)/$(IMG_PREFIX)$(if $(PROFILE_SANITIZED),-$(PROFILE_SANITIZED)).manifest, \
+		$(call opkg,$(TARGET_DIR_ORIG)) list-installed > \
+			$(BIN_DIR)/$(IMG_PREFIX)$(if $(PROFILE_SANITIZED),-$(PROFILE_SANITIZED)).manifest \
+	)
 ifneq ($(CONFIG_JSON_CYCLONEDX_SBOM),)
 	$(SCRIPT_DIR)/package-metadata.pl imgcyclonedxsbom \
 		$(if $(IB),$(TOPDIR)/.packageinfo, $(TMP_DIR)/.packageinfo) \
@@ -328,7 +332,20 @@ opkg_target = \
 	$(call opkg,$(mkfs_cur_target_dir)) \
 		-f $(mkfs_cur_target_dir).conf
 
+apk_target = $(call apk,$(mkfs_cur_target_dir)) --no-scripts
+
+
 target-dir-%: FORCE
+ifneq ($(CONFIG_USE_APK),)
+	rm -rf $(mkfs_cur_target_dir)
+	$(CP) $(TARGET_DIR_ORIG) $(mkfs_cur_target_dir)
+	mv $(mkfs_cur_target_dir)/etc/apk/repositories $(mkfs_cur_target_dir).repositories
+	$(if $(mkfs_packages_remove), \
+		$(apk_target) del $(mkfs_packages_remove))
+	$(if $(mkfs_packages_add), \
+		$(apk_target) add $(mkfs_packages_add))
+	mv $(mkfs_cur_target_dir).repositories $(mkfs_cur_target_dir)/etc/apk/repositories
+else
 	rm -rf $(mkfs_cur_target_dir) $(mkfs_cur_target_dir).opkg
 	$(CP) $(TARGET_DIR_ORIG) $(mkfs_cur_target_dir)
 	-mv $(mkfs_cur_target_dir)/etc/opkg $(mkfs_cur_target_dir).opkg
@@ -342,6 +359,7 @@ target-dir-%: FORCE
 			$(call opkg_package_files,$(mkfs_packages_add)))
 	-$(CP) -T $(mkfs_cur_target_dir).opkg/ $(mkfs_cur_target_dir)/etc/opkg/
 	rm -rf $(mkfs_cur_target_dir).opkg $(mkfs_cur_target_dir).conf
+endif
 	$(call prepare_rootfs,$(mkfs_cur_target_dir),$(TOPDIR)/files)
 
 $(KDIR)/root.%: kernel_prepare

include/package-ipkg.mk → include/package-pack.mk

@@ -1,35 +1,32 @@
 # SPDX-License-Identifier: GPL-2.0-only
 #
-# Copyright (C) 2006-2020 OpenWrt.org
+# Copyright (C) 2006-2022 OpenWrt.org
 
 ifndef DUMP
   include $(INCLUDE_DIR)/feeds.mk
 endif
 
-IPKG_REMOVE:= \
-  $(SCRIPT_DIR)/ipkg-remove
-
 IPKG_STATE_DIR:=$(TARGET_DIR)/usr/lib/opkg
 
 # Generates a make statement to return a wildcard for candidate ipkg files
 # 1: package name
-define gen_ipkg_wildcard
+define gen_package_wildcard
   $(1)$$(if $$(filter -%,$$(ABIV_$(1))),,[^a-z-])*
 endef
 
 # 1: package name
 # 2: candidate ipk files
 define remove_ipkg_files
-  $(if $(strip $(2)),$(IPKG_REMOVE) $(1) $(2))
+  $(if $(strip $(2)),$(SCRIPT_DIR)/ipkg-remove $(1) $(2))
 endef
 
 # 1: package name
 # 2: variable name
 # 3: variable suffix
 # 4: file is a script
-define BuildIPKGVariable
+define BuildPackVariable
 ifdef Package/$(1)/$(2)
-  $$(IPKG_$(1)) : VAR_$(2)$(3)=$$(Package/$(1)/$(2))
+  $$(PACK_$(1)) : VAR_$(2)$(3)=$$(Package/$(1)/$(2))
   $(call shexport,Package/$(1)/$(2))
   $(1)_COMMANDS += echo "$$$$$$$$$(call shvar,Package/$(1)/$(2))" > $(2)$(3); $(if $(4),chmod 0755 $(2)$(3);)
 endif
@@ -50,7 +47,7 @@ strip_deps=$(strip $(subst +,,$(filter-out @%,$(1))))
 filter_deps=$(foreach dep,$(call strip_deps,$(1)),$(if $(findstring :,$(dep)),$(call dep_if,$(dep)),$(dep)))
 
 define AddDependency
-  $$(if $(1),$$(if $(2),$$(foreach pkg,$(1),$$(IPKG_$$(pkg))): $$(foreach pkg,$(2),$$(IPKG_$$(pkg)))))
+  $$(if $(1),$$(if $(2),$$(foreach pkg,$(1),$$(PACK_$$(pkg))): $$(foreach pkg,$(2),$$(PACK_$$(pkg)))))
 endef
 
 define FixupReverseDependencies
@@ -101,8 +98,13 @@ ifeq ($(DUMP),)
   define BuildTarget/ipkg
     ABIV_$(1):=$(call FormatABISuffix,$(1),$(ABI_VERSION))
     PDIR_$(1):=$(call FeedPackageDir,$(1))
-    IPKG_$(1):=$$(PDIR_$(1))/$(1)$$(ABIV_$(1))_$(VERSION)_$(PKGARCH).ipk
+ifeq ($(CONFIG_USE_APK),)
+    PACK_$(1):=$$(PDIR_$(1))/$(1)$$(ABIV_$(1))_$(VERSION)_$(PKGARCH).ipk
+else
+    PACK_$(1):=$$(PDIR_$(1))/$(1)$$(ABIV_$(1))-$(VERSION).apk
+endif
     IDIR_$(1):=$(PKG_BUILD_DIR)/ipkg-$(PKGARCH)/$(1)
+    ADIR_$(1):=$(PKG_BUILD_DIR)/apk-$(PKGARCH)/$(1)
     KEEP_$(1):=$(strip $(call Package/$(1)/conffiles))
 
     TARGET_VARIANT:=$$(if $(ALL_VARIANTS),$$(if $$(VARIANT),$$(filter-out *,$$(VARIANT)),$(firstword $(ALL_VARIANTS))))
@@ -117,8 +119,8 @@ ifeq ($(DUMP),)
     ifdef do_install
       ifneq ($(CONFIG_PACKAGE_$(1))$(DEVELOPER),)
         IPKGS += $(1)
-        $(_pkg_target)compile: $$(IPKG_$(1)) $(PKG_INFO_DIR)/$(1).provides $(PKG_BUILD_DIR)/.pkgdir/$(1).installed
-        prepare-package-install: $$(IPKG_$(1))
+        $(_pkg_target)compile: $$(PACK_$(1)) $(PKG_INFO_DIR)/$(1).provides $(PKG_BUILD_DIR)/.pkgdir/$(1).installed
+        prepare-package-install: $$(PACK_$(1))
         compile: $(STAGING_DIR_ROOT)/stamp/.$(1)_installed
       else
         $(if $(CONFIG_PACKAGE_$(1)),$$(info WARNING: skipping $(1) -- package not selected))
@@ -141,11 +143,11 @@ ifeq ($(DUMP),)
     $(FixupDependencies)
     $(FixupReverseDependencies)
 
-    $(eval $(call BuildIPKGVariable,$(1),conffiles))
-    $(eval $(call BuildIPKGVariable,$(1),preinst,,1))
-    $(eval $(call BuildIPKGVariable,$(1),postinst,-pkg,1))
-    $(eval $(call BuildIPKGVariable,$(1),prerm,-pkg,1))
-    $(eval $(call BuildIPKGVariable,$(1),postrm,,1))
+    $(eval $(call BuildPackVariable,$(1),conffiles))
+    $(eval $(call BuildPackVariable,$(1),preinst,,1))
+    $(eval $(call BuildPackVariable,$(1),postinst,-pkg,1))
+    $(eval $(call BuildPackVariable,$(1),prerm,-pkg,1))
+    $(eval $(call BuildPackVariable,$(1),postrm,,1))
 
     $(PKG_BUILD_DIR)/.pkgdir/$(1).installed : export PATH=$$(TARGET_PATH_PKG)
     $(PKG_BUILD_DIR)/.pkgdir/$(1).installed: $(STAMP_BUILT)
@@ -195,14 +197,16 @@ $$(call addfield,Depends,$$(Package/$(1)/DEPENDS)
 Installed-Size: 0
 $(_endef)
 
-    $$(IPKG_$(1)) : export CONTROL=$$(Package/$(1)/CONTROL)
-    $$(IPKG_$(1)) : export DESCRIPTION=$$(Package/$(1)/description)
-    $$(IPKG_$(1)) : export PATH=$$(TARGET_PATH_PKG)
-    $$(IPKG_$(1)) : export PKG_SOURCE_DATE_EPOCH:=$(PKG_SOURCE_DATE_EPOCH)
-    $(PKG_INFO_DIR)/$(1).provides $$(IPKG_$(1)): $(STAMP_BUILT) $(INCLUDE_DIR)/package-ipkg.mk
-	@rm -rf $$(IDIR_$(1)); \
-		$$(call remove_ipkg_files,$(1),$$(call opkg_package_files,$(call gen_ipkg_wildcard,$(1))))
-	mkdir -p $(PACKAGE_DIR) $$(IDIR_$(1))/CONTROL $(PKG_INFO_DIR)
+    $$(PACK_$(1)) : export CONTROL=$$(Package/$(1)/CONTROL)
+    $$(PACK_$(1)) : export DESCRIPTION=$$(Package/$(1)/description)
+    $$(PACK_$(1)) : export PATH=$$(TARGET_PATH_PKG)
+    $$(PACK_$(1)) : export PKG_SOURCE_DATE_EPOCH:=$(PKG_SOURCE_DATE_EPOCH)
+    $(PKG_INFO_DIR)/$(1).provides $$(PACK_$(1)): $(STAMP_BUILT) $(INCLUDE_DIR)/package-pack.mk
+	rm -rf $$(IDIR_$(1))
+ifeq ($$(CONFIG_USE_APK),)
+	$$(call remove_ipkg_files,$(1),$$(call opkg_package_files,$(call gen_package_wildcard,$(1))))
+endif
+	mkdir -p $(PACKAGE_DIR) $$(IDIR_$(1)) $(PKG_INFO_DIR)
 	$(call Package/$(1)/install,$$(IDIR_$(1)))
 	$(if $(Package/$(1)/install-overlay),mkdir -p $(PACKAGE_DIR) $$(IDIR_$(1))/rootfs-overlay)
 	$(call Package/$(1)/install-overlay,$$(IDIR_$(1))/rootfs-overlay)
@@ -228,6 +232,24 @@ $(_endef)
 		) || true \
 	)
     endif
+
+    ifneq ($$(KEEP_$(1)),)
+		@( \
+			keepfiles=""; \
+			for x in $$(KEEP_$(1)); do \
+				[ -f "$$(IDIR_$(1))/$$$$x" ] || keepfiles="$$$${keepfiles:+$$$$keepfiles }$$$$x"; \
+			done; \
+			[ -z "$$$$keepfiles" ] || { \
+				mkdir -p $$(IDIR_$(1))/lib/upgrade/keep.d; \
+				for x in $$$$keepfiles; do echo $$$$x >> $$(IDIR_$(1))/lib/upgrade/keep.d/$(1); done; \
+			}; \
+		)
+    endif
+
+	$(INSTALL_DIR) $$(PDIR_$(1))/tmp
+
+ifeq ($(CONFIG_USE_APK),)
+	mkdir -p $$(IDIR_$(1))/CONTROL
 	(cd $$(IDIR_$(1))/CONTROL; \
 		( \
 			echo "$$$$CONTROL"; \
@@ -251,25 +273,66 @@ $(_endef)
 		$($(1)_COMMANDS) \
 	)
 
-    ifneq ($$(KEEP_$(1)),)
-		@( \
-			keepfiles=""; \
-			for x in $$(KEEP_$(1)); do \
-				[ -f "$$(IDIR_$(1))/$$$$x" ] || keepfiles="$$$${keepfiles:+$$$$keepfiles }$$$$x"; \
-			done; \
-			[ -z "$$$$keepfiles" ] || { \
-				mkdir -p $$(IDIR_$(1))/lib/upgrade/keep.d; \
-				for x in $$$$keepfiles; do echo $$$$x >> $$(IDIR_$(1))/lib/upgrade/keep.d/$(1); done; \
-			}; \
-		)
-    endif
-
-	$(INSTALL_DIR) $$(PDIR_$(1))
 	$(FAKEROOT) $(STAGING_DIR_HOST)/bin/bash $(SCRIPT_DIR)/ipkg-build -m "$(FILE_MODES)" $$(IDIR_$(1)) $$(PDIR_$(1))
-	@[ -f $$(IPKG_$(1)) ]
+else
+	mkdir -p $$(ADIR_$(1))/
+	mkdir -p $$(IDIR_$(1))/lib/apk/packages/
+
+	(cd $$(ADIR_$(1)); $($(1)_COMMANDS))
+
+	( \
+		echo "#!/bin/sh"; \
+		echo "[ \"\$$$${IPKG_NO_SCRIPT}\" = \"1\" ] && exit 0"; \
+		echo "[ -s "\$$$${IPKG_INSTROOT}/lib/functions.sh" ] || exit 0"; \
+		echo ". \$$$${IPKG_INSTROOT}/lib/functions.sh"; \
+		echo 'export root="$$$${IPKG_INSTROOT}"'; \
+		echo 'export pkgname="$(1)"'; \
+		echo "add_group_and_user"; \
+		[ ! -f $$(ADIR_$(1))/postinst-pkg ] || cat "$$(ADIR_$(1))/postinst-pkg"; \
+		echo "default_postinst"; \
+	) > $$(ADIR_$(1))/post-install;
+
+	( \
+		echo "#!/bin/sh"; \
+		echo "[ -s "\$$$${IPKG_INSTROOT}/lib/functions.sh" ] || exit 0"; \
+		echo ". \$$$${IPKG_INSTROOT}/lib/functions.sh"; \
+		echo 'export root="$$$${IPKG_INSTROOT}"'; \
+		echo 'export pkgname="$(1)"'; \
+		[ ! -f $$(ADIR_$(1))/prerm-pkg ] || cat "$$(ADIR_$(1))/prerm-pkg"; \
+		echo "default_prerm"; \
+	) > $$(ADIR_$(1))/pre-deinstall;
+
+	if [ -n "$(USERID)" ]; then echo $(USERID) > $$(IDIR_$(1))/lib/apk/packages/$(1).rusers; fi;
+	if [ -n "$(ALTERNATIVES)" ]; then echo $(ALTERNATIVES) > $$(IDIR_$(1))/lib/apk/packages/$(1).alternatives; fi;
+	(cd $$(IDIR_$(1)) && find . -type f,l -printf "/%P\n" > $$(IDIR_$(1))/lib/apk/packages/$(1).list)
+	if [ -f $$(ADIR_$(1))/conffiles ]; then mv $$(ADIR_$(1))/conffiles $$(IDIR_$(1))/lib/apk/packages/$(1).conffiles; fi;
+
+	$(FAKEROOT) $(STAGING_DIR_HOST)/bin/apk mkpkg \
+	  --info "name:$(1)$$(ABIV_$(1))" \
+	  --info "version:$(VERSION)" \
+	  --info "description:" \
+	  --info "arch:$(PKGARCH)" \
+	  --info "license:$(LICENSE)" \
+	  --info "origin:$(SOURCE)" \
+	  --info "provides:$$(foreach prov,$$(filter-out $(1)$$(ABIV_$(1)),$(PROVIDES)$$(if $$(ABIV_$(1)), \
+		$(1) $(foreach provide,$(PROVIDES),$(provide)$$(ABIV_$(1))))),$$(prov)=$(VERSION) )" \
+	  --script "post-install:$$(ADIR_$(1))/post-install" \
+	  --script "pre-deinstall:$$(ADIR_$(1))/pre-deinstall" \
+	  --info "depends:$$(foreach depends,$$(subst $$(comma),$$(space),$$(subst $$(space),,$$(subst $$(paren_right),,$$(subst $$(paren_left),,$$(Package/$(1)/DEPENDS))))),$$(depends))" \
+	  --files "$$(IDIR_$(1))" \
+	  --output "$$(PACK_$(1))" \
+	  --sign "$(BUILD_KEY_APK_SEC)"
+endif
+
+	@[ -f $$(PACK_$(1)) ]
 
     $(1)-clean:
-	$$(call remove_ipkg_files,$(1),$$(call opkg_package_files,$(call gen_ipkg_wildcard,$(1))))
+ifeq ($(CONFIG_USE_APK),)
+	$$(call remove_ipkg_files,$(1),$$(call opkg_package_files,$(call gen_package_wildcard,$(1))))
+else
+	$$(call remove_ipkg_files,$(1),$$(call apk_package_files,$(call gen_package_wildcard,$(1))))
+endif
+
 
     clean: $(1)-clean
 

include/package.mk

@@ -136,7 +136,7 @@ PKG_INSTALL_STAMP:=$(PKG_INFO_DIR)/$(PKG_DIR_NAME).$(if $(BUILD_VARIANT),$(BUILD
 
 include $(INCLUDE_DIR)/package-defaults.mk
 include $(INCLUDE_DIR)/package-dumpinfo.mk
-include $(INCLUDE_DIR)/package-ipkg.mk
+include $(INCLUDE_DIR)/package-pack.mk
 include $(INCLUDE_DIR)/package-bin.mk
 include $(INCLUDE_DIR)/autotools.mk
 

include/rootfs.mk

@@ -43,6 +43,16 @@ opkg = \
 	--add-arch all:100 \
 	--add-arch $(if $(ARCH_PACKAGES),$(ARCH_PACKAGES),$(BOARD)):200
 
+apk = \
+  IPKG_INSTROOT=$(1) \
+  $(FAKEROOT) $(STAGING_DIR_HOST)/bin/apk \
+	--root $(1) \
+	--keys-dir $(TOPDIR) \
+	--no-cache \
+	--no-logfile \
+	--preserve-env \
+	--repository file://$(PACKAGE_DIR_ALL)/packages.adb
+
 TARGET_DIR_ORIG := $(TARGET_ROOTFS_DIR)/root.orig-$(BOARD)
 
 ifdef CONFIG_CLEAN_IPKG
@@ -68,6 +78,11 @@ define prepare_rootfs
 	@mkdir -p $(1)/var/lock
 	@( \
 		cd $(1); \
+		if [ -n $(CONFIG_USE_APK) ]; then \
+		$(STAGING_DIR_HOST)/bin/tar -xf ./lib/apk/db/scripts.tar --wildcards "*.post-install" -O > script.sh; \
+		chmod +x script.sh; \
+		IPKG_INSTROOT=$(1) $$(command -v bash) script.sh; \
+		else \
 		for script in ./usr/lib/opkg/info/*.postinst; do \
 			IPKG_INSTROOT=$(1) $$(command -v bash) $$script; \
 			ret=$$?; \
@@ -76,6 +91,13 @@ define prepare_rootfs
 				exit 1; \
 			fi; \
 		done; \
+		$(if $(IB),,awk -i inplace \
+			'/^Status:/ { \
+				if ($$3 == "user") { $$3 = "ok" } \
+				else { sub(/,\<user\>|\<user\>,/, "", $$3) } \
+			}1' $(1)/usr/lib/opkg/status) ; \
+		$(if $(SOURCE_DATE_EPOCH),sed -i "s/Installed-Time: .*/Installed-Time: $(SOURCE_DATE_EPOCH)/" $(1)/usr/lib/opkg/status ;) \
+		fi; \
 		for script in ./etc/init.d/*; do \
 			grep '#!/bin/sh /etc/rc.common' $$script >/dev/null || continue; \
 			if ! echo " $(3) " | grep -q " $$(basename $$script) "; then \
@@ -87,13 +109,9 @@ define prepare_rootfs
 			fi; \
 		done || true \
 	)
-	awk -i inplace \
-		'/^Status:/ { \
-			if ($$3 == "user") { $$3 = "ok" } \
-			else { sub(/,\<user\>|\<user\>,/, "", $$3) } \
-		}1' $(1)/usr/lib/opkg/status
-	$(if $(SOURCE_DATE_EPOCH),sed -i "s/Installed-Time: .*/Installed-Time: $(SOURCE_DATE_EPOCH)/" $(1)/usr/lib/opkg/status)
+
 	@-find $(1) -name CVS -o -name .svn -o -name .git -o -name '.#*' | $(XARGS) rm -rf
+	@-find $(1)/usr/cache/apk/ -name '*.apk' -delete
 	rm -rf \
 		$(1)/boot \
 		$(1)/tmp/* \

include/target.mk

@@ -21,12 +21,17 @@ DEFAULT_PACKAGES:=\
 	logd \
 	mtd \
 	netifd \
-	opkg \
 	uci \
 	uclient-fetch \
 	urandom-seed \
 	urngd
 
+ifdef CONFIG_USE_APK
+DEFAULT_PACKAGES+=apk
+else
+DEFAULT_PACKAGES+=opkg
+endif
+
 ifneq ($(CONFIG_SELINUX),)
 DEFAULT_PACKAGES+=busybox-selinux procd-selinux
 else

package/Makefile

@@ -53,20 +53,43 @@ $(curdir)/cleanup: $(TMP_DIR)/.build
 $(curdir)/merge:
 	rm -rf $(PACKAGE_DIR_ALL)
 	mkdir -p $(PACKAGE_DIR_ALL)
+ifneq ($(CONFIG_USE_APK),)
+	-$(foreach pdir,$(PACKAGE_SUBDIRS),$(if $(wildcard $(pdir)/*.apk),ln -s $(pdir)/*.apk $(PACKAGE_DIR_ALL);))
+else
 	-$(foreach pdir,$(PACKAGE_SUBDIRS),$(if $(wildcard $(pdir)/*.ipk),ln -s $(pdir)/*.ipk $(PACKAGE_DIR_ALL);))
+endif
 
 $(curdir)/merge-index: $(curdir)/merge
+ifneq ($(CONFIG_USE_APK),)
+	(cd $(PACKAGE_DIR_ALL) && $(STAGING_DIR_HOST)/bin/apk mkndx \
+			--root $(TOPDIR) \
+			--keys-dir $(TOPDIR) \
+			--sign $(BUILD_KEY_APK_SEC) \
+			--output packages.adb \
+			*.apk; \
+	)
+else
 	(cd $(PACKAGE_DIR_ALL) && $(SCRIPT_DIR)/ipkg-make-index.sh . 2>&1 > Packages; )
+endif
 
 ifndef SDK
   $(curdir)//compile = $(STAGING_DIR)/.prepared $(BIN_DIR)
+ifneq ($(CONFIG_USE_APK),)
+  $(curdir)/compile: $(curdir)/system/apk/host/compile
+else
   $(curdir)/compile: $(curdir)/system/opkg/host/compile
 endif
+endif
 
-$(curdir)/install: $(TMP_DIR)/.build $(curdir)/merge $(if $(CONFIG_TARGET_PER_DEVICE_ROOTFS),$(curdir)/merge-index)
+$(curdir)/install: $(TMP_DIR)/.build $(curdir)/merge $(curdir)/merge-index
 	- find $(STAGING_DIR_ROOT) -type d | $(XARGS) chmod 0755
 	rm -rf $(TARGET_DIR) $(TARGET_DIR_ORIG)
 	mkdir -p $(TARGET_DIR)/tmp
+ifneq ($(CONFIG_USE_APK),)
+	$(file >$(TMP_DIR)/apk_install_list,\
+	    $(foreach pkg,$(shell cat $(PACKAGE_INSTALL_FILES) 2>/dev/null),$(pkg)$(call GetABISuffix,$(pkg))))
+	$(call apk,$(TARGET_DIR)) add --initdb --no-scripts --arch $(ARCH_PACKAGES) $$(cat $(TMP_DIR)/apk_install_list)
+else
 	$(file >$(TMP_DIR)/opkg_install_list,\
 	  $(call opkg_package_files,\
 	    $(foreach pkg,$(shell cat $(PACKAGE_INSTALL_FILES) 2>/dev/null),$(pkg)$(call GetABISuffix,$(pkg)))))
@@ -77,6 +100,7 @@ $(curdir)/install: $(TMP_DIR)/.build $(curdir)/merge $(if $(CONFIG_TARGET_PER_DE
 			$(call opkg,$(TARGET_DIR)) flag $$flag `cat $$file`; \
 		done; \
 	done || true
+endif
 
 	$(CP) $(TARGET_DIR) $(TARGET_DIR_ORIG)
 
@@ -84,6 +108,19 @@ $(curdir)/install: $(TMP_DIR)/.build $(curdir)/merge $(if $(CONFIG_TARGET_PER_DE
 
 $(curdir)/index: FORCE
 	@echo Generating package index...
+ifneq ($(CONFIG_USE_APK),)
+	@for d in $(PACKAGE_SUBDIRS); do \
+		mkdir -p $$d; \
+		cd $$d || continue; \
+		ls *.apk >/dev/null 2>&1 || continue; \
+		$(STAGING_DIR_HOST)/bin/apk mkndx \
+			--root $(TOPDIR) \
+			--keys-dir $(TOPDIR) \
+			--sign $(BUILD_KEY_APK_SEC) \
+			--output packages.adb \
+			*.apk; \
+	done
+else
 	@for d in $(PACKAGE_SUBDIRS); do ( \
 		mkdir -p $$d; \
 		cd $$d || continue; \
@@ -115,6 +152,7 @@ ifdef CONFIG_JSON_CYCLONEDX_SBOM
 		$(SCRIPT_DIR)/package-metadata.pl pkgcyclonedxsbom Packages.manifest > Packages.bom.cdx.json || true; \
 	); done
 endif
+endif
 
 $(curdir)/flags-install:= -j1
 

package/base-files/Makefile

@@ -116,6 +116,13 @@ define Build/Compile/Default
 endef
 Build/Compile = $(Build/Compile/Default)
 
+ifneq ($(CONFIG_USE_APK),)
+  define Build/Configure
+	[ -s $(BUILD_KEY_APK_SEC) -a -s $(BUILD_KEY_APK_PUB) ] || \
+		$(STAGING_DIR_HOST)/bin/openssl ecparam -name prime256v1 -genkey -noout -out $(BUILD_KEY_APK_SEC); \
+		$(STAGING_DIR_HOST)/bin/openssl ec -in $(BUILD_KEY_APK_SEC) -pubout > $(BUILD_KEY_APK_PUB)
+  endef
+else
 ifdef CONFIG_SIGNED_PACKAGES
   define Build/Configure
 	[ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
@@ -131,9 +138,13 @@ ifndef CONFIG_BUILDBOT
 	mkdir -p $(1)/etc/opkg/keys
 	$(CP) $(BUILD_KEY).pub $(1)/etc/opkg/keys/`$(STAGING_DIR_HOST)/bin/usign -F -p $(BUILD_KEY).pub`
 
+	mkdir -p $(1)/etc/apk/keys
+	$(CP) $(BUILD_KEY_APK_PUB) $(1)/etc/apk/keys/
+
   endef
 endif
 endif
+endif
 
 ifeq ($(CONFIG_NAND_SUPPORT),)
   define Package/base-files/nand-support
@@ -234,15 +245,21 @@ endif
 		cat $(BIN_DIR)/feeds.buildinfo >>$(1)/etc/build.feeds; \
 		cat $(BIN_DIR)/version.buildinfo >>$(1)/etc/build.version)
 
+	$(if $(CONFIG_TARGET_PREINIT_DISABLE_FAILSAFE), \
+		rm -f $(1)/etc/banner.failsafe,)
+
+ifneq ($(CONFIG_USE_APK),)
+	mkdir -p $(1)/etc/apk/
+	$(call FeedSourcesAppendAPK,$(1)/etc/apk/repositories)
+	$(VERSION_SED_SCRIPT) $(1)/etc/apk/repositories
+else
 	$(if $(CONFIG_CLEAN_IPKG),, \
 		mkdir -p $(1)/etc/opkg; \
-		$(call FeedSourcesAppend,$(1)/etc/opkg/distfeeds.conf); \
+		$(call FeedSourcesAppendOPKG,$(1)/etc/opkg/distfeeds.conf); \
 		$(VERSION_SED_SCRIPT) $(1)/etc/opkg/distfeeds.conf)
 	$(if $(CONFIG_IPK_FILES_CHECKSUMS),, \
 		rm -f $(1)/sbin/pkg_check)
-
-	$(if $(CONFIG_TARGET_PREINIT_DISABLE_FAILSAFE), \
-		rm -f $(1)/etc/banner.failsafe,)
+endif
 endef
 
 ifneq ($(DUMP),1)

package/system/apk/patches/0002-mbedtls-support.patch

@@ -1,51 +1,16 @@
-From 74ea482102e1a7c1845b3eec19cbdb21264836d4 Mon Sep 17 00:00:00 2001
+From 68352e0cb94fe08b220d4befec828171ec871154 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <[email protected]>
 Date: Fri, 5 Apr 2024 12:06:56 +0300
-Subject: [PATCH 1/4] add alternate url wget implementation
+Subject: [PATCH 1/2] add alternate url wget implementation
 
 ---
- .gitlab-ci.yml    |  16 ++++-
  meson.build       |   6 +-
  meson_options.txt |   1 +
- src/io_url_wget.c | 150 ++++++++++++++++++++++++++++++++++++++++++++++
- src/meson.build   |   4 +-
- 5 files changed, 173 insertions(+), 4 deletions(-)
+ src/io_url_wget.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
+ src/meson.build   |   8 ++-
+ 4 files changed, 150 insertions(+), 2 deletions(-)
  create mode 100644 src/io_url_wget.c
 
-diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
-index 7fc86563..b7e00008 100644
---- a/.gitlab-ci.yml
-+++ b/.gitlab-ci.yml
-@@ -24,7 +24,19 @@ test:alpine:
-     script:
-         - apk update
-         - apk add make gcc git musl-dev openssl-dev linux-headers zlib-dev zstd-dev lua5.3-dev lua5.3-lzlib meson zlib-static zstd-static openssl-libs-static
--        - meson build
-+        - meson setup build -Dstatic_apk=true
-+        - ninja -C build
-+    tags:
-+        - docker-alpine
-+        - x86_64
-+
-+test:alpine-alt-config:
-+    image: alpine
-+    stage: test
-+    script:
-+        - apk update
-+        - apk add make gcc git musl-dev openssl-dev linux-headers zlib-dev lua5.3-dev lua5.3-lzlib meson
-+        - meson setup build -Durl_backend=wget -Dzstd=false
-         - ninja -C build
-     tags:
-         - docker-alpine
-@@ -38,7 +50,7 @@ test:debian:
-         - apt-get install -y make gcc git libssl-dev zlib1g-dev libzstd-dev lua5.3-dev lua5.2 lua-zlib-dev sudo meson
-         - unlink /bin/sh
-         - ln -s /bin/bash /bin/sh
--        - meson build
-+        - meson setup build
-         - ninja -C build
-     tags:
-         - docker-alpine
 diff --git a/meson.build b/meson.build
 index 1a44c11f..9a14cac0 100644
 --- a/meson.build
@@ -63,26 +28,26 @@ index 1a44c11f..9a14cac0 100644
  subdir('src')
  subdir('tests')
 diff --git a/meson_options.txt b/meson_options.txt
-index 693f46ec..940fe9a4 100644
+index 693f46ec..44b88b32 100644
 --- a/meson_options.txt
 +++ b/meson_options.txt
 @@ -5,5 +5,6 @@ option('help', description: 'Build help into apk binaries, needs lua', type: 'fe
  option('lua', description: 'Build luaapk (lua bindings)', type: 'feature', value: 'auto')
  option('lua_version', description: 'Lua version to build against', type: 'string', value: '5.3')
  option('static_apk', description: 'Also build apk.static', type: 'boolean', value: false)
-+option('url_backend', description: 'URL backend', type: 'combo', choices: ['libfetch', 'wget'], value: 'libfetch')
++option('url_backend', description: 'URL backend', type: 'string', value: 'libfetch')
  option('uvol_db_target', description: 'Default target for uvol database layer', type: 'string')
  option('zstd', description: 'Build with zstd support', type: 'boolean', value: true)
 diff --git a/src/io_url_wget.c b/src/io_url_wget.c
 new file mode 100644
-index 00000000..9a929222
+index 00000000..d8885a4f
 --- /dev/null
 +++ b/src/io_url_wget.c
-@@ -0,0 +1,150 @@
+@@ -0,0 +1,137 @@
 +/* io_url_wget.c - Alpine Package Keeper (APK)
 + *
 + * Copyright (C) 2005-2008 Natanael Copa <[email protected]>
-+ * Copyright (C) 2008-2011 Timo Teräs <[email protected]>
++ * Copyright (C) 2008-2011 Timo Teräs <[email protected]>
 + * All rights reserved.
 + *
 + * SPDX-License-Identifier: GPL-2.0-only
@@ -93,9 +58,6 @@ index 00000000..9a929222
 +#include <sys/wait.h>
 +#include "apk_io.h"
 +
-+static char wget_timeout[16];
-+static char wget_no_check_certificate;
-+
 +static int wget_translate_status(int status)
 +{
 +	if (!WIFEXITED(status)) return -EFAULT;
@@ -118,19 +80,11 @@ index 00000000..9a929222
 +
 +static int wget_spawn(const char *url, pid_t *pid, int *fd)
 +{
-+	int i = 0, r, pipefds[2];
++	int r, pipefds[2];
 +	posix_spawn_file_actions_t act;
-+	char *argv[16];
-+
-+	argv[i++] = "wget";
-+	argv[i++] = "-q";
-+	argv[i++] = "-T";
-+	argv[i++] = wget_timeout;
-+	if (wget_no_check_certificate) argv[i++] = "--no-check-certificate";
-+	argv[i++] = (char *) url;
-+	argv[i++] = "-O";
-+	argv[i++] = "-";
-+	argv[i++] = 0;
++	char *argv[] = {
++		(char*)"wget", "-q", (char*) url, "-O", "-", 0
++	};
 +
 +	if (pipe2(pipefds, O_CLOEXEC) != 0) return -errno;
 +
@@ -214,12 +168,10 @@ index 00000000..9a929222
 +
 +void apk_io_url_no_check_certificate(void)
 +{
-+	wget_no_check_certificate = 1;
 +}
 +
 +void apk_io_url_set_timeout(int timeout)
 +{
-+	snprintf(wget_timeout, sizeof wget_timeout, "%d", timeout);
 +}
 +
 +void apk_io_url_set_redirect_callback(void (*cb)(int, const char *))
@@ -230,97 +182,39 @@ index 00000000..9a929222
 +{
 +}
 diff --git a/src/meson.build b/src/meson.build
-index c1aae550..38e9d3b0 100644
+index c1aae550..28bfce7e 100644
 --- a/src/meson.build
 +++ b/src/meson.build
-@@ -1,3 +1,5 @@
-+url_backend = get_option('url_backend')
-+
- libapk_so_version = '2.99.0'
- libapk_src = [
- 	'adb.c',
-@@ -22,8 +24,8 @@ libapk_src = [
+@@ -22,7 +22,6 @@ libapk_src = [
  	'fs_uvol.c',
  	'hash.c',
  	'io.c',
 -	'io_url_libfetch.c',
  	'io_gunzip.c',
-+	'io_url_@[email protected]'.format(url_backend),
  	'package.c',
  	'pathbuilder.c',
- 	'print.c',
--- 
-GitLab
-
-
-From b9fe78fbf19bb10e1d0b8eb1cb1de123bee2ed7e Mon Sep 17 00:00:00 2001
-From: Christian Marangi <[email protected]>
-Date: Tue, 16 Apr 2024 17:55:15 +0200
-Subject: [PATCH 2/4] add option to configure url backend in legacy make build
- system
-
-Can be configured by setting URL_BACKEND. If not set libfetch is
-selected by default.
-
-Signed-off-by: Christian Marangi <[email protected]>
----
- src/Makefile | 20 ++++++++++++++------
- 1 file changed, 14 insertions(+), 6 deletions(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index f7873cb1..efdc68df 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -9,8 +9,8 @@ else
- $(error Lua interpreter not found. Please specify LUA interpreter, or use LUA=no to build without help.)
- endif
- 
--OPENSSL_CFLAGS		:= $(shell $(PKG_CONFIG) --cflags openssl)
--OPENSSL_LIBS		:= $(shell $(PKG_CONFIG) --libs openssl)
-+OPENSSL_CFLAGS         := $(shell $(PKG_CONFIG) --cflags openssl)
-+OPENSSL_LIBS           := $(shell $(PKG_CONFIG) --libs openssl)
- 
- ZLIB_CFLAGS		:= $(shell $(PKG_CONFIG) --cflags zlib)
- ZLIB_LIBS		:= $(shell $(PKG_CONFIG) --libs zlib)
-@@ -21,10 +21,18 @@ libapk_so		:= $(obj)/libapk.so.$(libapk_soname)
- libapk.so.$(libapk_soname)-objs := \
- 	adb.o adb_comp.o adb_walk_adb.o adb_walk_genadb.o adb_walk_gentext.o adb_walk_text.o apk_adb.o \
- 	atom.o blob.o commit.o common.o context.o crypto.o crypto_openssl.o ctype.o database.o hash.o \
--	extract_v2.o extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o io_url_libfetch.o \
--	tar.o package.o pathbuilder.o print.o solver.o trust.o version.o
-+	extract_v2.o extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o tar.o package.o pathbuilder.o \
-+	print.o solver.o trust.o version.o
+@@ -87,6 +86,13 @@ apk_src = [
+ 	'applet.c',
+ ]
  
--libapk.so.$(libapk_soname)-libs := libfetch/libfetch.a
-+libapk.so.$(libapk_soname)-libs :=
-+
-+ifeq ($(URL_BACKEND),wget)
-+libapk.so.$(libapk_soname)-objs += io_url_wget.o
-+else
-+CFLAGS_ALL += -Ilibfetch
-+libapk.so.$(libapk_soname)-objs += io_url_libfetch.o
-+libapk.so.$(libapk_soname)-libs += libfetch/libfetch.a
++url_backend = get_option('url_backend')
++if url_backend == 'libfetch'
++	libapk_src += [	'io_url_libfetch.c' ]
++elif url_backend == 'wget'
++	libapk_src += [	'io_url_wget.c' ]
 +endif
- 
- # ZSTD support can be disabled
- ifneq ($(ZSTD),no)
-@@ -79,7 +87,7 @@ LIBS_apk		:= -lapk
- LIBS_apk-test		:= -lapk
- LIBS_apk.so		:= -L$(obj) -lapk
- 
--CFLAGS_ALL		+= -D_ATFILE_SOURCE -Ilibfetch -Iportability
-+CFLAGS_ALL		+= -D_ATFILE_SOURCE -Iportability
- CFLAGS_apk.o		:= -DAPK_VERSION=\"$(VERSION)\"
- CFLAGS_apk-static.o	:= -DAPK_VERSION=\"$(VERSION)\" -DOPENSSL_NO_ENGINE
- CFLAGS_apk-test.o	:= -DAPK_VERSION=\"$(VERSION)\" -DOPENSSL_NO_ENGINE -DTEST_MODE
++
+ if lua_bin.found()
+ 	genhelp_script = files('genhelp.lua')
+ 	genhelp_args = [lua_bin, genhelp_script, '@INPUT@']
 -- 
 GitLab
 
 
-From 0418b684898403c49905c1f0e4b7c5ca522b2d50 Mon Sep 17 00:00:00 2001
+From dc7ff789a45522eb847118a29b60b896de55d083 Mon Sep 17 00:00:00 2001
 From: Jonas Jelonek <[email protected]>
 Date: Sun, 14 Apr 2024 00:20:14 +0200
-Subject: [PATCH 3/4] crypto: add support for mbedtls as backend
+Subject: [PATCH 2/2] crypto: add support for mbedtls as backend
 
 backend is selected at compile-time with crypto_backend option
 
@@ -331,16 +225,11 @@ Signed-off-by: Jonas Jelonek <[email protected]>
  libfetch/meson.build     |   2 +-
  meson.build              |  14 +-
  meson_options.txt        |   1 +
- portability/getrandom.c  |  19 +++
- portability/meson.build  |   3 +-
- portability/sys/random.h |   6 +
  src/apk_crypto.h         |   5 +
- src/apk_crypto_mbedtls.h |  30 +++++
- src/crypto_mbedtls.c     | 285 +++++++++++++++++++++++++++++++++++++++
- src/meson.build          |  21 ++-
- 10 files changed, 373 insertions(+), 13 deletions(-)
- create mode 100644 portability/getrandom.c
- create mode 100644 portability/sys/random.h
+ src/apk_crypto_mbedtls.h |  26 ++++
+ src/crypto_mbedtls.c     | 305 +++++++++++++++++++++++++++++++++++++++
+ src/meson.build          |  23 ++-
+ 7 files changed, 364 insertions(+), 12 deletions(-)
  create mode 100644 src/apk_crypto_mbedtls.h
  create mode 100644 src/crypto_mbedtls.c
 
@@ -388,66 +277,17 @@ index 9a14cac0..3a83f4e1 100644
  add_project_arguments('-D_GNU_SOURCE', language: 'c')
  
 diff --git a/meson_options.txt b/meson_options.txt
-index 940fe9a4..df0b07dc 100644
+index 44b88b32..2b1d24ce 100644
 --- a/meson_options.txt
 +++ b/meson_options.txt
-@@ -1,4 +1,5 @@
- option('arch_prefix', description: 'Define a custom arch prefix for default arch', type: 'string')
-+option('crypto_backend', description: 'Crypto backend', type: 'combo', choices: ['openssl', 'mbedtls'], value: 'openssl')
- option('compressed-help', description: 'Compress help database, needs lua-zlib', type: 'boolean', value: true)
- option('docs', description: 'Build manpages with scdoc', type: 'feature', value: 'auto')
- option('help', description: 'Build help into apk binaries, needs lua', type: 'feature', value: 'auto')
-diff --git a/portability/getrandom.c b/portability/getrandom.c
-new file mode 100644
-index 00000000..b2f4a07c
---- /dev/null
-+++ b/portability/getrandom.c
-@@ -0,0 +1,19 @@
-+#include <sys/random.h>
-+#include <sys/types.h>
-+#include <unistd.h>
-+#include <fcntl.h>
-+
-+ssize_t getrandom(void *buf, size_t buflen, unsigned int flags)
-+{
-+	int fd;
-+	ssize_t ret;
-+
-+	fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
-+	if (fd < 0)
-+		return -1;
-+
-+	ret = read(fd, buf, buflen);
-+	close(fd);
-+	return ret;
-+}
-+
-diff --git a/portability/meson.build b/portability/meson.build
-index 89957c3c..3172044e 100644
---- a/portability/meson.build
-+++ b/portability/meson.build
-@@ -3,7 +3,8 @@ cc = meson.get_compiler('c')
- libportability_src = []
- 
- check_symbols = [
--	['memrchr', 'memrchr.c', 'NEED_MEMRCHR', 'string.h'],
-+	['getrandom', 'getrandom.c', 'NEED_GETRANDOM', 'sys/random.h'],
-+        ['memrchr', 'memrchr.c', 'NEED_MEMRCHR', 'string.h'],
- 	['mknodat', 'mknodat.c', 'NEED_MKNODAT', 'sys/stat.h'],
- 	['pipe2', 'pipe2.c', 'NEED_PIPE2', 'unistd.h'],
- 	['qsort_r', 'qsort_r.c', 'NEED_QSORT_R', 'stdlib.h'],
-diff --git a/portability/sys/random.h b/portability/sys/random.h
-new file mode 100644
-index 00000000..02d5b1ca
---- /dev/null
-+++ b/portability/sys/random.h
-@@ -0,0 +1,6 @@
-+#include_next <sys/random.h>
-+#include <sys/types.h>
-+
-+#ifdef NEED_GETRANDOM
-+ssize_t getrandom(void *buf, size_t buflen, unsigned int flags);
-+#endif
+@@ -5,6 +5,7 @@ option('help', description: 'Build help into apk binaries, needs lua', type: 'fe
+ option('lua', description: 'Build luaapk (lua bindings)', type: 'feature', value: 'auto')
+ option('lua_version', description: 'Lua version to build against', type: 'string', value: '5.3')
+ option('static_apk', description: 'Also build apk.static', type: 'boolean', value: false)
++option('crypto_backend', description: 'SSL backend', type: 'string', value: 'openssl')
+ option('url_backend', description: 'URL backend', type: 'string', value: 'libfetch')
+ option('uvol_db_target', description: 'Default target for uvol database layer', type: 'string')
+ option('zstd', description: 'Build with zstd support', type: 'boolean', value: true)
 diff --git a/src/apk_crypto.h b/src/apk_crypto.h
 index 7de88dfc..5cae3bfe 100644
 --- a/src/apk_crypto.h
@@ -467,10 +307,10 @@ index 7de88dfc..5cae3bfe 100644
  
 diff --git a/src/apk_crypto_mbedtls.h b/src/apk_crypto_mbedtls.h
 new file mode 100644
-index 00000000..5481d149
+index 00000000..e379535b
 --- /dev/null
 +++ b/src/apk_crypto_mbedtls.h
-@@ -0,0 +1,30 @@
+@@ -0,0 +1,26 @@
 +/* apk_crypto_mbedtls.h - Alpine Package Keeper (APK)
 + *
 + * Copyright (C) 2024
@@ -484,45 +324,36 @@ index 00000000..5481d149
 +
 +#include <mbedtls/md.h>
 +#include <mbedtls/pk.h>
-+#include <mbedtls/bignum.h>
 +
 +struct apk_pkey {
 +	uint8_t id[16];
-+	mbedtls_pk_context key;
++	mbedtls_pk_context *key;
 +};
 +
 +struct apk_digest_ctx {
-+	mbedtls_md_context_t mdctx;
++	mbedtls_md_context_t *mdctx;
 +	struct apk_pkey *sigver_key;
 +	uint8_t alg;
 +};
 +
-+/* based on mbedtls' internal pkwrite.h calculations */
-+#define APK_ENC_KEY_MAX_LENGTH          (38 + 2 * MBEDTLS_MPI_MAX_SIZE)
-+
 +#endif
 diff --git a/src/crypto_mbedtls.c b/src/crypto_mbedtls.c
 new file mode 100644
-index 00000000..73d60e9d
+index 00000000..9ce148b5
 --- /dev/null
 +++ b/src/crypto_mbedtls.c
-@@ -0,0 +1,285 @@
+@@ -0,0 +1,305 @@
 +#include <errno.h>
 +#include <stdio.h>
 +#include <stdlib.h>
 +#include <fcntl.h>
 +#include <sys/random.h>
-+#include <sys/stat.h>
-+#include <unistd.h>
 +
 +#include <mbedtls/platform.h>
 +#include <mbedtls/md.h>
 +#include <mbedtls/pk.h>
 +#include <mbedtls/entropy.h>
-+
-+#ifdef MBEDTLS_PSA_CRYPTO_C
 +#include <psa/crypto.h>
-+#endif
 +
 +#include "apk_crypto.h"
 +
@@ -559,11 +390,14 @@ index 00000000..73d60e9d
 +int apk_digest_ctx_init(struct apk_digest_ctx *dctx, uint8_t alg)
 +{
 +	dctx->alg = alg;
++	dctx->mdctx = malloc(sizeof(mbedtls_md_context_t));
++
++	if (!dctx->mdctx) return -ENOMEM;
 +
-+	mbedtls_md_init(&dctx->mdctx);
++	mbedtls_md_init(dctx->mdctx);
 +	if (alg == APK_DIGEST_NONE) return 0;
-+	if (mbedtls_md_setup(&dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) ||
-+		mbedtls_md_starts(&dctx->mdctx))
++	if (mbedtls_md_setup(dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) ||
++		mbedtls_md_starts(dctx->mdctx))
 +		return -APKE_CRYPTO_ERROR;
 +
 +	return 0;
@@ -572,77 +406,105 @@ index 00000000..73d60e9d
 +int apk_digest_ctx_reset(struct apk_digest_ctx *dctx)
 +{
 +	if (dctx->alg == APK_DIGEST_NONE) return 0;
-+	if (mbedtls_md_starts(&dctx->mdctx)) return -APKE_CRYPTO_ERROR;
++	if (mbedtls_md_starts(dctx->mdctx)) return -APKE_CRYPTO_ERROR;
 +	return 0;
 +}
 +
 +int apk_digest_ctx_reset_alg(struct apk_digest_ctx *dctx, uint8_t alg)
 +{
-+	mbedtls_md_free(&dctx->mdctx);
++	mbedtls_md_free(dctx->mdctx);
 +
 +	dctx->alg = alg;
 +	if (alg == APK_DIGEST_NONE) return 0;
-+	if (mbedtls_md_setup(&dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) ||
-+		mbedtls_md_starts(&dctx->mdctx))
++	if (mbedtls_md_setup(dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) ||
++		mbedtls_md_starts(dctx->mdctx))
 +		return -APKE_CRYPTO_ERROR;
-+
++	
 +	return 0;
 +}
 +
 +void apk_digest_ctx_free(struct apk_digest_ctx *dctx)
 +{
-+	mbedtls_md_free(&dctx->mdctx);
++	free(dctx->mdctx);
++	dctx->mdctx = 0;
 +}
 +
 +int apk_digest_ctx_update(struct apk_digest_ctx *dctx, const void *ptr, size_t sz)
 +{
 +	if (dctx->alg == APK_DIGEST_NONE) return 0;
-+	return mbedtls_md_update(&dctx->mdctx, ptr, sz) == 0 ? 0 : -APKE_CRYPTO_ERROR;
++	return mbedtls_md_update(dctx->mdctx, ptr, sz) == 0 ? 0 : -APKE_CRYPTO_ERROR;
 +}
 +
 +int apk_digest_ctx_final(struct apk_digest_ctx *dctx, struct apk_digest *d)
 +{
-+	if (mbedtls_md_finish(&dctx->mdctx, d->data)) {
++	if (mbedtls_md_finish(dctx->mdctx, d->data)) {
 +		apk_digest_reset(d);
 +		return -APKE_CRYPTO_ERROR;
 +	}
 +
++	mbedtls_md_free(dctx->mdctx);
++
 +	d->alg = dctx->alg;
 +	d->len = apk_digest_alg_len(d->alg);
 +	return 0;
 +}
 +
-+static int apk_load_file_at(int dirfd, const char *fn, unsigned char **buf, size_t *n)
++// Entropy function adopted from ustream-ssl to avoid using the bloated mbedtls'
++// mbedtls_entropy_context and mbedtls_ctr_drbg_context.
++static int _apk_random(void *ctx, unsigned char *out, size_t len)
 +{
-+	struct stat stats;
-+	size_t size;
-+	int fd;
++	static FILE *f;
 +
-+	if ((fd = openat(dirfd, fn, O_RDONLY|O_CLOEXEC)) < 0)
-+		return -errno;
++	if (!f)
++		f = fopen("/dev/urandom", "r");
++	if (fread(out, len, 1, f) != 1)
++		return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
 +
-+	if (fstat(fd, &stats)) {
-+		close(fd);
-+		return -errno;
++	return 0;
++}
++
++// adopted from mbedtls_pk_load_file
++static int apk_load_file_fd(int fd, unsigned char **buf, size_t *n)
++{
++	FILE *f;
++	long size;
++
++	if ((f = fdopen(fd, "rb")) == NULL) {
++		return MBEDTLS_ERR_PK_FILE_IO_ERROR;
++	}
++
++#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
++	/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
++	mbedtls_setbuf(f, NULL);
++#endif
++
++	fseek(f, 0, SEEK_END);
++	if ((size = ftell(f)) == -1) {
++		fclose(f);
++		return MBEDTLS_ERR_PK_FILE_IO_ERROR;
 +	}
++	fseek(f, 0, SEEK_SET);
 +
-+	size = (size_t)stats.st_size;
-+	*n = size;
++	*n = (size_t) size;
 +
-+	if (size == 0 || (*buf = mbedtls_calloc(1, size + 1)) == NULL)
++	if (*n + 1 == 0 ||
++		(*buf = mbedtls_calloc(1, *n + 1)) == NULL) {
++		fclose(f);
 +		return MBEDTLS_ERR_PK_ALLOC_FAILED;
++	}
 +
-+	if (read(fd, *buf, size) != size) {
-+		close(fd);
++	if (fread(*buf, 1, *n, f) != *n) {
++		fclose(f);
 +
-+		mbedtls_platform_zeroize(*buf, size);
++		mbedtls_platform_zeroize(*buf, *n);
 +		mbedtls_free(*buf);
 +
 +		return MBEDTLS_ERR_PK_FILE_IO_ERROR;
 +	}
-+	close(fd);
 +
-+	(*buf)[size] = '\0';
++	fclose(f);
++
++	(*buf)[*n] = '\0';
 +
 +	if (strstr((const char *) *buf, "-----BEGIN ") != NULL) {
 +		++*n;
@@ -651,79 +513,68 @@ index 00000000..73d60e9d
 +	return 0;
 +}
 +
-+static int apk_pkey_init(struct apk_pkey *pkey)
++static int apk_pkey_init(struct apk_pkey *pkey, mbedtls_pk_context *key)
 +{
-+	unsigned char dig[APK_DIGEST_MAX_LENGTH];
-+	unsigned char pub[APK_ENC_KEY_MAX_LENGTH] = {};
++	unsigned char dig[APK_DIGEST_MAX_LENGTH], *pub = NULL;
 +	unsigned char *c;
-+	int len, r = -APKE_CRYPTO_ERROR;
++	int len, publen, r = -APKE_CRYPTO_ERROR;
 +
-+	c = pub + APK_ENC_KEY_MAX_LENGTH;
++	// Assume byte len is always * 2 + NULL terminated
++	publen = mbedtls_pk_get_len(key) * 2 + 1;
++	pub = malloc(publen);
++	if (!pub)
++		return -ENOMEM;
++	c = pub + publen;
 +
-+	// key is written backwards into pub starting at c!
-+	if ((len = mbedtls_pk_write_pubkey(&c, pub, &pkey->key)) < 0) return -APKE_CRYPTO_ERROR;
-+	if (!mbedtls_md(apk_digest_alg_to_mdinfo(APK_DIGEST_SHA512), c, len, dig)) {
++	if ((len = mbedtls_pk_write_pubkey(&c, pub, key)) < 0) return -APKE_CRYPTO_ERROR;
++	if (!mbedtls_md(apk_digest_alg_to_mdinfo(APK_DIGEST_SHA512), pub, len, dig)) {
 +		memcpy(pkey->id, dig, sizeof pkey->id);
 +		r = 0;
 +	}
-+
++ 
++	free(pub);
++	pkey->key = key;
++ 
 +	return r;
 +}
 +
 +void apk_pkey_free(struct apk_pkey *pkey)
 +{
-+	mbedtls_pk_free(&pkey->key);
-+}
-+
-+static int apk_random(void *ctx, unsigned char *out, size_t len)
-+{
-+	return (int)getrandom(out, len, 0);
++	mbedtls_pk_free(pkey->key);
 +}
 +
-+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
-+static inline int apk_mbedtls_parse_privkey(struct apk_pkey *pkey, const unsigned char *buf, size_t blen)
-+{
-+	return mbedtls_pk_parse_key(&pkey->key, buf, blen, NULL, 0, apk_random, NULL);
-+}
-+static inline int apk_mbedtls_sign(struct apk_digest_ctx *dctx, struct apk_digest *dig,
-+				   unsigned char *sig, size_t *sig_len)
-+{
-+	return mbedtls_pk_sign(&dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
-+			       (const unsigned char *)&dig->data, dig->len, sig, sizeof *sig, sig_len,
-+			       apk_random, NULL);
-+}
-+#else
-+static inline int apk_mbedtls_parse_privkey(struct apk_pkey *pkey, const unsigned char *buf, size_t blen)
-+{
-+	return mbedtls_pk_parse_key(&pkey->key, buf, blen, NULL, 0);
-+}
-+static inline int apk_mbedtls_sign(struct apk_digest_ctx *dctx, struct apk_digest *dig,
-+				   unsigned char *sig, size_t *sig_len)
-+{
-+	return mbedtls_pk_sign(&dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
-+			       (const unsigned char *)&dig->data, dig->len, sig, sig_len, apk_random, NULL);
-+}
-+#endif
-+
 +int apk_pkey_load(struct apk_pkey *pkey, int dirfd, const char *fn)
 +{
-+	unsigned char *buf = NULL;
-+	size_t blen = 0;
-+	int ret;
++	mbedtls_pk_context *key;
++	unsigned char *buf;
++	size_t blen;
++	int ret, fd;
 +
-+	if (apk_load_file_at(dirfd, fn, &buf, &blen))
-+		return -APKE_CRYPTO_ERROR;
++	fd = openat(dirfd, fn, O_RDONLY|O_CLOEXEC);
++	if (fd < 0)
++		return -errno;
 +
-+	mbedtls_pk_init(&pkey->key);
-+	if ((ret = mbedtls_pk_parse_public_key(&pkey->key, buf, blen)) != 0)
-+		ret = apk_mbedtls_parse_privkey(pkey, buf, blen);
++	key = malloc(sizeof *key);
++	if (!key)
++		return -ENOMEM;
++	
++	mbedtls_pk_init(key);
++	if (apk_load_file_fd(fd, &buf, &blen))
++		return -APKE_CRYPTO_ERROR;
 +
++	if ((ret = mbedtls_pk_parse_public_key(key, buf, blen)) != 0) {
++#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
++		ret = mbedtls_pk_parse_key(key, buf, blen, NULL, 0, _apk_random, NULL);
++#else
++		ret = mbedtls_pk_parse_key(key, buf, blen, NULL, 0);
++#endif
++	}
 +	mbedtls_platform_zeroize(buf, blen);
 +	mbedtls_free(buf);
 +	if (ret != 0)
 +		return -APKE_CRYPTO_KEY_FORMAT;
 +
-+	return apk_pkey_init(pkey);
++	return apk_pkey_init(pkey, key);
 +}
 +
 +int apk_sign_start(struct apk_digest_ctx *dctx, uint8_t alg, struct apk_pkey *pkey)
@@ -743,10 +594,16 @@ index 00000000..73d60e9d
 +
 +	if (apk_digest_ctx_final(dctx, &dig))
 +		return -APKE_SIGNATURE_GEN_FAILURE;
-+
-+	if (apk_mbedtls_sign(dctx, &dig, sig, len))
++#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)	
++	if (mbedtls_pk_sign(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
++						&dig.data, dig.len, sig, sizeof *sig, len, _apk_random, NULL))
++#else
++	if (mbedtls_pk_sign(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
++						&dig.data, dig.len, sig, len, _apk_random, NULL))
++#endif
 +		r = -APKE_SIGNATURE_GEN_FAILURE;
 +
++
 +	dctx->sigver_key = NULL;
 +	return r;
 +}
@@ -769,8 +626,7 @@ index 00000000..73d60e9d
 +	if (apk_digest_ctx_final(dctx, &dig))
 +		return -APKE_SIGNATURE_GEN_FAILURE;
 +
-+	if (mbedtls_pk_verify(&dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
-+			      (const unsigned char *)&dig.data, dig.len, sig, len))
++	if (mbedtls_pk_verify(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg), &dig.data, dig.len, sig, len))
 +		r = -APKE_SIGNATURE_INVALID;
 +
 +	dctx->sigver_key = NULL;
@@ -793,33 +649,26 @@ index 00000000..73d60e9d
 +#endif
 +}
 diff --git a/src/meson.build b/src/meson.build
-index 38e9d3b0..e1204fc0 100644
+index 28bfce7e..4eab6e0d 100644
 --- a/src/meson.build
 +++ b/src/meson.build
-@@ -1,3 +1,4 @@
-+crypto_backend = get_option('crypto_backend')
- url_backend = get_option('url_backend')
- 
- libapk_so_version = '2.99.0'
-@@ -15,7 +16,7 @@ libapk_src = [
+@@ -13,7 +13,6 @@ libapk_src = [
  	'common.c',
  	'context.c',
  	'crypto.c',
 -	'crypto_openssl.c',
-+        'crypto_@[email protected]'.format(crypto_backend),
  	'ctype.c',
  	'database.c',
  	'extract_v2.c',
-@@ -40,7 +41,7 @@ libapk_headers = [
+@@ -37,7 +36,6 @@ libapk_headers = [
  	'apk_atom.h',
  	'apk_blob.h',
  	'apk_crypto.h',
 -	'apk_crypto_openssl.h',
-+        'apk_crypto_@[email protected]'.format(crypto_backend),
  	'apk_ctype.h',
  	'apk_database.h',
  	'apk_defines.h',
-@@ -89,6 +90,17 @@ apk_src = [
+@@ -86,6 +84,11 @@ apk_src = [
  	'applet.c',
  ]
  
@@ -828,16 +677,28 @@ index 38e9d3b0..e1204fc0 100644
 +	'-D_ATFILE_SOURCE',
 +]
 +
+ url_backend = get_option('url_backend')
+ if url_backend == 'libfetch'
+ 	libapk_src += [	'io_url_libfetch.c' ]
+@@ -93,6 +96,17 @@ elif url_backend == 'wget'
+ 	libapk_src += [	'io_url_wget.c' ]
+ endif
+ 
++crypto_backend = get_option('crypto_backend')
 +if crypto_backend == 'openssl'
 +	apk_cargs += [ '-DCRYPTO_USE_OPENSSL' ]
++	libapk_src += [ 'crypto_openssl.c' ]
++	libapk_headers += [ 'apk_crypto_openssl.h' ]
 +elif crypto_backend == 'mbedtls'
 +	apk_cargs += [ '-DCRYPTO_USE_MBEDTLS' ]
++	libapk_src += [ 'crypto_mbedtls.c' ]
++	libapk_headers += [ 'apk_crypto_mbedtls.h' ]
 +endif
 +
  if lua_bin.found()
  	genhelp_script = files('genhelp.lua')
  	genhelp_args = [lua_bin, genhelp_script, '@INPUT@']
-@@ -115,11 +127,6 @@ endif
+@@ -119,11 +133,6 @@ endif
  
  apk_src += [ generated_help ]
  
@@ -852,66 +713,3 @@ index 38e9d3b0..e1204fc0 100644
 -- 
 GitLab
 
-
-From 34bb1021284dccbf97f02b0a0bb9e751b8887cad Mon Sep 17 00:00:00 2001
-From: Christian Marangi <[email protected]>
-Date: Tue, 16 Apr 2024 17:56:45 +0200
-Subject: [PATCH 4/4] add option to configure crypto backend in legacy make
- build system
-
-Define CRYPTO to select mbedtls as alternative crypto backend. By
-default openssl is used.
-
-Signed-off-by: Christian Marangi <[email protected]>
----
- src/Makefile | 20 +++++++++++++++-----
- 1 file changed, 15 insertions(+), 5 deletions(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index efdc68df..97db0e72 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -20,9 +20,9 @@ libapk_soname		:= 2.99.0
- libapk_so		:= $(obj)/libapk.so.$(libapk_soname)
- libapk.so.$(libapk_soname)-objs := \
- 	adb.o adb_comp.o adb_walk_adb.o adb_walk_genadb.o adb_walk_gentext.o adb_walk_text.o apk_adb.o \
--	atom.o blob.o commit.o common.o context.o crypto.o crypto_openssl.o ctype.o database.o hash.o \
--	extract_v2.o extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o tar.o package.o pathbuilder.o \
--	print.o solver.o trust.o version.o
-+	atom.o blob.o commit.o common.o context.o crypto.o ctype.o database.o hash.o extract_v2.o \
-+	extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o tar.o package.o pathbuilder.o print.o \
-+	solver.o trust.o version.o
- 
- libapk.so.$(libapk_soname)-libs :=
- 
-@@ -34,6 +34,16 @@ libapk.so.$(libapk_soname)-objs += io_url_libfetch.o
- libapk.so.$(libapk_soname)-libs += libfetch/libfetch.a
- endif
- 
-+ifeq ($(CRYPTO),mbedtls)
-+CRYPTO_CFLAGS		:= $(shell $(PKG_CONFIG) --cflags mbedtls mbedcrypto) -DCRYPTO_USE_MBEDTLS
-+CRYPTO_LIBS		:= $(shell $(PKG_CONFIG) --libs mbedtls mbedcrypto)
-+libapk.so.$(libapk_soname)-objs += crypto_mbedtls.o
-+else
-+CRYPTO_CFLAGS		:= $(shell $(PKG_CONFIG) --cflags openssl) -DCRYPTO_USE_OPENSSL
-+CRYPTO_LIBS		:= $(shell $(PKG_CONFIG) --libs openssl)
-+libapk.so.$(libapk_soname)-objs += crypto_openssl.o
-+endif
-+
- # ZSTD support can be disabled
- ifneq ($(ZSTD),no)
- ZSTD_CFLAGS		:= $(shell $(PKG_CONFIG) --cflags libzstd)
-@@ -100,9 +110,9 @@ LIBS_apk.static		:= -Wl,--as-needed -ldl -Wl,--no-as-needed
- LDFLAGS_apk		+= -L$(obj)
- LDFLAGS_apk-test	+= -L$(obj)
- 
--CFLAGS_ALL		+= $(OPENSSL_CFLAGS) $(ZLIB_CFLAGS) $(ZSTD_CFLAGS)
-+CFLAGS_ALL		+= $(CRYPTO_CFLAGS) $(ZLIB_CFLAGS) $(ZSTD_CFLAGS)
- LIBS			:= -Wl,--as-needed \
--				$(OPENSSL_LIBS) $(ZLIB_LIBS) $(ZSTD_LIBS) \
-+				$(CRYPTO_LIBS) $(ZLIB_LIBS) $(ZSTD_LIBS) \
- 			   -Wl,--no-as-needed
- 
- # Help generation
--- 
-GitLab

rules.mk

@@ -249,6 +249,8 @@ HOST_CFLAGS:=-O2 $(HOST_CPPFLAGS)
 HOST_LDFLAGS:=-L$(STAGING_DIR_HOST)/lib $(if $(IS_PACKAGE_BUILD),-L$(STAGING_DIR_HOSTPKG)/lib -L$(STAGING_DIR)/host/lib)
 
 BUILD_KEY=$(TOPDIR)/key-build
+BUILD_KEY_APK_SEC=$(TOPDIR)/private-key.pem
+BUILD_KEY_APK_PUB=$(TOPDIR)/public-key.pem
 
 FAKEROOT:=$(STAGING_DIR_HOST)/bin/fakeroot
 

scripts/feeds

@@ -865,7 +865,7 @@ sub feed_config() {
 		printf "\t\tdepends on PER_FEED_REPO\n";
 		printf "\t\tdefault y\n" if $installed;
 		printf "\t\thelp\n";
-		printf "\t\t Enable the \\\"%s\\\" feed in opkg distfeeds.conf.\n", $feed->[1];
+		printf "\t\t Enable the \\\"%s\\\" feed in opkg distfeeds.conf and apk repositories.\n", $feed->[1];
 		printf "\t\t Say M to add the feed commented out.\n";
 		printf "\n";
 	}
@@ -884,7 +884,7 @@ Commands:
 	    -s :            List of feed names and their URL.
 	    -r <feedname>:  List packages of specified feed.
 	    -d <delimiter>: Use specified delimiter to distinguish rows (default: spaces)
-	    -f :            List feeds in feeds.conf compatible format (when using -s).
+	    -f :            List feeds in opkg feeds.conf compatible format (when using -s).
 
 	install [options] <package>: Install a package
 	Options:

scripts/package-metadata.pl

@@ -373,7 +373,7 @@ sub and_condition($) {
 
 sub gen_condition ($) {
 	my $condition = shift;
-	# remove '!()', just as include/package-ipkg.mk does
+	# remove '!()', just as include/package-pack.mk does
 	$condition =~ s/[()!]//g;
 	return join("", map(and_condition($_), split('\|\|', $condition)));
 }

target/imagebuilder/Makefile

@@ -22,6 +22,8 @@ IB_IDIR:=$(patsubst $(TOPDIR)/%,$(PKG_BUILD_DIR)/%,$(STAGING_DIR_IMAGE))
 BUNDLER_PATH := $(subst $(space),:,$(filter-out $(TOPDIR)/%,$(subst :,$(space),$(PATH))))
 BUNDLER_COMMAND := PATH=$(BUNDLER_PATH) $(XARGS) $(SCRIPT_DIR)/bundle-libraries.sh $(PKG_BUILD_DIR)/staging_dir/host
 
+PACKAGE_SUFFIX:=$(if $(CONFIG_USE_APK),apk,ipk)
+
 all: compile
 
 $(BIN_DIR)/$(IB_NAME).tar.zst: clean
@@ -35,18 +37,21 @@ $(BIN_DIR)/$(IB_NAME).tar.zst: clean
 		$(INCLUDE_DIR) $(SCRIPT_DIR) \
 		$(TOPDIR)/rules.mk \
 		./files/Makefile \
-		./files/repositories.conf \
 		$(TMP_DIR)/.targetinfo \
 		$(TMP_DIR)/.packageinfo \
 		$(PKG_BUILD_DIR)/
 
+	$(INSTALL_DIR) $(PKG_BUILD_DIR)/packages
+
 ifeq ($(CONFIG_IB_STANDALONE),)
+ifneq ($(CONFIG_USE_APK),)
+	$(call FeedSourcesAppendAPK,$(PKG_BUILD_DIR)/repositories)
+	$(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories
+else
 	echo '## Remote package repositories' >> $(PKG_BUILD_DIR)/repositories.conf
-	$(call FeedSourcesAppend,$(PKG_BUILD_DIR)/repositories.conf)
+	$(call FeedSourcesAppendOPKG,$(PKG_BUILD_DIR)/repositories.conf)
 	$(VERSION_SED_SCRIPT) $(PKG_BUILD_DIR)/repositories.conf
-endif
 
-	$(INSTALL_DIR) $(PKG_BUILD_DIR)/packages
 	# create an empty package index so `opkg` doesn't report an error
 	touch $(PKG_BUILD_DIR)/packages/Packages
 	$(INSTALL_DATA) ./files/README.md $(PKG_BUILD_DIR)/packages/
@@ -54,28 +59,32 @@ endif
 	echo ''                                                        >> $(PKG_BUILD_DIR)/repositories.conf
 	echo '## This is the local package repository, do not remove!' >> $(PKG_BUILD_DIR)/repositories.conf
 	echo 'src imagebuilder file:packages'                          >> $(PKG_BUILD_DIR)/repositories.conf
+endif
+endif
 
 ifeq ($(CONFIG_BUILDBOT),)
   ifeq ($(CONFIG_IB_STANDALONE),)
 	$(FIND) $(call FeedPackageDir,libc) -type f \
-		\( -name 'libc_*.ipk' -or -name 'kernel_*.ipk' -or -name 'kmod-*.ipk' \) \
+		\( -name 'libc_*.$(PACKAGE_SUFFIX)' -or -name 'kernel_*.$(PACKAGE_SUFFIX)' -or -name 'kmod-*.$(PACKAGE_SUFFIX)' \) \
 		-exec $(CP) -t $(PKG_BUILD_DIR)/packages {} +
   else
-	$(FIND) $(wildcard $(PACKAGE_SUBDIRS)) -type f -name '*.ipk' \
+	$(FIND) $(wildcard $(PACKAGE_SUBDIRS)) -type f -name '*.$(PACKAGE_SUFFIX)' \
 		-exec $(CP) -t $(PKG_BUILD_DIR)/packages/ {} +
   endif
 else
 	$(FIND) $(call FeedPackageDir,libc) -type f \
-		\( -name 'libc_*.ipk' -or -name 'kernel_*.ipk' \) \
+		\( -name 'libc_*.$(PACKAGE_SUFFIX)' -or -name 'kernel_*.$(PACKAGE_SUFFIX)' \) \
 		-exec $(CP) -t $(IB_LDIR)/ {} +
 endif
 
+ifneq ($(CONFIG_USE_APK),y)
 ifneq ($(CONFIG_SIGNATURE_CHECK),)
 	echo ''                                                        >> $(PKG_BUILD_DIR)/repositories.conf
 	echo 'option check_signature'                                  >> $(PKG_BUILD_DIR)/repositories.conf
 	$(INSTALL_DIR) $(PKG_BUILD_DIR)/keys
 	$(CP) -L $(STAGING_DIR_ROOT)/etc/opkg/keys/ $(PKG_BUILD_DIR)/
 	$(CP) -L $(STAGING_DIR_ROOT)/usr/sbin/opkg-key $(PKG_BUILD_DIR)/scripts/
+endif
 endif
 
 	$(CP) -L $(TOPDIR)/target/linux/Makefile $(PKG_BUILD_DIR)/target/linux

target/imagebuilder/files/Makefile

@@ -85,6 +85,8 @@ help: FORCE
 # override variables from rules.mk
 PACKAGE_DIR:=$(TOPDIR)/packages
 LISTS_DIR:=$(subst $(space),/,$(patsubst %,..,$(subst /,$(space),$(TARGET_DIR))))$(DL_DIR)
+PACKAGE_DIR_ALL:=$(TOPDIR)/packages
+
 export OPKG_KEYS:=$(TOPDIR)/keys
 OPKG:=$(call opkg,$(TARGET_DIR)) \
 	-f $(TOPDIR)/repositories.conf \
@@ -92,6 +94,11 @@ OPKG:=$(call opkg,$(TARGET_DIR)) \
 	--cache $(DL_DIR) \
 	--lists-dir $(LISTS_DIR)
 
+APK:=$(call apk,$(TARGET_DIR)) \
+	--cache-dir $(DL_DIR) \
+	--allow-untrusted
+
+
 include $(INCLUDE_DIR)/target.mk
 -include .profiles.mk
 
@@ -152,20 +159,25 @@ _call_manifest: FORCE
 	mkdir -p $(TARGET_DIR) $(BIN_DIR) $(TMP_DIR) $(DL_DIR)
 	$(MAKE) package_reload >/dev/null
 	$(MAKE) package_install >/dev/null
-	$(OPKG) list-installed $(if $(STRIP_ABI),--strip-abi)
+	$(APK) list --quiet --manifest --no-network
 
 package_index: FORCE
 	@echo >&2
 	@echo Building package index... >&2
 	@mkdir -p $(TMP_DIR) $(TARGET_DIR)/tmp
+ifeq ($(CONFIG_USE_APK),)
 	(cd $(PACKAGE_DIR); $(SCRIPT_DIR)/ipkg-make-index.sh . > Packages && \
 		gzip -9nc Packages > Packages.gz; \
 		$(if $(CONFIG_SIGNATURE_CHECK), \
 			$(STAGING_DIR_HOST)/bin/usign -S -m Packages -s $(BUILD_KEY)) \
 	) >/dev/null 2>/dev/null
 	$(OPKG) update >&2 || true
+else
+	(cd $(PACKAGE_DIR); $(APK) mkndx --output packages.adb *.apk) >&2
+endif
 
 package_reload:
+ifeq ($(CONFIG_USE_APK),)
 	if [ -d "$(PACKAGE_DIR)" ] && ( \
 			[ ! -f "$(PACKAGE_DIR)/Packages" ] || \
 			[ ! -f "$(PACKAGE_DIR)/Packages.gz" ] || \
@@ -176,29 +188,48 @@ package_reload:
 		mkdir -p $(TARGET_DIR)/tmp; \
 		$(OPKG) update >&2 || true; \
 	fi
+else
+	if [ -d "$(PACKAGE_DIR)" ] && ( \
+			[ ! -f "$(PACKAGE_DIR)/packages.adb" ] || \
+			[ "`find $(PACKAGE_DIR) -cnewer $(PACKAGE_DIR)/packages.adb`" ] ); then \
+		echo "Package list missing or not up-to-date, generating it." >&2 ;\
+		$(MAKE) package_index; \
+	else \
+		mkdir -p $(TARGET_DIR)/tmp; \
+		$(APK) update >&2 || true; \
+	fi
+endif
 
 package_list: FORCE
 	@$(MAKE) -s package_reload
-	@$(OPKG) list --size 2>/dev/null
+	@$(APK) list --size 2>/dev/null
 
 package_install: FORCE
 	@echo
 	@echo Installing packages...
+ifeq ($(CONFIG_USE_APK),)
 	$(OPKG) install $(firstword $(wildcard $(LINUX_DIR)/libc_*.ipk $(PACKAGE_DIR)/libc_*.ipk))
 	$(OPKG) install $(firstword $(wildcard $(LINUX_DIR)/kernel_*.ipk $(PACKAGE_DIR)/kernel_*.ipk))
 	$(OPKG) install $(BUILD_PACKAGES)
+else
+	$(APK) add --initdb --no-scripts $(firstword $(wildcard $(LINUX_DIR)/libc-*.apk $(PACKAGE_DIR)/libc_*.apk))
+	$(APK) add --no-scripts $(firstword $(wildcard $(LINUX_DIR)/kernel-*.apk $(PACKAGE_DIR)/kernel_*.apk))
+	$(APK) add --no-scripts $(BUILD_PACKAGES)
+endif
 
 prepare_rootfs: FORCE
 	@echo
 	@echo Finalizing root filesystem...
 
 	$(CP) $(TARGET_DIR) $(TARGET_DIR_ORIG)
+ifeq ($(CONFIG_USE_APK),)
 	$(if $(CONFIG_SIGNATURE_CHECK), \
 		$(if $(ADD_LOCAL_KEY), \
 			OPKG_KEYS=$(TARGET_DIR)/etc/opkg/keys/ \
 			$(SCRIPT_DIR)/opkg-key add $(BUILD_KEY).pub \
 		) \
 	)
+endif
 	$(call prepare_rootfs,$(TARGET_DIR),$(USER_FILES),$(DISABLED_SERVICES))
 
 build_image: FORCE
@@ -245,6 +276,9 @@ ifneq ($(PROFILE),)
 endif
 
 _check_keys: FORCE
+ifeq ($(CONFIG_USE_APK),)
+	# TODO
+else
 ifneq ($(CONFIG_SIGNATURE_CHECK),)
 	@if [ ! -s $(BUILD_KEY) -o ! -s $(BUILD_KEY).pub ]; then \
 		echo Generate local signing keys... >&2; \
@@ -260,6 +294,7 @@ ifneq ($(CONFIG_SIGNATURE_CHECK),)
 			-s $(BUILD_KEY); \
 	fi
 endif
+endif
 
 image:
 	$(MAKE) -s _check_profile
@@ -287,7 +322,11 @@ ifeq ($(PACKAGE),)
 	@exit 1
 endif
 	@$(MAKE) -s package_reload
-	@$(OPKG) whatdepends -A $(PACKAGE)
+ifeq ($(CONFIG_USE_APK),)
+	@$(OPKG) list --depends $(PACKAGE)
+else
+	@$(APK) list --depends $(PACKAGE)
+endif
 
 package_depends: FORCE
 ifeq ($(PACKAGE),)
@@ -295,7 +334,10 @@ ifeq ($(PACKAGE),)
 	@exit 1
 endif
 	@$(MAKE) -s package_reload
+ifeq ($(CONFIG_USE_APK),)
 	@$(OPKG) depends -A $(PACKAGE)
-
+else
+	@$(OPKG) whatdepends -A $(PACKAGE)
+endif
 
 .SILENT: help info image manifest package_whatdepends package_depends