Merge pull request #9 from edhongcy/master

Some enhabcement and bug fix for code signing
qnap-dev · Apr 19, 2019 · 7cc403f · 7cc403f
2 parents 7ec3266 + 2ab3c29
commit 7cc403f
Show file tree

Hide file tree

Showing 7 changed files with 85 additions and 55 deletions.
diff --git a/QDK_2.x/bin/qbuild b/QDK_2.x/bin/qbuild
@@ -32,6 +32,10 @@ PREFIX="App Center"
 ##### Command definitions #####
 CMD_AWK="${CMD_AWK:-$(command -v awk)}"
 CMD_CMP="${CMD_CMP:-$(command -v cmp)}"
+CS_PYTHON="${CS_PYTHON:-$(command -v python2)}"
+if [ ! -e "$CS_PYTHON" ]; then
+CS_PYTHON="$(command -v python)"
+fi
 
 # Cleanup any temporary directories and files at termination.
 trap 'cleanup_all' INT TERM
@@ -513,7 +517,7 @@ do_code_signing(){
 	[ -z "$QNAP_CODE_SIGNING_CSV" ] && QNAP_CODE_SIGNING_CSV="build_sign.csv"
 	[ -z "$QNAP_CODE_SIGNING_SERVER_IP" ] && QNAP_CODE_SIGNING_SERVER_IP=$DEFAULT_QNAP_CODE_SIGNING_SERVER_IP
 	[ -z "$QNAP_CODE_SIGNING_SERVER_PORT" ] && QNAP_CODE_SIGNING_SERVER_PORT=$DEFAULT_QNAP_CODE_SIGNING_SERVER_PORT
-	python "${QDK_SCRIPTS_DIR}/codesigning_qpkg.py" cert="${QDK_SCRIPTS_DIR}/codesigning_cert.pem" cwd="`pwd`" buildpath=$build_dir csv="${QNAP_CODE_SIGNING_CSV}" server=${QNAP_CODE_SIGNING_SERVER_IP}:${QNAP_CODE_SIGNING_SERVER_PORT}  2>&1 | tee -a code_signing.log
+	$CS_PYTHON "${QDK_SCRIPTS_DIR}/codesigning_qpkg.py" cert="${QDK_SCRIPTS_DIR}/codesigning_cert.pem" cwd="`pwd`" buildpath=$build_dir csv="${QNAP_CODE_SIGNING_CSV}" server=${QNAP_CODE_SIGNING_SERVER_IP}:${QNAP_CODE_SIGNING_SERVER_PORT}  2>&1 | tee -a code_signing.log
 }
 
 # Create data package for distribution.
@@ -924,12 +928,14 @@ add_qpkg_signature(){
 		[ -z "$QNAP_CODE_SIGNING_SERVER_IP" ] && QNAP_CODE_SIGNING_SERVER_IP=$DEFAULT_QNAP_CODE_SIGNING_SERVER_IP
 		[ -z "$QNAP_CODE_SIGNING_SERVER_PORT" ] && QNAP_CODE_SIGNING_SERVER_PORT=$DEFAULT_QNAP_CODE_SIGNING_SERVER_PORT
 		openssl dgst -sha1 -binary "${QDK_QPKG_FILE}" > "${QDK_QPKG_FILE}.sha"
-		python "${QDK_SCRIPTS_DIR}/codesigning_qpkg_cms.py" cert="${QDK_SCRIPTS_DIR}/codesigning_cert.pem" cwd="`pwd`" server=${QNAP_CODE_SIGNING_SERVER_IP}:${QNAP_CODE_SIGNING_SERVER_PORT} in="${QDK_QPKG_FILE}.sha" out="${QDK_QPKG_FILE}.msg" 2>&1 | tee -a code_signing.log
+		$CS_PYTHON "${QDK_SCRIPTS_DIR}/codesigning_qpkg_cms.py" cert="${QDK_SCRIPTS_DIR}/codesigning_cert.pem" cwd="`pwd`" server=${QNAP_CODE_SIGNING_SERVER_IP}:${QNAP_CODE_SIGNING_SERVER_PORT} in="${QDK_QPKG_FILE}.sha" out="${QDK_QPKG_FILE}.msg" 2>&1 | tee -a code_signing.log
 		/bin/rm ${QDK_QPKG_FILE}.sha
 		if [ -f "${QDK_QPKG_FILE}.msg" ]; then
 			add_qdk_area_begin
 			add_qdk_area_code_signing ${QDK_QPKG_FILE}.msg
 			add_qdk_area_end
+			SIG=`openssl cms -cmsout -in ${QDK_QPKG_FILE}.msg | tr -d '\n' | tail -c 32`
+			echo "${SIG}" > ${QDK_BUILD_DIR}/${QDK_QPKG_FILE}.codesigning
 			/bin/rm ${QDK_QPKG_FILE}.msg
 		else
 			warn_msg "$QDK_QPKG_FILE: no code signing data added"
@@ -1271,7 +1277,6 @@ cleanup_after_build(){
 	call_teardown
 }
 
-
 # Main build function.
 build_qpkg(){
 	# All build operation should be run in the QDK_ROOT_DIR directory (current
@@ -1310,7 +1315,7 @@ create_env(){
 	edit_qpkg_config QPKG_SERVICE_PROGRAM "${qpkg_name}.sh" "$qpkg_cfg"
 
 	[ -z "$QDK_BUILD_VERSION" ] || edit_qpkg_config QPKG_VER "$QDK_BUILD_VERSION" "$qpkg_cfg"
-	/bin/echo "/${qpkg_name}.sh," > ${qpkg_name}/build_sign.csv
+	/bin/echo ",/${qpkg_name}.sh," > ${qpkg_name}/build_sign.csv
 	verbose_msg "Template QPKG build environment created in $qpkg_name directory"
 }
 
@@ -1561,14 +1566,16 @@ add_code_signing(){
 
 	# Send qpkg digest to server
 	openssl dgst -sha1 -binary "${qpkg}.$$" > "${qpkg}.sha"
-	python "${QDK_SCRIPTS_DIR}/codesigning_qpkg_cms.py" cert="${QDK_SCRIPTS_DIR}/codesigning_cert.pem" server=${QNAP_CODE_SIGNING_SERVER_IP}:${QNAP_CODE_SIGNING_SERVER_PORT} qpkgname=${QPKG_NAME} version=${QPKG_VER} in="${qpkg}.sha" out="${qpkg}.msg" 2>&1 | tee -a code_signing.log
+	$CS_PYTHON "${QDK_SCRIPTS_DIR}/codesigning_qpkg_cms.py" cert="${QDK_SCRIPTS_DIR}/codesigning_cert.pem" server=${QNAP_CODE_SIGNING_SERVER_IP}:${QNAP_CODE_SIGNING_SERVER_PORT} qpkgname=${QPKG_NAME} version=${QPKG_VER} in="${qpkg}.sha" out="${qpkg}.msg" 2>&1 | tee -a code_signing.log
 	/bin/rm ${qpkg}.sha
 
 	# Add code signing data into qpkg
 	if [ -f "${qpkg}.msg" ]; then
 		add_qdk_area_begin ${qpkg}.$$
 		add_qdk_area_code_signing ${qpkg}.msg ${qpkg}.$$
 		add_qdk_area_end ${qpkg}.$$
+		SIG=`openssl cms -cmsout -in ${QDK_QPKG_FILE}.msg | tr -d '\n' | tail -c 32`
+		echo "${SIG}" > ${QDK_BUILD_DIR}/${QDK_QPKG_FILE}.codesigning
 		/bin/rm ${qpkg}.msg
 	else
 		/bin/rm ${qpkg}.$$
@@ -1606,25 +1613,25 @@ verify_code_signing(){
 		https://${QNAP_CODE_SIGNING_SERVER_IP}:${QNAP_CODE_SIGNING_SERVER_PORT}/keys/qnaproot \
 		2>/dev/null"
 	output="$(eval $curl_cmd)" || err_msg "failed to connect to code signing server"
-	server_err=$(echo $output | python -c 'import json,sys;obj=json.load(sys.stdin);print obj["error"]')
+	server_err=$(echo $output | $CS_PYTHON -c 'import json,sys;obj=json.load(sys.stdin);print obj["error"]')
 	if [ $server_err -ne 0 ]; then
-		server_msg=$(echo $output | python -c 'import json,sys;obj=json.load(sys.stdin);print obj["msg"]')
+		server_msg=$(echo $output | $CS_PYTHON -c 'import json,sys;obj=json.load(sys.stdin);print obj["msg"]')
 		err_msg "error from code signing server: $server_msg"
 	fi
-	echo $output | python -c 'import json,sys;obj=json.load(sys.stdin);print obj["certificate"]["pem"]' > $ca_cert_file
+	echo $output | $CS_PYTHON -c 'import json,sys;obj=json.load(sys.stdin);print obj["certificate"]["pem"]' > $ca_cert_file
 
 	# Get ca cert (3rd party)
 	ca_cert3_file="${qpkg}.ca3"
 	curl_cmd="curl -k -X GET -d 'token=${QNAP_CODESIGNING_TOKEN}&third_party=true' \
 		https://${QNAP_CODE_SIGNING_SERVER_IP}:${QNAP_CODE_SIGNING_SERVER_PORT}/keys/qnaproot \
 		2>/dev/null"
 	output="$(eval $curl_cmd)" || err_msg "failed to connect to code signing server"
-	server_err=$(echo $output | python -c 'import json,sys;obj=json.load(sys.stdin);print obj["error"]')
+	server_err=$(echo $output | $CS_PYTHON -c 'import json,sys;obj=json.load(sys.stdin);print obj["error"]')
 	if [ $server_err -ne 0 ]; then
-		server_msg=$(echo $output | python -c 'import json,sys;obj=json.load(sys.stdin);print obj["msg"]')
+		server_msg=$(echo $output | $CS_PYTHON -c 'import json,sys;obj=json.load(sys.stdin);print obj["msg"]')
 		err_msg "error from code signing server: $server_msg"
 	fi
-	echo $output | python -c 'import json,sys;obj=json.load(sys.stdin);print obj["certificate"]["pem"]' > $ca_cert3_file
+	echo $output | $CS_PYTHON -c 'import json,sys;obj=json.load(sys.stdin);print obj["certificate"]["pem"]' > $ca_cert3_file
 
 	# Verify
 	qpkg_data_file="${qpkg}.data"

diff --git a/QDK_2.x/qdk.conf b/QDK_2.x/qdk.conf
@@ -1 +1 @@
-QDK_VERSION=2.3.8
+QDK_VERSION=2.3.9
diff --git a/QDK_2.x/scripts/code_signing.cfg b/QDK_2.x/scripts/code_signing.cfg
@@ -1,4 +1,4 @@
 QPKG_NAME="QDK"
-QPKG_VER="2.3.8"
+QPKG_VER="2.3.9"
 QNAP_CODE_SIGNING_SERVER_IP=172.17.21.68
 QNAP_CODE_SIGNING_SERVER_PORT=5000
diff --git a/QDK_2.x/scripts/codesigning_common.py b/QDK_2.x/scripts/codesigning_common.py
@@ -236,7 +236,7 @@ def sign_files(kwargs):
         url = url + "/" + kwargs["version"]
     elif key_type == "qpkg":
         url = url + "/" + kwargs["qpkgname"] + "/" + kwargs["version"]
-    command = "curl %s --connect-timeout 60 --max-time 600 -X POST -F token=%s -F file=@%s https://%s"
+    command = "curl %s --connect-timeout 60 --max-time 600 --retry 3 -X POST -F token=%s -F file=@%s https://%s"
     if "cert" in kwargs:
         if not os.path.isfile(kwargs["cert"]):
             logging.error("Cannot find certificate file %s" % kwargs["cert"])
@@ -268,7 +268,7 @@ def sign_cms(kwargs):
         url = url + "/" + kwargs["version"]
     elif key_type == "qpkg":
         url = url + "/" + kwargs["qpkgname"] + "/" + kwargs["version"]
-    command = "curl %s --connect-timeout 60 --max-time 600 -X POST -F token=%s -F file=@%s https://%s"
+    command = "curl %s --connect-timeout 60 --max-time 600 --retry 3 -X POST -F token=%s -F file=@%s https://%s"
     if "cert" in kwargs:
         if not os.path.isfile(kwargs["cert"]):
             logging.error("Cannot find certificate file %s" % kwargs["cert"])

diff --git a/QDK_2.x/scripts/codesigning_login.sh b/QDK_2.x/scripts/codesigning_login.sh
@@ -5,6 +5,8 @@ SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
 read -p 'username: ' USERNAME
 read -sp 'password: ' PASSWORD
 echo
+USERNAME=$(python -c "import urllib; print urllib.quote('''$USERNAME''')")
+PASSWORD=$(python -c "import urllib; print urllib.quote('''$PASSWORD''')")
 RESPONSE="$(eval "curl -X POST --cacert ${SCRIPTPATH}/codesigning_cert.pem -d \"username=${USERNAME}&password=${PASSWORD}\" \
 	https://${SERVER}:5000/login 2>/dev/null")"
 RET=$?

diff --git a/QDK_2.x/scripts/qinstall.sh b/QDK_2.x/scripts/qinstall.sh
@@ -5,8 +5,11 @@
 #
 # A QPKG installation script for QDK
 #
+# QDK V.2.3.9
+#
 # Copyright (C) 2009,2010 QNAP Systems, Inc.
 # Copyright (C) 2010,2011 Michael Nordstrom
+# Copyright (C) 2013,2018 QNAP Systems, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -57,7 +60,7 @@ CMD_WGET="/usr/bin/wget"
 CMD_WLOG="/sbin/write_log"
 CMD_XARGS="/usr/bin/xargs"
 CMD_7Z="/usr/local/sbin/7z"
-
+CMD_QSH="/usr/local/sbin/qsh"
 
 ##### System definitions #####
 SYS_EXTRACT_DIR="$(pwd)"
@@ -135,6 +138,7 @@ SYS_USB_SHARE=""
 SYS_USB_PATH=""
 SYS_WEB_SHARE=""
 SYS_WEB_PATH=""
+SYS_CODESIGNING_TOKEN=""
 # Path to ipkg or opkg package tool if installed.
 CMD_PKG_TOOL=
 
@@ -154,6 +158,7 @@ fi
 ###########################################
 SYS_MSG_FILE_NOT_FOUND="Data file not found."
 SYS_MSG_FILE_ERROR="[$PREFIX] Failed to install $QPKG_NAME due to data file error."
+SYS_MSG_CODESIGNING_ERROR="[$PREFIX] Failed to install $QPKG_NAME due to anti-tampering file error."
 SYS_MSG_PUBLIC_NOT_FOUND="Public share not found."
 SYS_MSG_FAILED_CONFIG_RESTORE="Failed to restore saved configuration data."
 
@@ -215,32 +220,47 @@ err_log(){
 
 handle_extract_error(){
 	if [ -x "/usr/local/sbin/notify" ]; then
-		/usr/local/sbin/notify send -A A039 -C C001 -M 35 -l error -t 3 "[{0}] {1} install failed du to data file error." "$PREFIX" "$QPKG_DISPLAY_NAME"
+		/usr/local/sbin/notify send -A A039 -C C001 -M 35 -l error -t 3 "[{0}] {1} install failed due to data file error." "$PREFIX" "$QPKG_DISPLAY_NAME"
 		set_progress_fail
 		exit 1
 	else
 		err_log "$SYS_MSG_FILE_ERROR"
 	fi
 }
-TOKEN=""
+
+handle_codesigning_error(){
+	if [ -x "/usr/local/sbin/notify" ]; then
+		/usr/local/sbin/notify send -A A039 -C C001 -M 62 -l error -t 3 "[{0}] Failed to install {1} due to anti-tampering file error." "$PREFIX" "$QPKG_DISPLAY_NAME"
+		set_progress_fail
+		exit 1
+	else
+		err_log "$SYS_MSG_CODESIGNING_ERROR"
+	fi
+}
+
 codesigning_preinstall(){
-	local ret="$($CMD_ECHO -n "$QPKG_NAME:$SYS_QPKG_DIR" | qsh -0e cs_qdaemon.verify_qpkg)"
-	local status=`$CMD_ECHO $ret | awk -F':' '{print $1}'`
-	TOKEN=`$CMD_ECHO $ret | awk -F':' '{print $2}'`
-	echo "verify_qpkg return: $ret, status: $status, token: $TOKEN"
-	if [ "x$status" != "xsuccess" ] || [ "x$TOKEN" = "x" ]; then
-		handle_extract_error
+	local ret="$($CMD_ECHO -n "$QPKG_NAME:$SYS_QPKG_DIR" | $CMD_QSH -0e cs_qdaemon.verify_qpkg)"
+	local status=`$CMD_ECHO $ret | $CMD_AWK -F':' '{print $1}'`
+	SYS_CODESIGNING_TOKEN=`$CMD_ECHO $ret | $CMD_AWK -F':' '{print $2}'`
+	$CMD_ECHO "verify_qpkg return: $ret, status: $status, token: $SYS_CODESIGNING_TOKEN"
+	if [ "x$status" != "xsuccess" ] || [ "x$SYS_CODESIGNING_TOKEN" = "x" ]; then
+		## is it possible to be here after we have already checked cerficiate first?
+		handle_codesigning_error
 	fi
 }
+
 codesigning_postinstall(){
-	echo "codesigning_postinstall token: $TOKEN"
-	if [ "x$TOKEN" != "x" ]; then
-		local ret="$($CMD_ECHO -n "$QPKG_NAME:$TOKEN" | qsh -0e cs_qdaemon.qpkg_finish)"
-		echo "finish return: $ret"
+	local err="${1:-0}"
+	$CMD_ECHO "codesigning_postinstall token: $SYS_CODESIGNING_TOKEN, err: $err"
+	if [ "x$SYS_CODESIGNING_TOKEN" != "x" ]; then
+		local ret="$($CMD_ECHO -n "$QPKG_NAME:$SYS_CODESIGNING_TOKEN:$err" | $CMD_QSH -0e cs_qdaemon.qpkg_finish)"
+		$CMD_ECHO "finish return: $ret"
 	else
-		handle_extract_error
+		## is it possible to be here after we have already checked cerficiate first?
+		handle_codesigning_error
 	fi
 }
+
 codesigning_extract_data(){
 	[ -n "$1" ] || return 1
 	local archive="$1"
@@ -256,11 +276,12 @@ codesigning_extract_data(){
 		*.gz|*.bz2)
 			$CMD_TAR xf "$archive" "./$codesigning_dir" 2>/dev/null
 			if [ $? = 0 ]; then
-				$CMD_MV "$codesigning_dir" "$root_dir/$codesigning_dir"
+				$CMD_CP -arf "$codesigning_dir" "$root_dir/"
 				codesigning_preinstall
 				$CMD_TAR xvf "$archive" --exclude="$codesigning_dir" -C "$root_dir" 2>/dev/null >>$SYS_QPKG_DIR/.list
 				ret=$?
-				codesigning_postinstall
+				codesigning_postinstall $ret
+				$CMD_RM -rf "$codesigning_dir"
 				[ $ret = 0 ] || handle_extract_error
 			else
 				$CMD_TAR xvf "$archive" -C "$root_dir" 2>/dev/null >>$SYS_QPKG_DIR/.list || handle_extract_error
@@ -269,11 +290,12 @@ codesigning_extract_data(){
 		*.7z)
 			$CMD_7Z x -so "$archive" 2>/dev/null | $CMD_TAR x "./$codesigning_dir" 2>/dev/null
 			if [ $? = 0 ]; then
-				$CMD_MV "$codesigning_dir" "$root_dir/$codesigning_dir"
+				$CMD_CP -arf "$codesigning_dir" "$root_dir/"
 				codesigning_preinstall
 				$CMD_7Z x -so "$archive" 2>/dev/null | $CMD_TAR xv -C "$root_dir" --exclude="$codesigning_dir" 2>/dev/null >>$SYS_QPKG_DIR/.list
 				ret=$?
-				codesigning_postinstall
+				codesigning_postinstall $ret
+				$CMD_RM -rf "$codesigning_dir"
 				[ $ret = 0 ] || handle_extract_error
 			else
 				$CMD_7Z x -so "$archive" 2>/dev/null | $CMD_TAR xv -C "$root_dir" 2>/dev/null >>$SYS_QPKG_DIR/.list || handle_extract_error
@@ -283,11 +305,12 @@ codesigning_extract_data(){
 			$CMD_TAR xf "./xz.tgz"
 			LD_LIBRARY_PATH=${PWD}/lib $xz_ld_wrapper bin/xzcat "$archive" 2>/dev/null | $CMD_TAR x "./$codesigning_dir" 2>/dev/null
 			if [ $? = 0 ]; then
-				$CMD_MV "$codesigning_dir" "$root_dir/$codesigning_dir"
+				$CMD_CP -arf "$codesigning_dir" "$root_dir"
 				codesigning_preinstall
 				$CMD_7Z x -so "$archive" 2>/dev/null | $CMD_TAR xv -C "$root_dir" --exclude="$codesigning_dir" 2>/dev/null >>$SYS_QPKG_DIR/.list
 				ret=$?
-				codesigning_postinstall
+				codesigning_postinstall $ret
+				$CMD_RM -rf "$codesigning_dir"
 				[ $ret = 0 ] || handle_extract_error
 			else
 				$CMD_TAR xf "./xz.tgz"
@@ -312,23 +335,17 @@ extract_data(){
 
 	case "$archive" in
 		*.gz|*.bz2)
-			$CMD_TAR xvf "$archive" -C "$root_dir" 2>/dev/null >>$SYS_QPKG_DIR/.list || if [ -x "/usr/local/sbin/notify" ]; then /usr/local/sbin/notify send -A A039 -C C001 -M 35 -l error -t 3 "[{0}] {1} install failed du to data file error." "$PREFIX" "$QPKG_NAME";set_progress_fail;exit 1;else err_log "$SYS_MSG_FILE_ERROR";fi
+			$CMD_TAR xvf "$archive" -C "$root_dir" 2>/dev/null >>$SYS_QPKG_DIR/.list || handle_extract_error
 			;;
 		*.7z)
-			$CMD_7Z x -so "$archive" 2>/dev/null | $CMD_TAR xv -C "$root_dir" 2>/dev/null >>$SYS_QPKG_DIR/.list || if [ -x "/usr/local/sbin/notify" ]; then /usr/local/sbin/notify send -A A039 -C C001 -M 35 -l error -t 3 "[{0}] {1} install failed du to data file error." "$PREFIX" "$QPKG_NAME";set_progress_fail;exit 1;else err_log "$SYS_MSG_FILE_ERROR";fi
+			$CMD_7Z x -so "$archive" 2>/dev/null | $CMD_TAR xv -C "$root_dir" 2>/dev/null >>$SYS_QPKG_DIR/.list || handle_extract_error
 			;;
 		*.xz)
 			$CMD_TAR xf "./xz.tgz"
-			LD_LIBRARY_PATH=${PWD}/lib $xz_ld_wrapper bin/xzcat "$archive" 2>/dev/null | $CMD_TAR xv -C "$root_dir" 2>/dev/null >>$SYS_QPKG_DIR/.list || if [ -x "/usr/local/sbin/notify" ]; then /usr/local/sbin/notify send -A A039 -C C001 -M 35 -l error -t 3 "[{0}] {1} install failed du to data file error." "$PREFIX" "$QPKG_NAME";set_progress_fail;exit 1;else err_log "$SYS_MSG_FILE_ERROR";fi
+			LD_LIBRARY_PATH=${PWD}/lib $xz_ld_wrapper bin/xzcat "$archive" 2>/dev/null | $CMD_TAR xv -C "$root_dir" 2>/dev/null >>$SYS_QPKG_DIR/.list || handle_extract_error
 			;;
 		*)
-			if [ -x "/usr/local/sbin/notify" ]; then
-				/usr/local/sbin/notify send -A A039 -C C001 -M 35 -l error -t 3 "[{0}] {1} install failed du to data file error." "$PREFIX" "$QPKG_NAME"
-				set_progress_fail
-				exit 1
-			else
-				err_log "$SYS_MSG_FILE_ERROR"
-			fi
+			handle_extract_error
 	esac
 }
 
@@ -337,7 +354,7 @@ extract_data(){
 #############################
 extract_config(){
 	if [ -f $SYS_QPKG_DATA_CONFIG_FILE ]; then
-		$CMD_TAR xvf $SYS_QPKG_DATA_CONFIG_FILE -C / 2>/dev/null | $CMD_SED 's/\.//' 2>/dev/null >>$SYS_QPKG_DIR/.list || if [ -x "/usr/local/sbin/notify" ]; then /usr/local/sbin/notify send -A A039 -C C001 -M 35 -l error -t 3 "[{0}] {1} install failed du to data file error." "$PREFIX" "$QPKG_NAME";set_progress_fail;exit 1;else err_log "$SYS_MSG_FILE_ERROR";fi
+		$CMD_TAR xvf $SYS_QPKG_DATA_CONFIG_FILE -C / 2>/dev/null | $CMD_SED 's/\.//' 2>/dev/null >>$SYS_QPKG_DIR/.list || handle_extract_error
 	fi
 }
 
@@ -442,7 +459,7 @@ add_qpkg_config(){
 
 	$CMD_ECHO "$file" >>$SYS_QPKG_DIR/.list
 	$CMD_GETCFG "$QPKG_NAME" "cfg:$file" -f $SYS_QPKG_CONFIG_FILE >/dev/null || \
-		set_qpkg_config $file $md5sum
+	set_qpkg_config $file $md5sum
 }
 
 #################################################
@@ -482,15 +499,15 @@ check_qts_version(){
 
 	if [ ${MINI_VERSION} -gt ${NOW_VERSION} ]; then
 		if [ -x "/usr/local/sbin/notify" ]; then
-			/usr/local/sbin/notify send -A A039 -C C001 -M 40 -l error -t 3 "[{0}] {1} install failed du to the QTS firmware is not compatible, please upgrade QTS to {2} or newer version." "$PREFIX" "$QPKG_DISPLAY_NAME" "$QTS_MINI_VERSION"
+			/usr/local/sbin/notify send -A A039 -C C001 -M 40 -l error -t 3 "[{0}] {1} install failed due to the QTS firmware is not compatible, please upgrade QTS to {2} or newer version." "$PREFIX" "$QPKG_DISPLAY_NAME" "$QTS_MINI_VERSION"
 			set_progress_fail
 			exit 1
 		else
 			err_log "[$PREFIX] Failed to install $QPKG_DISPLAY_NAME. Upgrade QTS to $QTS_MINI_VERSION or a newer compatible version."
 		fi
 	elif [ ${MAX_VERSION} -lt ${NOW_VERSION} ]; then
 		if [ -x "/usr/local/sbin/notify" ]; then
-			/usr/local/sbin/notify send -A A039 -C C001 -M 41 -l error -t 3 "[{0}] {1} install failed du to the QTS firmware is not compatible, please downgrade QTS to {2} or newer version." "$PREFIX" "$QPKG_DISPLAY_NAME" "$QTS_MAX_VERSION"
+			/usr/local/sbin/notify send -A A039 -C C001 -M 41 -l error -t 3 "[{0}] {1} install failed due to the QTS firmware is not compatible, please downgrade QTS to {2} or newer version." "$PREFIX" "$QPKG_DISPLAY_NAME" "$QTS_MAX_VERSION"
 			set_progress_fail
 			exit 1
 		else
@@ -631,9 +648,7 @@ start_service(){
 }
 stop_service(){
 	if [ -x $SYS_INIT_DIR/$QPKG_SERVICE_PROGRAM ]; then
-		# Call old service program
-		#$SYS_INIT_DIR/$QPKG_SERVICE_PROGRAM stop
-		$SYS_INIT_DIR/$QPKG_SERVICE_PROGRAM stop upgrade
+		$SYS_INIT_DIR/$QPKG_SERVICE_PROGRAM stop
 		$CMD_SLEEP 5
 		$CMD_SYNC
 	fi
@@ -659,7 +674,7 @@ disable_qpkg(){
 }
 set_qpkg_name(){
 	[ -z "$QPKG_NAME" ] || set_qpkg_field $SYS_QPKG_CONF_FIELD_NAME "$QPKG_NAME"
-	[ -z "$QPKG_DISPLAY_NAME" ] || set_qpkg_field $SYS_QPKG_CONF_FIELD_DISPLAY_NAME "$QPKG_DISPLAY_NAME"
+   	[ -z "$QPKG_DISPLAY_NAME" ] || set_qpkg_field $SYS_QPKG_CONF_FIELD_DISPLAY_NAME "$QPKG_DISPLAY_NAME"
 }
 set_qpkg_version(){
 	[ -z "$QPKG_VER" ] || set_qpkg_field $SYS_QPKG_CONF_FIELD_VERSION "$QPKG_VER"
@@ -684,7 +699,7 @@ set_qpkg_service_path(){
 	if [ $QPKG_DISABLE_APPCENTER_UI_SERVICE -eq "1" ]; then
 		[ -z "$QPKG_SERVICE_PROGRAM" ] || set_qpkg_field "$SYS_QPKG_CONF_FIELD_SHELL_DISABLE_UI_NO_OFF" "$SYS_QPKG_DIR/$QPKG_SERVICE_PROGRAM"
 	else
-	[ -z "$QPKG_SERVICE_PROGRAM" ] || set_qpkg_field $SYS_QPKG_CONF_FIELD_SHELL "$SYS_QPKG_DIR/$QPKG_SERVICE_PROGRAM"
+		[ -z "$QPKG_SERVICE_PROGRAM" ] || set_qpkg_field $SYS_QPKG_CONF_FIELD_SHELL "$SYS_QPKG_DIR/$QPKG_SERVICE_PROGRAM"
 	fi
 }
 set_qpkg_service_port(){
@@ -1371,7 +1386,7 @@ main(){
 		SYS_QPKG_DATA_FILE=$SYS_QPKG_DATA_FILE_XZ
 	else
 		if [ -x "/usr/local/sbin/notify" ]; then
-			/usr/local/sbin/notify send -A A039 -C C001 -M 34 -l error -t 3 "[{0}] {1} install failed du to cannot find the data file." "$PREFIX" "$QPKG_DISPLAY_NAME"
+			/usr/local/sbin/notify send -A A039 -C C001 -M 34 -l error -t 3 "[{0}] {1} install failed due to cannot find the data file." "$PREFIX" "$QPKG_DISPLAY_NAME"
 			set_progress_fail
 			exit 1
 		else

diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,9 @@
+qdk2 (0.26) trusty; urgency=medium
+
+  * Some enhabcement and bug fix for code signing 
+
+ -- ED Hong <edhongcy@gmail.com>  Fri, 19 Apr 2019 10:55:00 +0800
+
 qdk2 (0.25) trusty; urgency=medium
 
   * Support Ubuntu bionic