oats_cfg: add option to ignore signatures

2 files changed, 9 insertions, 1 deletions

diff --git a/modules/oats_cfg/README b/modules/oats_cfg/README
index 50bc2ef..6a10b83 100644
--- a/modules/oats_cfg/README
+++ b/modules/oats_cfg/README
@@ -11,6 +11,11 @@ to override this behaviour, the school server will not be tried. Useful in
 deployments with good connectivity where antitheft is controlled in a central
 location (as opposed to the specific school).
 
+ignore_signature: by default, the OATS client will expect the server's response to be signed, and it will verify the signature. Set this to 1 to ignore all
+signatures (and also accept messages with no signature). Useful for
+deployments that have not implemented OLPC's security system, but still wish
+to take advantage of other OATS features.
+
 stream: the update stream - this is helpful when deploying different OS images
 that query the same update server.
 
@@ -18,5 +23,6 @@ Example configuration:
 [oats_cfg]
 server=my-oats-server.mydeployment.com
 ignore_xs=1
+ignore_signature=1
 stream=xo15hs
 
diff --git a/modules/oats_cfg/kspost.50.oats_cfg.sh b/modules/oats_cfg/kspost.50.oats_cfg.sh
index 32989d2..49bae4c 100644
--- a/modules/oats_cfg/kspost.50.oats_cfg.sh
+++ b/modules/oats_cfg/kspost.50.oats_cfg.sh
@@ -5,12 +5,15 @@
 
 server=$(read_config oats_cfg server)
 ignore_xs=$(read_config oats_cfg ignore_xs)
+ignore_sig=$(read_config oats_cfg ignore_signature)
 stream=$(read_config oats_cfg stream)
 
 if [ "$ignore_xs" = "1" ]; then
 	echo "touch /etc/oats-ignore-xs"
 fi
 
+[ "$ignore_sig" = "1" ] && echo "touch /etc/oats-ignore-signature"
+
 if [ -n "$server" ]; then
 	echo "echo '$server' > /etc/oats-server"
 fi
@@ -18,4 +21,3 @@ fi
 if [ -n "$stream" ]; then
 	echo "echo '$stream' > /etc/update-stream"
 fi
-