config: add build config option to sign each .apk package

Add a build config option to sign each individual .apk package.

If individual .apk files are signed with the build key, they can be
installed with 'apk add' without '--allow-untrusted' to a firmware
compiled by the same buildhost.

Enable the option by default, but disable it for BUILDBOT.

(At the moment, since commit 084697e, only the package index is signed,
which forces users to use '--allow-untrusted' when installing
self-built .apk files.)

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

config/Config-build.in

@@ -73,6 +73,16 @@ menu "Global build settings"
 		bool "Use APK instead of OPKG to build distribution"
 		default y
 
+	config SIGN_EACH_PACKAGE
+		bool "Cryptographically sign each package .apk file"
+		depends on USE_APK
+		default n if BUILDBOT
+		default y
+		help
+		  Sign also the individual package .apk file. Removes the need for
+		  --allow-untrusted when installing self-compiled packages to a
+		  firmware compiled by the same buildhost as public key matches.
+
 	comment "General build options"
 
 	config TESTING_KERNEL

include/package-pack.mk

@@ -605,6 +605,7 @@ else
 	  $$(APK_SCRIPTS_$(1)) \
 	  --info "depends:$$(foreach depends,$$(subst $$(comma),$$(space),$$(subst $$(space),,$$(subst $$(paren_right),,$$(subst $$(paren_left),,$$(Package/$(1)/DEPENDS))))),$$(depends))" \
 	  --files "$$(IDIR_$(1))" \
+	  $(if $(CONFIG_SIGN_EACH_PACKAGE),--sign $(BUILD_KEY_APK_SEC),) \
 	  --output "$$(PACK_$(1))"
 endif