[RFC] Release signing
Jo-Philipp Wich
jo at mein.io
Sun Jun 5 08:00:40 EDT 2016
Hi,
I am currently looking into factoring GPG signing into our build process.
For the OpenWrt 15.05.1 release we signed the release manually by adding
detached GnuPG signatures to the "md5sums", the "sha256sums" and the
per-repository "Packages" files.
This technically works to provide a chain of trust for firmware files
(pgp protects sha256sums protects firmware file) but makes actual
verification cumbersome as a user has to download three different files
and do some scripting or manual inspection of check sums in order to
judge the integrity of a download.
The current verification process (as applicable to OpenWrt 15.05.1) is
documented here:
https://www.lede-project.org/signing.html#verify_download_integrity
As you can see this is a rather involved process which does not exactly
make the topic of signature verification easily approachable.
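As an added illustration of the chain described above (a detached GnuPG signature covers the sha256sums list, and that list covers the individual image), here is a small verifier written for this page rather than taken from OpenWrt or the build system. It assumes the hash list uses the usual `sha256sum` output format (`<hex digest>  <filename>`), that a `gpg` binary is on PATH, and that the release key has already been imported into the keyring named by the caller; the sample contents in `run_demo()` are constructed, not real release data.

```python
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile


def parse_sha256sums(text):
    """Parse 'sha256sums'-style text into {filename: hex_digest}.

    Accepts both "<digest>  <name>" and the binary-mode "<digest> *<name>" form
    produced by sha256sum; rejects anything that is not a 64-char hex digest.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed digest line: %r" % line)
        if not name:
            raise ValueError("missing filename on line: %r" % line)
        sums[name] = digest
    return sums


def sha256_of_file(path):
    """Stream the file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(data, name, sums):
    """Second link of the chain: does this blob match the entry the signed list has for it?

    A name that is absent from the list is reported as a failure, because a file
    the signed list never mentions is not covered by the signature at all.
    """
    if name not in sums:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), sums[name])


def file_matches(path, sums):
    return digest_matches(open(path, "rb").read(), os.path.basename(path), sums)


def gpg_verify(sums_path, sig_path, keyring=None):
    """First link of the chain: check the detached signature over the hash list.

    Uses gpg's machine-readable --status-fd output and requires a VALIDSIG line,
    not just exit status 0, so a warning-only run is not mistaken for success.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg binary not found on PATH")
    cmd = [gpg, "--batch", "--status-fd", "1"]
    if keyring:  # e.g. a keyring holding only the release key (assumed caller-supplied path)
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_path, sums_path]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.returncode == 0 and "[GNUPG:] VALIDSIG" in result.stdout


def verify_download(firmware_path, sums_path, sig_path, keyring=None):
    """Full chain: signature over sha256sums, then sha256sums over the image."""
    if not gpg_verify(sums_path, sig_path, keyring):
        return False
    with open(sums_path) as f:
        sums = parse_sha256sums(f.read())
    return file_matches(firmware_path, sums)


# Constructed sample: SHA-256("abc") is the well-known test vector.
SAMPLE_SUMS = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  good.bin\n"
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *binary.bin\n"
)


def run_demo():
    """Exercise the hash-list half of the chain on constructed files (no gpg needed)."""
    sums = parse_sha256sums(SAMPLE_SUMS)
    d = tempfile.mkdtemp()
    good = os.path.join(d, "good.bin")
    bad = os.path.join(d, "binary.bin")
    unlisted = os.path.join(d, "unlisted.bin")
    open(good, "wb").write(b"abc")
    open(bad, "wb").write(b"abd")   # one byte tampered
    open(unlisted, "wb").write(b"abc")
    return {
        "good": file_matches(good, sums),
        "tampered": file_matches(bad, sums),
        "unlisted": file_matches(unlisted, sums),
    }


if __name__ == "__main__":
    print(run_demo())
```

The two links are kept as separate functions on purpose: a user who only runs `sha256sum -c` has checked integrity against an unsigned list, and a user who only runs `gpg --verify` has checked the list but not the image. Both steps must pass before a download is considered authentic.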
So before I work on implementing any form of GPG signing in the build
system I'd like to know your opinion on it.
Shall we continue signing the check sums only or shall we make one
detached signature per firmware file?
~ Jo