[OpenWrt-Devel] RFC: check signatures of sysupgrades via ucert
mail at aparcar.org
Tue Apr 23 18:02:49 EDT 2019
To improve security of the router sysupgrade process, it's sane to check
firmware images for signatures of trusted parties. While this should
always be optional (aka no vendor locking), it helps *basic* users to
easily verify that they are installing the image they intended.

It is already supported via ucert, but neither installed by default
nor really activatable by users. An improvement is done with this
pull request, adding a UCI option and installing ucert by default (+176

Eventually all targets should support metadata and therefore signatures
within the metadata. Once there, the image verification could be turned
on by default?

Please share your opinion!