OpenWRT (ucert) signature check during upgrade

Andrii Voloshyn a.voloshyn at
Fri Aug 7 08:47:57 EDT 2020

Hi there,

I'd like to use signature verification during sysupgrade, but at the moment I get an "Image check failed" message.
Similar to what guys mentioned here:
By digging around, I found out that:

fwtool -q -T -s /dev/null /tmp/sysupgrade.bin | ucert -V -m - -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys

This command fails with the following message: "cert_verify: cannot parse cert".
My assumption is that it is because of the signature of the upgrade file that we add at the end of the certificate while appending metadata to the upgrade file; see the line below (ucert -A -c "$@.ucert" -x "$@.sig").

define Build/append-metadata
	$(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
	[ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
		cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
		usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
		ucert -A -c "$@.ucert" -x "$@.sig" ;\
		fwtool -S "$@.ucert" "$@" ;\
	}
endef

Would (ucert -V -m) expect the appended upgrade image file signature in the certificate passed with -c?
Or has this functionality not been implemented yet?
In other words, how do I check the upgrade file signature prior to upgrade with the ucert tool?

