OpenWRT (ucert) signature check during upgrade
Andrii Voloshyn
a.voloshyn at d.mobilunity.com
Fri Aug 7 08:47:57 EDT 2020
Hi there,
I'd like to use signature verification during sysupgrade, but at the moment I get "Image check failed" message.
Similar to what guys mentioned here: https://forum.openwrt.org/t/possible-bug-in-ucert/57704
By digging around, I found out that:
fwtool -q -T -s /dev/null /tmp/sysupgrade.bin | ucert -V -m - -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
command fails, with the following message "cert_verify: cannot parse cert".
My assumption is that it is because of a signature of the upgrade file that we add at the end of the certificate, while appending metadata to the upgrade file. line below (ucert -A -c "$@.ucert" -x "$@.sig")
define Build/append-metadata
>---$(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
>---[ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
>--->---cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
>--->---usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
>--->---ucert -A -c "$@.ucert" -x "$@.sig" ;\
>--->---fwtool -S "$@.ucert" "$@" ;\
>---}
endef
Would (ucert -V -m) expect appended upgrade image file signature in the certificate passed with -c?
Or this functionality has not been implemented yet?
In other words how to check upgtade file signature prior to upgrade with ucert tool?
Cheers,
Andrew
More information about the openwrt-devel
mailing list