stale key-build.ucert files

Bjørn Mork bjorn at mork.no
Tue Sep 8 15:38:55 EDT 2020


A few weeks ago I started getting

 chain_verify: certificate expired
 Image check failed.

from sysupgrade.  And just forced it since I "knew" the image was
fine...

But then again today I got the same message and started looking into
it.  Google had little to offer, so this was obviously just me.  Looking
at my local build dir, I noticed that all the key-build* files were
more than a year old.  Including the key-build.ucert.  And sure enough,
dumping it showed:


ucert -D -c key-build.ucert 
=== CHAIN ELEMENT 01 ===
signature:
---
untrusted comment: signed by key 99db1e0996685023
RWSZ2x4JlmhQI/wQ9kXSjLGUtynHUksgRpvz9ES/dCGwjlXWMtqNvTvrAx+foN1grKbNNf4iPhYUW0Ym1xeSQ+b7bF4Be6qsRQ0=
---
payload:
---
"ucert": {
        "certtype": 1,
        "validfrom": 1564991013,
        "expiresat": 1596527013,
        "pubkey": "untrusted comment: Local build key\nRWSZ2x4JlmhQI527QU7Q03p7YVx11VN8LFkVGJz/SQEHdyped/+0yjUs\n"
}
---


So this expired on Aug 4th.  But why was it still there and used in
my recent builds? Well, it is generated by the configure step of
base-files, but only if the file doesn't already exist:

From package/base-files/Makefile:
..
  define Build/Configure
        [ -s $(BUILD_KEY) -a -s $(BUILD_KEY).pub ] || \
                $(STAGING_DIR_HOST)/bin/usign -G -s $(BUILD_KEY) -p $(BUILD_KEY).pub -c "Local build key"

        [ -s $(BUILD_KEY).ucert ] || \
                $(STAGING_DIR_HOST)/bin/ucert -I -c $(BUILD_KEY).ucert -p $(BUILD_KEY).pub -s $(BUILD_KEY)

  endef


AFAICS, there isn't anything ever cleaning or recreating this file if it
exists.  I guess the rule should not just check for existence, but also
the expiry date of an existing certificate.

I would have prepared a patch here if I only knew what the policy was
supposed to be.  Simply checking for an expired certificate obviously
isn't enough.  The image should be installable tomorrow as well.  But
what about next year?  Why not?

Exactly how are these dates supposed to be used?  Does it really make
sense that a valid image signed by a key in /etc/opkg/keys expires on
disk and starts failing validation?  I am really not sure about that.



Bjørn
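As an added example (not part of Bjørn's mail and not OpenWrt's own Makefile code), here is a shell check that reads the `ucert -D -c` dump, pulls out `validfrom` and `expiresat`, and tests them against a point in time; this is the kind of test the Build/Configure rule could run instead of only `-s`. The sample dump is constructed from the timestamps in the mail with placeholder key material, and `ucert_file_valid` assumes a `ucert` binary on PATH.

```shell
#!/bin/sh
# Constructed sample: the shape of a `ucert -D -c key-build.ucert` dump,
# with the mail's timestamps and PLACEHOLDER strings instead of key data.
SAMPLE_DUMP='=== CHAIN ELEMENT 01 ===
signature:
---
untrusted comment: signed by key PLACEHOLDER_KEYID
PLACEHOLDER_SIGNATURE
---
payload:
---
"ucert": {
        "certtype": 1,
        "validfrom": 1564991013,
        "expiresat": 1596527013,
        "pubkey": "untrusted comment: Local build key\nPLACEHOLDER_PUBKEY\n"
}
---'

# Print the numeric value of a payload field ("validfrom" or "expiresat").
# $1 = dump text, $2 = field name.  Prints nothing if the field is absent.
ucert_field() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\([0-9][0-9]*\).*/\1/p" \
        | head -n 1
}

# Exit 0 if the certificate is within its validity window at the given
# epoch time, 1 if it is expired or not yet valid, 2 if the dump is unparseable.
# $1 = dump text, $2 = epoch seconds (defaults to now).
ucert_valid_at() {
    _now=${2:-$(date +%s)}
    _from=$(ucert_field "$1" validfrom)
    _until=$(ucert_field "$1" expiresat)
    [ -n "$_from" ] && [ -n "$_until" ] || return 2
    # The sample's window is 1596527013-1564991013 = 31536000 s, i.e. one year.
    [ "$_now" -ge "$_from" ] && [ "$_now" -lt "$_until" ]
}

# Wrapper for a real file: assumes `ucert` is on PATH (not run here).
# Usage in a build rule: ucert_file_valid key-build.ucert || regenerate it.
ucert_file_valid() {
    ucert_valid_at "$(ucert -D -c "$1")" "$2"
}
```

Note that a clock far enough into the window still leaves the image unverifiable once `expiresat` passes, which is the policy question the mail raises; the check above only makes the expiry visible at build time.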



More information about the openwrt-devel mailing list