[PATCH] openwrt-keyring: Only copy sign key for snapshots

Hauke Mehrtens hauke at hauke-m.de
Wed May 12 16:32:39 PDT 2021


Instead of adding all public signature keys from the openwrt-keyring
repository only add the key which is used to sign the master feeds.

If one of the other keys would be compromised this would not affect
users of master snapshot builds.

Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---

As far as I know the other keys are not compromised, this is just a 
precaution. 

I would do similar changes to 21.02 and 19.07 to only add the key which 
is used for this specific release.

Instead of adding just this single key, should we add all keys of 
currently maintained releases like 19.07, 21.02 and master key into all 
3 branches? 

The signature verification of sysupgrade images is currently not used as 
far as I know, so normally we do not need the keys of other releases.


 package/system/openwrt-keyring/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/system/openwrt-keyring/Makefile b/package/system/openwrt-keyring/Makefile
index 6f3aa65622d5..ceaccf1fc527 100644
--- a/package/system/openwrt-keyring/Makefile
+++ b/package/system/openwrt-keyring/Makefile
@@ -32,7 +32,8 @@ Build/Compile=
 
 define Package/openwrt-keyring/install
 	$(INSTALL_DIR) $(1)/etc/opkg/keys/
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/* $(1)/etc/opkg/keys/
+	# Public usign key for unattended snapshot builds
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/b5043e70f9a75cde $(1)/etc/opkg/keys/
 endef
 
 $(eval $(call BuildPackage,openwrt-keyring))
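Review bot: the added `$(INSTALL_DATA)` line hardcodes the key file name `b5043e70f9a75cde` in the install recipe, and the one-line comment above it is the only record of which key that is. Consider moving the ID into a variable near the top of the Makefile, with a comment naming the key, so the 21.02 and 19.07 variants mentioned in the cover note differ from this one in a single assignment and a reviewer can see at a glance which key each branch trusts. The diffstat also shows this is the only change to the Makefile, so the package release is not bumped even though the installed file set shrinks; it is worth checking whether a bump is wanted so that systems which already have the keyring installed pick up the reduced set instead of keeping every key under `/etc/opkg/keys/`.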
-- 
2.30.2



