[PATCH] openwrt-keyring: Only copy sign key for snapshots

Paul Spooren mail at aparcar.org
Fri May 14 03:17:43 PDT 2021


On 5/13/21 1:32 AM, Hauke Mehrtens wrote:
> Instead of adding all public signature keys from the openwrt-keyring
> repository only add the key which is used to sign the master feeds.
> If one of the other keys would be compromised this would not affect
> users of master snapshot builds.
> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
> ---

Thanks for working on this.

I'm still in favor to include a *openwrt-next* key which becomes the 
signing key for the next release. This way a upgrade step between 
release branches is possible.

> As far as I know the other keys are not compromised, this is just a
> precaution.
> I would do similar changes to 21.02 and 19.07 to only add the key which
> is used for this specific release.
In case of 19.07 please add 21.02 release keys as well, since it's *the 
next key*.
> Instead of adding just this single key, should we add all keys of
> currently maintained releases like 19.07, 21.02 and master key into all
> 3 branches?
How about adding keys like that:
19.07: 19.07 + 21.02 keys
21.02: 21.02 + openwrt-next keys
snapshot: snapshot key

The snapshot key stays the same "forever", it shouldn't be included in 

> The signature verification of sysupgrade images is currently not used as
> far as I know, so normal we do not need the keys for of other releases.

If the `ucert` package is installed and the env variable 
`REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should 
eventually become the default.

So ideally we already start shipping the correct keys before activating 
the extra security measurements.

>   package/system/openwrt-keyring/Makefile | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> diff --git a/package/system/openwrt-keyring/Makefile b/package/system/openwrt-keyring/Makefile
> index 6f3aa65622d5..ceaccf1fc527 100644
> --- a/package/system/openwrt-keyring/Makefile
> +++ b/package/system/openwrt-keyring/Makefile
> @@ -32,7 +32,8 @@ Build/Compile=
>   define Package/openwrt-keyring/install
>   	$(INSTALL_DIR) $(1)/etc/opkg/keys/
> -	$(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/* $(1)/etc/opkg/keys/
> +	# Public usign key for unattended snapshot builds
> +	$(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/b5043e70f9a75cde $(1)/etc/opkg/keys/
>   endef
>   $(eval $(call BuildPackage,openwrt-keyring))

More information about the openwrt-devel mailing list