[PATCH] openwrt-keyring: Only copy sign key for snapshots
Paul Spooren
mail at aparcar.org
Fri May 14 03:17:43 PDT 2021
Hi,
On 5/13/21 1:32 AM, Hauke Mehrtens wrote:
> Instead of adding all public signature keys from the openwrt-keyring
> repository only add the key which is used to sign the master feeds.
>
> If one of the other keys would be compromised this would not affect
> users of master snapshot builds.
>
> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
> ---
Thanks for working on this.
I'm still in favor to include a *openwrt-next* key which becomes the
signing key for the next release. This way a upgrade step between
release branches is possible.
> As far as I know the other keys are not compromised, this is just a
> precaution.
>
> I would do similar changes to 21.02 and 19.07 to only add the key which
> is used for this specific release.
In case of 19.07 please add 21.02 release keys as well, since it's *the
next key*.
> Instead of adding just this single key, should we add all keys of
> currently maintained releases like 19.07, 21.02 and master key into all
> 3 branches?
How about adding keys like that:
19.07: 19.07 + 21.02 keys
21.02: 21.02 + openwrt-next keys
snapshot: snapshot key
The snapshot key stays the same "forever", it shouldn't be included in
releases.
> The signature verification of sysupgrade images is currently not used as
> far as I know, so normal we do not need the keys for of other releases.
If the `ucert` package is installed and the env variable
`REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should
eventually become the default.
So ideally we already start shipping the correct keys before activating
the extra security measurements.
>
> package/system/openwrt-keyring/Makefile | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/package/system/openwrt-keyring/Makefile b/package/system/openwrt-keyring/Makefile
> index 6f3aa65622d5..ceaccf1fc527 100644
> --- a/package/system/openwrt-keyring/Makefile
> +++ b/package/system/openwrt-keyring/Makefile
> @@ -32,7 +32,8 @@ Build/Compile=
>
> define Package/openwrt-keyring/install
> $(INSTALL_DIR) $(1)/etc/opkg/keys/
> - $(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/* $(1)/etc/opkg/keys/
> + # Public usign key for unattended snapshot builds
> + $(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/b5043e70f9a75cde $(1)/etc/opkg/keys/
> endef
>
> $(eval $(call BuildPackage,openwrt-keyring))
More information about the openwrt-devel
mailing list