[PATCH] openwrt-keyring: Only copy sign key for snapshots

Bjørn Mork bjorn at mork.no
Fri May 14 04:38:22 PDT 2021

Paul Spooren <mail at aparcar.org> writes:
> On 5/13/21 1:32 AM, Hauke Mehrtens wrote:

>> The signature verification of sysupgrade images is currently not used as
>> far as I know, so normal we do not need the keys for of other releases.
> If the `ucert` package is installed and the env variable
> `REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should 
> eventually become the default.
> So ideally we already start shipping the correct keys before
> activating the extra security measurements.

I wonder if I have understood the current signing scheme correctly:

- create an expiring certificate signed by the private signing key
- sign image with private signing key and append both certificate and signature
- validate image signature using certificate
- validate ceritificate using public signing key

If this is correct, then I don't think it will fly.  The problem is the
expiration of the redundant certificate.  This means that the image has
an absolute expiration date. You don't want that.  You might have
expiring keys.  But the images, including their signatures, should last
forever.  Or as long as the key is considered valid.

I also have a small issue with the creation of the certificate for home
builders, but that's a minor problem and rather simple to fix. However,
it just hides the underlying problem by moving the image expiration date
from the past to up to a year in the future.  It just highlighted the
certificate issue when I started building invalid images because the
included certificate was older than a year, and already expired by the
time it was appended to the image


More information about the openwrt-devel mailing list