[PATCH] openwrt-keyring: Only copy sign key for snapshots

Hauke Mehrtens hauke at hauke-m.de
Fri May 14 14:31:27 PDT 2021


On 5/14/21 12:17 PM, Paul Spooren wrote:
> Hi,
> 
> On 5/13/21 1:32 AM, Hauke Mehrtens wrote:
>> Instead of adding all public signature keys from the openwrt-keyring
>> repository only add the key which is used to sign the master feeds.
>>
>> If one of the other keys would be compromised this would not affect
>> users of master snapshot builds.
>>
>> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
>> ---
> 
> Thanks for working on this.
> 
> I'm still in favor to include a *openwrt-next* key which becomes the 
> signing key for the next release. This way a upgrade step between 
> release branches is possible.

I would prefer to create it closer to the next release.

>> As far as I know the other keys are not compromised, this is just a
>> precaution.
>>
>> I would do similar changes to 21.02 and 19.07 to only add the key which
>> is used for this specific release.
> In case of 19.07 please add 21.02 release keys as well, since it's *the 

> next key*.

Yes, good idea.

>> Instead of adding just this single key, should we add all keys of
>> currently maintained releases like 19.07, 21.02 and master key into all
>> 3 branches?
> How about adding keys like that:
> 19.07: 19.07 + 21.02 keys
> 21.02: 21.02 + openwrt-next keys
> snapshot: snapshot key
> 
> The snapshot key stays the same "forever", it shouldn't be included in 
> releases.
> 
>> The signature verification of sysupgrade images is currently not used as
>> far as I know, so normal we do not need the keys for of other releases.
> 
> If the `ucert` package is installed and the env variable 
> `REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should 
> eventually become the default.

How reliable is this working?

Currently we do not ship ucert by default and this is needed to check 
the image signature.

> So ideally we already start shipping the correct keys before activating 

> the extra security measurements.
> 

Hauke
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x93DD20630910B515.asc
Type: application/pgp-keys
Size: 9895 bytes
Desc: OpenPGP public key
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20210514/60e0fb7b/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20210514/60e0fb7b/attachment-0001.sig>


More information about the openwrt-devel mailing list