Hi all,

To improve the security of the router sysupgrade process, it's sane to check
firmware images for signatures of trusted parties. While this should
always be optional (aka no vendor locking), it helps *basic* users to
easily verify that they are installing the image they intended.

It is already supported via ucert[0], but it is neither installed by default
nor really activatable by users. An improvement is made with this[1]
pull request, adding a UCI option and installing ucert by default (+176
bytes).

Eventually all targets should support metadata and therefore signatures
within the metadata; once there, the image verification could be turned
on by default?

Please share your opinion!

Best,
Paul

[0]: https://git.openwrt.org/?p=project/ucert.git;a=summary
[1]: https://github.com/openwrt/openwrt/pull/1992



_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
