Hi there, I'd like to use signature verification during sysupgrade, but at the moment I get "Image check failed" message. Similar to what guys mentioned here: https://forum.openwrt.org/t/possible-bug-in-ucert/57704 By digging around, I found out that:
fwtool -q -T -s /dev/null /tmp/sysupgrade.bin | ucert -V -m - -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys command fails, with the following message "cert_verify: cannot parse cert". My assumption is that it is because of a signature of the upgrade file that we add at the end of the certificate, while appending metadata to the upgrade file. line below (ucert -A -c "[email protected]" -x "[email protected]") define Build/append-metadata >---$(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) >| fwtool -I - $@) >---[ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \ >--->---cp "$(BUILD_KEY).ucert" "[email protected]" ;\ >--->---usign -S -m "$@" -s "$(BUILD_KEY)" -x "[email protected]" ;\ >--->---ucert -A -c "[email protected]" -x "[email protected]" ;\ >--->---fwtool -S "[email protected]" "$@" ;\ >---} endef Would (ucert -V -m) expect appended upgrade image file signature in the certificate passed with -c? Or this functionality has not been implemented yet? In other words how to check upgtade file signature prior to upgrade with ucert tool? Cheers, Andrew _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
