On Fri, Aug 07, 2020 at 03:47:57PM +0300, Andrii Voloshyn wrote:
> Hi there,
>
> I'd like to use signature verification during sysupgrade, but at the moment I
> get "Image check failed" message.
> Similar to what guys mentioned here:
> https://forum.openwrt.org/t/possible-bug-in-ucert/57704
> By digging around, I found out that:
>
> fwtool -q -T -s /dev/null /tmp/sysupgrade.bin | ucert -V -m - -c
> "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
>
> command fails, with the following message "cert_verify: cannot parse cert".
> My assumption is that it is because of a signature of the upgrade file that
> we add at the end of the certificate, while appending metadata to the upgrade
> file. line below (ucert -A -c "[email protected]" -x "[email protected]")
>
> define Build/append-metadata
> 	$(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
> 	[ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
> 		cp "$(BUILD_KEY).ucert" "[email protected]" ;\
> 		usign -S -m "$@" -s "$(BUILD_KEY)" -x "[email protected]" ;\
> 		ucert -A -c "[email protected]" -x "[email protected]" ;\
> 		fwtool -S "[email protected]" "$@" ;\
> 	}
> endef
>
> Would (ucert -V -m) expect appended upgrade image file signature in the
> certificate passed with -c?
> Or this functionality has not been implemented yet?
> In other words how to check upgrade file signature prior to upgrade with
> ucert tool?
Yes, this is exactly how it is supposed to work. There has been a bug caused by libubox security improvements which made ucert always fail to parse certificates; it should have been fixed by

commit 96c42c5ed3207b8ad1ce836a4426c8700c13b655
Author: Matthias Schiffer <[email protected]>
Date:   Sat May 16 22:29:24 2020 +0200

    Fix length checks in cert_load()

Please verify manually if ucert can parse the certificate, i.e. extract it into a file /tmp/sysupgrade.ucert using fwtool, then install ucert-full and use `ucert -D -c /tmp/sysupgrade.ucert` and see what happens.

Cheers

Daniel

>
> Cheers,
> Andrew
>

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
