Re: [PATCH] openwrt-keyring: Only copy sign key for snapshots

Fri, 14 May 2021 03:23:41 -0700 

Hi,

On 5/13/21 1:32 AM, Hauke Mehrtens wrote:

Instead of adding all public signature keys from the openwrt-keyring
repository only add the key which is used to sign the master feeds.

If one of the other keys would be compromised this would not affect
users of master snapshot builds.

Signed-off-by: Hauke Mehrtens <[email protected]>
---


Thanks for working on this.
I'm still in favor to include a *openwrt-next* key which becomes the signing key for the next release. This way a upgrade step between release branches is possible. 


As far as I know the other keys are not compromised, this is just a
precaution.

I would do similar changes to 21.02 and 19.07 to only add the key which
is used for this specific release.
In case of 19.07 please add 21.02 release keys as well, since it's *the next key*. 
Instead of adding just this single key, should we add all keys of
currently maintained releases like 19.07, 21.02 and master key into all
3 branches?

How about adding keys like that:
19.07: 19.07 + 21.02 keys
21.02: 21.02 + openwrt-next keys
snapshot: snapshot key
The snapshot key stays the same "forever", it shouldn't be included in releases. 


The signature verification of sysupgrade images is currently not used as
far as I know, so normal we do not need the keys for of other releases.
If the `ucert` package is installed and the env variable `REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should eventually become the default.
So ideally we already start shipping the correct keys before activating the extra security measurements. 



  package/system/openwrt-keyring/Makefile | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/system/openwrt-keyring/Makefile 
b/package/system/openwrt-keyring/Makefile
index 6f3aa65622d5..ceaccf1fc527 100644
--- a/package/system/openwrt-keyring/Makefile
+++ b/package/system/openwrt-keyring/Makefile
@@ -32,7 +32,8 @@ Build/Compile=
define Package/openwrt-keyring/install 
        $(INSTALL_DIR) $(1)/etc/opkg/keys/
-       $(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/* $(1)/etc/opkg/keys/
+       # Public usign key for unattended snapshot builds
+       $(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/b5043e70f9a75cde 
$(1)/etc/opkg/keys/
  endef
$(eval $(call BuildPackage,openwrt-keyring)) 

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Reply via email to