Thanks for clarifying.
How can a user add a usign EdDSA ed25519 key for e.g. a self-hosted package
set?
https://openwrt.org/docs/guide-user/security/release_signatures links to
https://openwrt.org/docs/guide-user/security/keygen which describes how to
generate release signing keys with GPG and us
Hi Wes,
> It's definitely an issue that the sha256 checksum check was broken.
> But, can someone explain why a person who is MITM'ing ipk downloads
> would change the package and not the checksum?
the repository index files containing the SHA256 checksums are signed using
usign, which is a deriva
Saw this post and thought I'd forward it along here.
https://news.ycombinator.com/item?id=22208557
"""
It's definitely an issue that the sha256 checksum check was broken.
But, can someone explain why a person who is MITM'ing ipk downloads
would change the package and not the checksum?
Are there GP