Paul Spooren <m...@aparcar.org> writes:

> On 5/13/21 1:32 AM, Hauke Mehrtens wrote:
>> The signature verification of sysupgrade images is currently not used as
>> far as I know, so normally we do not need the keys of other releases.
>
> If the `ucert` package is installed and the env variable
> `REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should
> eventually become the default.
>
> So ideally we already start shipping the correct keys before
> activating the extra security measurements.

I wonder if I have understood the current signing scheme correctly:

- create an expiring certificate signed by the private signing key
- sign image with private signing key and append both certificate and signature
- validate image signature using certificate
- validate certificate using public signing key

If this is correct, then I don't think it will fly. The problem is the
expiration of the redundant certificate. This means that the image has an
absolute expiration date. You don't want that.

You might have expiring keys. But the images, including their signatures,
should last forever. Or as long as the key is considered valid.

I also have a small issue with the creation of the certificate for home
builders, but that's a minor problem and rather simple to fix. However, it
just hides the underlying problem by moving the image expiration date from
the past to up to a year in the future. It just highlighted the certificate
issue when I started building invalid images because the included
certificate was older than a year, and already expired by the time it was
appended to the image.

Bjørn

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
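To make the expiration problem concrete, here is a toy model of the four-step scheme as Bjørn lays it out (expiring certificate over the signing key, signed by that key; image signed by the same key; image checked through the certificate; certificate checked against the trusted public key). This is an added example, not OpenWrt's ucert/usign code or on-disk format; the certificate encoding, the function names and the fixed key seed are assumptions. It verifies one image at build time and again two years later, reproduces the home-builder case of a certificate that was already expired when it was appended, and contrasts both with a keyring check in which the verifier's trust in the key, not a date carried in every image, decides validity.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Toy model of the scheme in the mail; not ucert/usign code or format
// (names, certificate encoding and the key seed are assumptions).
// cert binds the signing key's public half to a validity window and is signed
// with the same private signing key; sig covers tbs().
type cert struct {
	pub                 ed25519.PublicKey
	notBefore, notAfter time.Time
	sig                 []byte
}

// tbs is the to-be-signed encoding: pubkey || notBefore || notAfter (unix, big-endian).
func (c cert) tbs() []byte {
	b := make([]byte, len(c.pub)+16)
	copy(b, c.pub)
	binary.BigEndian.PutUint64(b[len(c.pub):], uint64(c.notBefore.Unix()))
	binary.BigEndian.PutUint64(b[len(c.pub)+8:], uint64(c.notAfter.Unix()))
	return b
}

func newCert(priv ed25519.PrivateKey, from time.Time, lifetime time.Duration) cert {
	c := cert{pub: priv.Public().(ed25519.PublicKey), notBefore: from, notAfter: from.Add(lifetime)}
	c.sig = ed25519.Sign(priv, c.tbs())
	return c
}

// signedImage is an image with the certificate and image signature appended.
type signedImage struct {
	image, sig []byte
	cert       cert
}

// signImage never looks at the certificate's validity window, which is how an
// already expired certificate ends up appended to a freshly built image.
func signImage(priv ed25519.PrivateKey, image []byte, c cert) signedImage {
	return signedImage{image: image, cert: c, sig: ed25519.Sign(priv, image)}
}

var (
	errImageSig  = errors.New("image signature does not verify against certificate key")
	errCertSig   = errors.New("certificate does not verify against trusted signing key")
	errCertTime  = errors.New("certificate not valid at verification time")
	errUntrusted = errors.New("signing key not in keyring")
)

// verifyWithCert is the scheme as described: image signature via the certificate,
// certificate via the trusted key, validity window via the verifier's clock.
// The clock check is what gives every image an absolute expiry date.
func verifyWithCert(trusted ed25519.PublicKey, s signedImage, now time.Time) error {
	if !ed25519.Verify(s.cert.pub, s.image, s.sig) {
		return errImageSig
	}
	if !ed25519.Verify(trusted, s.cert.tbs(), s.cert.sig) {
		return errCertSig
	}
	if now.Before(s.cert.notBefore) || now.After(s.cert.notAfter) {
		return errCertTime
	}
	return nil
}

// verifyWithKeyring has the property the mail asks for: no clock, the image
// verifies for as long as the verifier's keyring still trusts the key.
func verifyWithKeyring(keyring map[string]bool, s signedImage) error {
	if !keyring[string(s.cert.pub)] {
		return errUntrusted
	}
	if !ed25519.Verify(s.cert.pub, s.image, s.sig) {
		return errImageSig
	}
	return nil
}

type results struct{ FreshAtBuild, FreshLater, StaleAtBuild, Tampered, KeyringLater error }

func scenario() results {
	// Fixed 32-byte seed so runs are reproducible (constructed, not a real key).
	priv := ed25519.NewKeyFromSeed([]byte("0123456789abcdef0123456789abcdef"))
	trusted := priv.Public().(ed25519.PublicKey)
	build := time.Date(2021, 5, 13, 0, 0, 0, 0, time.UTC)
	year := 365 * 24 * time.Hour
	image := []byte("constructed sysupgrade image payload")
	fresh := signImage(priv, image, newCert(priv, build, year))
	stale := signImage(priv, image, newCert(priv, build.Add(-400*24*time.Hour), year))
	tampered := fresh
	tampered.image = append([]byte("X"), image[1:]...)
	return results{
		FreshAtBuild: verifyWithCert(trusted, fresh, build),
		FreshLater:   verifyWithCert(trusted, fresh, build.Add(2*year)),
		StaleAtBuild: verifyWithCert(trusted, stale, build),
		Tampered:     verifyWithCert(trusted, tampered, build),
		KeyringLater: verifyWithKeyring(map[string]bool{string(trusted): true}, fresh),
	}
}

func main() { fmt.Printf("%+v\n", scenario()) }
```

Running it prints one line per case: the fresh image passes at build time and fails two years later with the certificate-time error, the stale certificate fails on the day it is appended, the altered image fails the signature check, and the keyring variant still passes because nothing in it consults a clock. Revoking or retiring a key in that model is an edit to the keyring on the verifying device, not a date that every shipped image has to outlive.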