On 5/14/21 12:17 PM, Paul Spooren wrote:
Hi,

On 5/13/21 1:32 AM, Hauke Mehrtens wrote:
Instead of adding all public signature keys from the openwrt-keyring
repository only add the key which is used to sign the master feeds.

If one of the other keys would be compromised this would not affect
users of master snapshot builds.

Signed-off-by: Hauke Mehrtens <ha...@hauke-m.de>
---

Thanks for working on this.

I'm still in favor of including an *openwrt-next* key which becomes the signing key for the next release. This way an upgrade step between release branches is possible.

I would prefer to create it closer to the next release.

As far as I know the other keys are not compromised, this is just a
precaution.

I would do similar changes to 21.02 and 19.07 to only add the key which
is used for this specific release.
In case of 19.07 please add 21.02 release keys as well, since it's *the next key*.

Yes, good idea.

Instead of adding just this single key, should we add all keys of
currently maintained releases like 19.07, 21.02 and master key into all
3 branches?
How about adding keys like that:
19.07: 19.07 + 21.02 keys
21.02: 21.02 + openwrt-next keys
snapshot: snapshot key

The snapshot key stays the same "forever", it shouldn't be included in releases.

The signature verification of sysupgrade images is currently not used as
far as I know, so normally we do not need the keys of other releases.

If the `ucert` package is installed and the env variable `REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should eventually become the default.

How reliably is this working?

Currently we do not ship ucert by default and this is needed to check the image signature.

So ideally we already start shipping the correct keys before activating
the extra security measurements.


Hauke
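The gating Paul and Hauke describe above (the check only happens when `ucert` is installed, and `REQUIRE_IMAGE_SIGNATURE` decides whether a missing verifier or signature is fatal), as an added shell example that is not OpenWrt's own sysupgrade code. It assumes the ucert certificate for an image is stored beside it as `<image>.ucert` and that the trust store is a directory of usign public keys defaulting to /etc/opkg/keys; the real sysupgrade strips the image's metadata trailer with fwtool before handing it to ucert, which this example does not do. The security-relevant part is the fail-open path: with `REQUIRE_IMAGE_SIGNATURE` unset, a device without `ucert` or an image without a signature is accepted without any check, which is why the right keys need to be on devices before the variable becomes the default.

```sh
#!/bin/sh
# Added example, not OpenWrt's own sysupgrade code. Models the policy from the
# thread: the image signature is only checked when ucert is installed, and
# REQUIRE_IMAGE_SIGNATURE=1 turns a missing verifier or signature into a hard
# failure instead of a silent skip.
# Assumptions not taken from the thread: the ucert certificate chain for an
# image is stored next to it as "<image>.ucert", and the trust store is a
# directory of usign public keys (default /etc/opkg/keys).

verify_sysupgrade_image() {
    image="$1"
    keydir="${2:-/etc/opkg/keys}"
    cert="${3:-$image.ucert}"
    required="${REQUIRE_IMAGE_SIGNATURE:-0}"

    [ -f "$image" ] || { echo "image not found: $image" >&2; return 1; }

    # No verifier on the device. Fail closed only when signatures are
    # required; otherwise the check is skipped, which is the current default.
    if ! command -v ucert >/dev/null 2>&1; then
        if [ "$required" = 1 ]; then
            echo "ucert not installed, refusing unverified image" >&2
            return 1
        fi
        echo "ucert not installed, skipping signature check" >&2
        return 0
    fi

    # Verifier present but the image carries no certificate: same policy.
    if [ ! -f "$cert" ]; then
        if [ "$required" = 1 ]; then
            echo "no signature found for $image" >&2
            return 1
        fi
        echo "no signature found for $image, skipping signature check" >&2
        return 0
    fi

    # ucert -V checks the certificate chain against the public keys in $keydir
    # and, with -m, the signature over the image file. Only keys present in
    # $keydir can vouch for an image, so a branch that ships just its own key
    # (plus the "next" key) accepts only images signed by those keys.
    ucert -V -m "$image" -c "$cert" -P "$keydir"
}

# Example invocation (enforcing mode):
#   REQUIRE_IMAGE_SIGNATURE=1 verify_sysupgrade_image /tmp/sysupgrade.bin
```

The function returns ucert's own exit status when a verification actually runs, and 1 when the check is required but cannot be performed; without `REQUIRE_IMAGE_SIGNATURE=1` both skip paths return 0, so the only thing standing between a device and an unsigned image is that variable.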

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
