
openwrt-keyring: Only copy sign key for 21.02

Message ID 20210516132658.3129902-1-hauke@hauke-m.de
State Accepted
Delegated to: Hauke Mehrtens
Series openwrt-keyring: Only copy sign key for 21.02

Commit Message

Hauke Mehrtens May 16, 2021, 1:26 p.m. UTC
Instead of adding all public signature keys from the openwrt-keyring
repository only add the key which is used to sign the OpenWrt 21.02 feeds.

If one of the other keys were compromised, this would not affect
users of 21.02 release builds.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
---
 package/system/openwrt-keyring/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
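
As an added example (my code, not OpenWrt's, usign's or opkg's), here is a model of what installing a single key into `/etc/opkg/keys/` buys: the 8-byte key id carried in a usign/signify signature names the key file to load, so a signature made with any key that is not installed is refused before any curve arithmetic runs. Assumed here: the signify-compatible container usign writes (an `untrusted comment:` line, then base64 of `Ed`, the 8-byte key id and the key or signature bytes), that the key file name is the key id in hex, as in the hunk, and that lookup by key id is what `usign -V -P <dir>` does. Ed25519 is a compact RFC 8032-style reference implementation; the seeds, the key id `0011223344556677` and the feed index are constructed, and the key bytes filed under `2f8b0b98e08306bf` in this model are not OpenWrt's key.

```python
# Added example, not OpenWrt's code (see lead-in). The Ed25519 part follows
# RFC 8032's reference layout and is not constant-time: fine for a model,
# not for production. Key material and the feed index are constructed.
import base64
import hashlib

P, Q = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493
D, SQRT_M1 = -121665 * pow(121666, P - 2, P) % P, pow(2, (P - 1) // 4, P)

def _h(*parts):  # SHA-512 of the concatenation, as a little-endian integer
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def _add(a, b):  # point addition in extended coordinates (X, Y, Z, T)
    A, B = (a[1] - a[0]) * (b[1] - b[0]) % P, (a[1] + a[0]) * (b[1] + b[0]) % P
    C, Dd = 2 * a[3] * b[3] * D % P, 2 * a[2] * b[2] % P
    E, F, G, H = B - A, Dd - C, Dd + C, B + A
    return (E * F % P, G * H % P, F * G % P, E * H % P)

def _mul(s, pt):  # double-and-add scalar multiplication
    r = (0, 1, 1, 0)
    while s:
        if s & 1:
            r = _add(r, pt)
        pt, s = _add(pt, pt), s >> 1
    return r

def _compress(pt):  # y, with the low bit of x in the top bit, 32 bytes LE
    zi = pow(pt[2], P - 2, P)
    x, y = pt[0] * zi % P, pt[1] * zi % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def _decompress(b):  # inverse of _compress; None for an invalid encoding
    y = int.from_bytes(b, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if y >= P or (x * x - x2) % P or (x == 0 and sign):
        return None
    x = P - x if (x & 1) != sign else x
    return (x, y, 1, x * y % P)

_G = _decompress((4 * pow(5, P - 2, P) % P).to_bytes(32, "little"))  # base point

def _expand(seed):  # clamped secret scalar and nonce prefix from a 32-byte seed
    h = hashlib.sha512(seed).digest()
    return int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254), h[32:]

def ed25519_public(seed):
    return _compress(_mul(_expand(seed)[0], _G))

def ed25519_sign(seed, msg):
    a, prefix = _expand(seed)
    pub, r = _compress(_mul(a, _G)), _h(prefix, msg) % Q
    R = _compress(_mul(r, _G))
    return R + ((r + _h(R, pub, msg) % Q * a) % Q).to_bytes(32, "little")

def ed25519_verify(pub, msg, sig):
    A, R = _decompress(pub), _decompress(sig[:32])
    s = int.from_bytes(sig[32:], "little")
    if A is None or R is None or s >= Q:
        return False
    h = _h(sig[:32], pub, msg) % Q
    return _compress(_mul(s, _G)) == _compress(_add(R, _mul(h, A)))

def usign_encode(comment, keyid, payload):  # signify/usign container format
    body = base64.b64encode(b"Ed" + keyid + payload).decode()
    return "untrusted comment: %s\n%s\n" % (comment, body)

def usign_decode(text):  # -> (8-byte key id, public key or signature bytes)
    raw = base64.b64decode(text.split("\n")[1])
    if raw[:2] != b"Ed":
        raise ValueError("unsupported algorithm")
    return raw[2:10], raw[10:]

def verify_feed(keys, index, sigfile):
    # keys stands in for /etc/opkg/keys/ as {key id hex: key file text}; the
    # signature's key id picks the file, as `usign -V -P <dir>` does (assumption)
    keyid, sig = usign_decode(sigfile)
    if keyid.hex() not in keys:
        return "untrusted: no key %s installed" % keyid.hex()
    pk_id, pub = usign_decode(keys[keyid.hex()])
    if pk_id != keyid or len(pub) != 32 or len(sig) != 64:
        return "malformed key or signature file"
    return "ok" if ed25519_verify(pub, index, sig) else "bad signature"

def demo():
    # 2f8b0b98e08306bf is the file name the patch installs; the key bytes here are NOT OpenWrt's
    rel_seed, rel_id = b"\x01" * 32, bytes.fromhex("2f8b0b98e08306bf")
    oth_seed, oth_id = b"\x02" * 32, bytes.fromhex("0011223344556677")
    rel_key = usign_encode("21.02 release key", rel_id, ed25519_public(rel_seed))
    oth_key = usign_encode("personal key", oth_id, ed25519_public(oth_seed))
    before = {rel_id.hex(): rel_key, oth_id.hex(): oth_key}  # usign/*: every key
    after = {rel_id.hex(): rel_key}  # after the patch: only the 21.02 key
    index = b"Package: base-files\nVersion: 1\n"  # constructed feed index
    by_rel = usign_encode("sig", rel_id, ed25519_sign(rel_seed, index))
    by_oth = usign_encode("sig", oth_id, ed25519_sign(oth_seed, index))
    return {"release key, after": verify_feed(after, index, by_rel),
            "other key, before": verify_feed(before, index, by_oth),
            "other key, after": verify_feed(after, index, by_oth),
            "tampered, after": verify_feed(after, index + b"x", by_rel)}
```

`demo()` returns the four outcomes ok / ok / untrusted / bad signature: the same index signed with the personal key validates against the pre-patch key set (the `usign/*` glob) and is refused once only the 21.02 key is installed, which is the exposure the commit message is closing. Note that the refusal happens at the file lookup, so a compromised key that was never installed gives an attacker nothing to verify against, and a tampered index still fails on the curve check even with the right key present.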

Comments

Hauke Mehrtens May 16, 2021, 1:57 p.m. UTC | #1
On 5/16/21 3:26 PM, Hauke Mehrtens wrote:
> Instead of adding all public signature keys from the openwrt-keyring
> repository only add the key which is used to sign the OpenWrt 21.02 feeds.
> 
> If one of the other keys were compromised, this would not affect
> users of 21.02 release builds.
> 
> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
> ---
>   package/system/openwrt-keyring/Makefile | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/package/system/openwrt-keyring/Makefile b/package/system/openwrt-keyring/Makefile
> index 6f3aa65622..e3078074b9 100644
> --- a/package/system/openwrt-keyring/Makefile
> +++ b/package/system/openwrt-keyring/Makefile
> @@ -32,7 +32,8 @@ Build/Compile=
>   
>   define Package/openwrt-keyring/install
>   	$(INSTALL_DIR) $(1)/etc/opkg/keys/
> -	$(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/* $(1)/etc/opkg/keys/
> +	# Public usign key for 21.02 release builds
> +	$(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/2f8b0b98e08306bf $(1)/etc/opkg/keys/
>   endef
>   
>   $(eval $(call BuildPackage,openwrt-keyring))
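Review bot: PKG_RELEASE is not bumped in this patch: the diffstat shows a single two-line change to the install recipe, yet the package's installed contents change from the whole `usign/*` directory to the one file `2f8b0b98e08306bf`. Without a release bump a device already running the previous build of openwrt-keyring sees no newer version and keeps the extra keys, so the reduction in trusted keys never reaches upgraded systems; increment PKG_RELEASE in the same commit.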
> 

This patch is for the 21.02 release branch and the PKG_RELEASE should 
also get increased.

Hauke
Hauke Mehrtens May 17, 2021, 7:52 p.m. UTC | #2
On 5/17/21 8:10 PM, Paul Spooren wrote:
> 
> On 5/16/21 3:57 PM, Hauke Mehrtens wrote:
>> On 5/16/21 3:26 PM, Hauke Mehrtens wrote:
>>> Instead of adding all public signature keys from the openwrt-keyring
>>> repository only add the key which is used to sign the OpenWrt 21.02 
>>> feeds.
>>>
>>> If one of the other keys were compromised, this would not affect
>>> users of 21.02 release builds.
>>>
>>> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
>>> ---
> In my opinion this patch still lacks an *openwrt-next* key to allow a
> secure upgrade path between major releases.

We can also add this later in some service release.
Currently I wanted to remove all the personal keys from the trusted keys.

Hauke
Paul Spooren May 17, 2021, 10:42 p.m. UTC | #3
May 17, 2021 21:53:01 Hauke Mehrtens <hauke@hauke-m.de>:

> On 5/17/21 8:10 PM, Paul Spooren wrote:
>> On 5/16/21 3:57 PM, Hauke Mehrtens wrote:
>>> On 5/16/21 3:26 PM, Hauke Mehrtens wrote:
>>>> Instead of adding all public signature keys from the openwrt-keyring
>>>> repository only add the key which is used to sign the OpenWrt 21.02 
>>>> feeds.
>>>>
>>>> If one of the other keys were compromised, this would not affect
>>>> users of 21.02 release builds.
>>>>
>>>> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
>>>> ---

Acked-by: Paul Spooren <mail@aparcar.org>

>> In my opinion this patch still lacks an *openwrt-next* key to allow a
>> secure upgrade path between major releases.
>
> We can also add this later in some service release.
> Currently I wanted to remove all the personal keys from the trusted 
> keys.
>
> Hauke

Patch

diff --git a/package/system/openwrt-keyring/Makefile b/package/system/openwrt-keyring/Makefile
index 6f3aa65622..e3078074b9 100644
--- a/package/system/openwrt-keyring/Makefile
+++ b/package/system/openwrt-keyring/Makefile
@@ -32,7 +32,8 @@  Build/Compile=
 
 define Package/openwrt-keyring/install
 	$(INSTALL_DIR) $(1)/etc/opkg/keys/
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/* $(1)/etc/opkg/keys/
+	# Public usign key for 21.02 release builds
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/2f8b0b98e08306bf $(1)/etc/opkg/keys/
 endef
 
 $(eval $(call BuildPackage,openwrt-keyring))
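Review bot: After this hunk `/etc/opkg/keys/` holds exactly one key, `2f8b0b98e08306bf`, and neither the recipe comment nor the commit message says how a 21.02 device is meant to trust a later release's signing key; the thread raises the missing *openwrt-next* key and defers it to a service release. Record that deferral in the commit message, and have the recipe comment name the key's purpose and owner rather than only "21.02 release builds", so the single-key trust store reads as a deliberate decision and the file name can be checked against the intended key when the keyring is next updated.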