From patchwork Sun May 16 13:26:58 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hauke Mehrtens
X-Patchwork-Id: 1479065
X-Patchwork-Delegate: hauke@hauke-m.de
From: Hauke Mehrtens
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH] openwrt-keyring: Only copy sign key for 21.02
Date: Sun, 16 May 2021 15:26:58 +0200
Message-Id: <20210516132658.3129902-1-hauke@hauke-m.de>
List-Id: OpenWrt Development List
Cc: Hauke Mehrtens

Instead of adding all public signature keys from the openwrt-keyring
repository only add the key which is used to sign the OpenWrt 21.02
feeds. If one of the other keys would be compromised this would not
affect users of 21.02 release builds.

Signed-off-by: Hauke Mehrtens
Acked-by: Paul Spooren
---
 package/system/openwrt-keyring/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/system/openwrt-keyring/Makefile b/package/system/openwrt-keyring/Makefile index 6f3aa65622..e3078074b9 100644 --- a/package/system/openwrt-keyring/Makefile +++ b/package/system/openwrt-keyring/Makefile @@ -32,7 +32,8 @@ Build/Compile= define Package/openwrt-keyring/install $(INSTALL_DIR) $(1)/etc/opkg/keys/ - $(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/* $(1)/etc/opkg/keys/ + # Public usign key for 21.02 release builds + $(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/2f8b0b98e08306bf $(1)/etc/opkg/keys/ endef $(eval $(call BuildPackage,openwrt-keyring))
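
Review bot: the key ID 2f8b0b98e08306bf is hardcoded as a bare file name inside the install recipe of Package/openwrt-keyring/install, and the only thing tying it to 21.02 is the comment above it. Consider defining it once near the top of the Makefile (for example, a variable holding the usign key ID for this release branch) and referencing that variable in the $(INSTALL_DATA) line, so that a branch change touches one obvious place and the recipe itself stays generic. Dropping the usign/* glob is the right direction: a key added to the keyring repository later no longer lands in /etc/opkg/keys/ automatically. The diff changes only this recipe, so if the Makefile carries a PKG_RELEASE it should be bumped, because the set of installed files changes.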