From patchwork Wed May 12 23:32:39 2021
X-Patchwork-Submitter: Hauke Mehrtens
X-Patchwork-Id: 1477899
X-Patchwork-Delegate: hauke@hauke-m.de
From: Hauke Mehrtens
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH] openwrt-keyring: Only copy sign key for snapshots
Date: Thu, 13 May 2021 01:32:39 +0200
Message-Id: <20210512233239.866967-1-hauke@hauke-m.de>
Instead of adding all public signature keys from the openwrt-keyring repository, only add the key which is used to sign the master feeds. If one of the other keys were compromised, this would not affect users of master snapshot builds.

Signed-off-by: Hauke Mehrtens
---
As far as I know the other keys are not compromised; this is just a precaution.

I would do similar changes to 21.02 and 19.07 to only add the key which is used for this specific release.

Instead of adding just this single key, should we add all keys of the currently maintained releases (19.07, 21.02 and master) into all 3 branches? The signature verification of sysupgrade images is currently not used as far as I know, so normally we do not need the keys of other releases.

 package/system/openwrt-keyring/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/system/openwrt-keyring/Makefile b/package/system/openwrt-keyring/Makefile
index 6f3aa65622d5..ceaccf1fc527 100644
--- a/package/system/openwrt-keyring/Makefile +++ b/package/system/openwrt-keyring/Makefile @@ -32,7 +32,8 @@ Build/Compile= define Package/openwrt-keyring/install $(INSTALL_DIR) $(1)/etc/opkg/keys/ - $(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/* $(1)/etc/opkg/keys/ + # Public usign key for unattended snapshot builds + $(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/b5043e70f9a75cde $(1)/etc/opkg/keys/ endef $(eval $(call BuildPackage,openwrt-keyring))
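Review bot: the key id b5043e70f9a75cde is now a bare literal in the install recipe, so a key rotation or rename in the openwrt-keyring repository has to be mirrored here by hand; since the cover note says release branches will each want their own single key, consider pulling the id into a variable near the top of the Makefile (e.g. a list of key ids to install) so that master, 21.02 and 19.07 differ in one assignment rather than in the recipe body. The failure mode of the literal is at least the safe one: `$(INSTALL_DATA)` on a path that does not exist aborts the build instead of producing an image with an empty /etc/opkg/keys/. It would also help to state in the commit message that after this change a snapshot image can no longer verify feeds signed with the release keys, which the cover note argues is acceptable because sysupgrade image signature verification is not in use.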
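As an added example, not part of this patch or the openwrt-keyring project, a Python check in the spirit of the change: it parses the usign public keys installed under a keys directory, confirms each file is named by the key id it actually carries, and reports any key the image is not meant to trust, so a build or a running system can be audited for stray trust anchors. It assumes the usign public key layout (an "untrusted comment:" line followed by base64 of an "Ed" tag, an 8-byte key id and a 32-byte key); the directory, ids and key bodies in demo() are constructed, and a snapshot image would pass the id from the hunk, b5043e70f9a75cde, as the expected set.

```python
import base64
import binascii
import os
import tempfile

# A usign public key file is an "untrusted comment:" line followed by one
# base64 line that decodes to 42 bytes: "Ed" tag, 8-byte key id, 32-byte key.
USIGN_PUBKEY_LEN = 42

def usign_key_id(pubkey_text):
    """Return the hex key id embedded in a usign public key, or None if malformed."""
    lines = [l for l in pubkey_text.splitlines() if l.strip()]
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        return None
    try:
        raw = base64.b64decode(lines[1], validate=True)
    except binascii.Error:
        return None
    if len(raw) != USIGN_PUBKEY_LEN or raw[:2] != b"Ed":
        return None
    return raw[2:10].hex()

def audit_keydir(keydir, expected_ids):
    """Compare the keys under keydir (e.g. /etc/opkg/keys) with expected_ids.
    Returns (unexpected, mismatched, missing): files carrying an id the image
    should not trust, files not named by their own id, expected ids absent."""
    found, unexpected, mismatched = set(), [], []
    for name in sorted(os.listdir(keydir)):
        with open(os.path.join(keydir, name)) as f:
            kid = usign_key_id(f.read())
        if kid != name:          # renamed, corrupt or foreign key file
            mismatched.append(name)
        if kid not in expected_ids:
            unexpected.append(name)
        if kid:
            found.add(kid)
    return unexpected, mismatched, sorted(set(expected_ids) - found)

def demo():
    """Constructed key files (zero key bodies, made-up ids; not real OpenWrt keys)."""
    def pubkey(kid_hex):
        raw = b"Ed" + bytes.fromhex(kid_hex) + bytes(32)
        return "untrusted comment: constructed\n" + base64.b64encode(raw).decode() + "\n"
    d = tempfile.mkdtemp()
    want, stale, wrong = "0123456789abcdef", "fedcba9876543210", "1111111111111111"
    # want: the one key we install; stale: a leftover key; wrong: a renamed copy of want
    for name, body in ((want, want), (stale, stale), (wrong, want)):
        with open(os.path.join(d, name), "w") as f:
            f.write(pubkey(body))
    return audit_keydir(d, {want})
```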