[RFC] Release signing

Jo-Philipp Wich jo at mein.io
Sun Jun 5 08:00:40 EDT 2016


Hi,

I am currently looking into factoring GPG signing into our build process.

For the OpenWrt 15.05.1 release we signed the release manually by adding
detached GnuPG signatures to the "md5sums", the "sha256sums" and the
per-repository "Packages" files.

This technically works to provide a chain of trust for firmware files
(pgp protects sha256sums protects firmware file) but makes actual
verification cumbersome as a user has to download three different files
and do some scripting or manual inspection of check sums in order to
judge the integrity of a download.

The current verification process (as applicable to OpenWrt 15.05.1) is
documented here:

  https://www.lede-project.org/signing.html#verify_download_integrity

As you can see this is a rather involved process which does not exactly
make the topic of signature verification easily approachable.

So before I work on implementing any form of GPG signing in the build
system I'd like to know your opinion on it.

Shall we continue signing the check sums only or shall we make one
detached signature per firmware file?


~ Jo
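The verification chain the mail describes (GnuPG signature protects sha256sums, sha256sums protects the firmware file), written out as an added shell example; this is not part of the original mail nor of the OpenWrt/LEDE build or release tooling. It assumes the detached signature sits next to the checksum file as "sha256sums.asc" (the mail does not name the signature file) and that the release signing key has already been imported into the local gpg keyring; the checksum step itself needs only sha256sum and awk.

```shell
#!/bin/sh
# Added example (not from the original mail): verify one firmware download
# through the chain "GnuPG signature -> sha256sums -> firmware file".
# Assumptions: the detached signature is named "sha256sums.asc" and the
# release signing key is already present in the local keyring.
set -e

# Step 1: the detached signature authenticates the sha256sums file.
# gpg exits non-zero if the signature is bad or the signing key is unknown.
verify_signature() {
    sums="$1"            # path to the sha256sums file
    sig="${2:-$1.asc}"   # path to the detached signature (name is an assumption)
    gpg --verify "$sig" "$sums"
}

# Step 2: the (now trusted) sha256sums file vouches for the firmware image.
# Prints the expected hex digest for the given file name; prints nothing if
# the file is not listed. Lines look like "<hex>  <name>" or "<hex> *<name>".
expected_sum() {
    sums="$1"
    name="$2"
    awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums"
}

# Computes the SHA-256 digest of a local file.
actual_sum() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Compares expected and actual digest.
# Returns 0 on match, 1 on mismatch or when the file has no entry at all.
check_sum() {
    sums="$1"
    file="$2"
    want=$(expected_sum "$sums" "$(basename "$file")")
    if [ -z "$want" ]; then
        echo "no entry for $(basename "$file") in $sums" >&2
        return 1
    fi
    have=$(actual_sum "$file")
    if [ "$want" = "$have" ]; then
        echo "OK: $file matches sha256sums"
        return 0
    fi
    echo "MISMATCH: $file does not match sha256sums" >&2
    return 1
}

# Whole chain: the signature check must pass before the checksum means
# anything, and only when both succeed is the firmware considered authentic.
verify_firmware() {
    sums="$1"
    firmware="$2"
    verify_signature "$sums" && check_sum "$sums" "$firmware"
}
```

Usage: `verify_firmware ./sha256sums ./openwrt-15.05.1-ar71xx-generic-squashfs-sysupgrade.bin` (file names illustrative). A missing entry is treated as a failure rather than a pass, so a checksum file that simply omits the image cannot be used to wave it through.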
