Fwd: keyring package diet

Paul Spooren mail at aparcar.org
Thu Mar 18 21:40:28 GMT 2021


Hi, a little forward as discussed.

Hauke suggested to (re)move user keys or the whole keyring-package.

My suggestion would be to ship with two keys for now, a release key for 
21.02 and a "next key", which later becomes 21.08 (hah!)

This would allow a secure upgrade path between releases, as `sysupgrade` 
already supports signature checks.

Ideally more people start playing around (and donating for an audit of) 
ucert so we have a slim certificate system.

Each buildbot worker could have its own local signing key, and the 
private versions of the on-device stored keys are kept somewhere offline.

Best,
Paul

---------- Forwarded message ----------
 From: Paul Spooren <mail at aparcar.org>
Subject: keyring package diet
Date: 2021-03-17T14:32:48-1000
To: contact at openwrt.org

Hi all,

the package `openwrt-keyring` is installed on every device to provide the 
public signing keys for the opkg package manager and to verify sysupgrades.

The package script installs *all* keys found in keyring.git/usign/ on 
the device, meaning 8 keys of individual developers plus release keys 
from 21.02 to 17.01.

While I find it useful to have a Git repository containing the latest keys 
of developers, I don't see the point of installing them all. No team 
member signs public packages or images with their personal usign key, 
and due to ABI changes it'll be hard to install many packages from 
17.01 on a 21.02 device.

Aren't the following potential security issues?
* Shipping "old" EOL keys in our latest releases?
* Shipping opkg keys of individuals without any need for that?

I'd suggest we change the package to only contain the release keys of the 
actually installed release and update the branches whenever a new release 
appears. Updating the opkg-keyring package with newer releases allows 
signature checks for sysupgrades (which are signed with newer release keys).

Best,
Paul
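The selection policy proposed in the forwarded mail (ship only the release key of the installed release plus the "next" key, drop personal developer keys and keys of end-of-life releases), worked through as an added example. This is not code from OpenWrt, the keyring repository or the mail's author. It assumes the usign public key file layout (an "untrusted comment:" line followed by the base64 of a 2-byte algorithm id "Ed", an 8-byte fingerprint and a 32-byte Ed25519 key), that key files are named after the hex fingerprint as in /etc/opkg/keys/, and, as a further assumption not stated in the mail, that a release key's comment names its release (e.g. "OpenWrt 21.02 release key"). The sample keyring below is constructed with fake key material and is not the real keyring.git contents.

```python
"""Select which usign public keys a keyring package should ship.

Added example, not OpenWrt or keyring.git code. Assumed (not stated in the
mail): one file per key, named after the key's 16-hex-digit fingerprint, and
a comment line that names the release a key signs for. Real comments in
keyring.git may differ; adapt release_of() if so.
"""
import base64
import re

USIGN_ALG = b"Ed"   # algorithm id at the start of every usign/signify key blob
FP_LEN = 8          # fingerprint bytes; its hex form is the key id opkg uses
PK_LEN = 32         # Ed25519 public key bytes


def parse_usign_pubkey(text):
    """Parse a usign public key file into (comment, key_id, pubkey_bytes)."""
    lines = text.strip().splitlines()
    if len(lines) != 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("not a usign public key file")
    comment = lines[0][len("untrusted comment: "):]
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != len(USIGN_ALG) + FP_LEN + PK_LEN or raw[:2] != USIGN_ALG:
        raise ValueError("unexpected key blob length or algorithm")
    key_id = raw[2:2 + FP_LEN].hex()
    return comment, key_id, raw[2 + FP_LEN:]


def load_keyring(files):
    """files: {filename: contents}. Returns {key_id: comment}.

    Refuses a file whose name differs from the embedded fingerprint: opkg
    looks keys up by file name, so such a key would either never be found
    or be installed under an id that belongs to a different key.
    """
    keys = {}
    for name, text in files.items():
        comment, key_id, _ = parse_usign_pubkey(text)
        if name != key_id:
            raise ValueError(f"{name}: embedded fingerprint is {key_id}")
        keys[key_id] = comment
    return keys


# Assumed comment convention: "<something> NN.MM release <something>".
RELEASE_RE = re.compile(r"\b(\d{2}\.\d{2})\b.*\brelease\b", re.IGNORECASE)


def release_of(comment):
    """Release a key comment claims to sign for, or None for personal keys."""
    m = RELEASE_RE.search(comment)
    return m.group(1) if m else None


def select_keys(keys, installed, next_release=None):
    """Keep only the installed release's key and, if given, the next one.

    Personal developer keys (no release in the comment) and keys of other,
    typically end-of-life, releases are dropped, as the mail proposes.
    """
    wanted = {installed, next_release} - {None}
    return sorted(k for k, c in keys.items() if release_of(c) in wanted)


def _sample_key(comment, key_id, fill):
    """Construct a syntactically valid key file with fake key material."""
    raw = USIGN_ALG + bytes.fromhex(key_id) + bytes([fill]) * PK_LEN
    return f"untrusted comment: {comment}\n{base64.b64encode(raw).decode()}\n"


# Constructed sample keyring (fake keys, not the real OpenWrt keyring).
SAMPLE_KEYRING = {
    "1111111111111111": _sample_key("OpenWrt 17.01 release key", "1111111111111111", 1),
    "2222222222222222": _sample_key("OpenWrt 19.07 release key", "2222222222222222", 2),
    "3333333333333333": _sample_key("OpenWrt 21.02 release key", "3333333333333333", 3),
    "4444444444444444": _sample_key("OpenWrt 21.08 release key (next)", "4444444444444444", 4),
    "5555555555555555": _sample_key("example developer personal key", "5555555555555555", 5),
}


if __name__ == "__main__":
    keyring = load_keyring(SAMPLE_KEYRING)
    # A 21.02 image would ship only the 21.02 and the "next" (21.08) key.
    print(select_keys(keyring, "21.02", "21.08"))
```

Run against a checkout of the keyring's usign/ directory, `files` would be built from the directory listing; the fingerprint-versus-filename check is the part worth keeping even if the comment convention turns out to differ, since a mismatched file is a key that opkg can never correctly select.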

More information about the openwrt-adm mailing list