[Cerowrt-devel] signed packages

Dave Taht dave.taht at gmail.com
Fri Dec 13 18:34:49 EST 2013


so whilst we sort out what broke in the last couple builds (and please
don't install them on anything you care about!) I'd wanted to mention
something that has been in place for a while. Stephen walker did the
original work ages ago, and the ohgf folk picked it up and tested it
and helped get it into the openwrt mainline recently (Evan hunt,
steven barth, others)

Package signing has been a feature that has helped make the mainline
linux distros much more secure and it much safer to do things like
mirror package databases and yet avoid malign updates.

Now, I'm not terribly clear on how it all works in openwrt, but it can
be enabled at least, now, with adding the following lines to
/etc/opkg.conf

option check_signature 1
option signature_ca_file /etc/ssl/certs/opkg.pem

root at CMTS:/# opkg update
Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.24-1/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/vancouver.
Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.24-1/packages/Packages.sig.
Signature check passed.

Package signing does not save you from versioning errors, however.

# opkg update
Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.17-6/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/vancouver.
Downloading http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.10.17-6/packages/Packages.sig.
Signature check passed.

But it should make it more possible to be assured that the package you
are adding or updating was indeed from the maintainer or vendor making
the product. There is support for multiple signing keys and multiple
repositories.

Future versions of cero will be signed.

-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html



More information about the Cerowrt-devel mailing list