Apk UNTRUSTED signature errors when compiling latest snapshot

/openwrtbuilder/src/r4s/snapshot-src/staging_dir/host/bin/apk mkndx \
		--root /home/anonopenwrt/.local/bin/openwrtbuilder/src/r4s/snapshot-src \
		--keys-dir /home/anonopenwrt/.local/bin/openwrtbuilder/src/r4s/snapshot-src \
		--sign /home/anonopenwrt/.local/bin/openwrtbuilder/src/r4s/snapshot-src/private-key.pem \
		--output packages.adb \
		*.apk; \
)
ERROR: apk-mbedtls-3.0.0_pre20241108-r2.apk: UNTRUSTED signature
ERROR: base-files-1633~487ca61f91.apk: UNTRUSTED signature
ERROR: base-files-1633~77cfe8fd15.apk: UNTRUSTED signature
ERROR: base-files-1637~22664498eb.apk: UNTRUSTED signature
ERROR: base-files-1637~7e287b563a.apk: UNTRUSTED signature
ERROR: dropbear-2024.85-r1.apk: UNTRUSTED signature
ERROR: dropbearconvert-2024.85-r1.apk: UNTRUSTED signature
ERROR: iperf3-3.17.1-r3.apk: UNTRUSTED signature
ERROR: kernel-6.6.60~83585006f1fa7ee866e627843af17cfe-r1.apk: UNTRUSTED signature
ERROR: kernel-6.6.61~83585006f1fa7ee866e627843af17cfe-r1.apk: UNTRUSTED signature
ERROR: kmod-3c59x-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-6lowpan-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-8139cp-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-8139too-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-9pnet-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-ac97-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-ag71xx-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-alx-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-aoe-6.6.60-r1.apk: UNTRUSTED signature
ERROR: kmod-arptables-6.6.60-r1.apk: UNTRUSTED signature
**snip**
ERROR: luci-theme-bootstrap-24.320.57985~1a4b6ad.apk: UNTRUSTED signature
ERROR: luci-theme-bootstrap-24.322.80622~a403707.apk: UNTRUSTED signature
ERROR: luci-theme-bootstrap-24.324.44605~b9496f2.apk: UNTRUSTED signature
ERROR: odhcp6c-2023.05.12~bcd28363-r20.apk: UNTRUSTED signature
ERROR: 955 errors, not creating index
make[2]: *** [package/Makefile:70: package/merge-index] Error 99

Should I add --allow-untrusted to that build command or is there an issue with the key provided in the repo?

Are you really compiling from sources? (Or just using imagebuilder that uses buildbot .apks?)

If you are compiling from sources, a private build key should have been generated automatically into your buildroot.
And .apks compiled by you would be signed with that, and they would be later trusted as your key gets into the firmware image, too. The official OpenWrt key used by the buildbot should also be automatically in the image.

It is also strange/wrong that there would be two different kernel versions visible at the same time. Especially that there would be the same hash although the version itself has changed.

Somehow this looks like a semi-stale .APK repo and/or build system, where you see both new and old versions at the same time.

If you look at the discussions of (one of) the recent pull requests, there's an open issue with (source-) package cleanup during the build process (_ vs - as version delimiter). intel-microcode is also a package prone to falling over this.

Yes, it's from source, here's my diffconfig:

CONFIG_TARGET_rockchip=y
CONFIG_TARGET_rockchip_armv8=y
CONFIG_TARGET_rockchip_armv8_DEVICE_friendlyarm_nanopi-r4s=y
CONFIG_ALL_KMODS=y
CONFIG_ALL_NONSHARED=y
CONFIG_DEVEL=y
CONFIG_AUTOREMOVE=y
CONFIG_BINARY_FOLDER="/home/anonopenwrt/.local/bin/openwrtbuilder/bin/r4s/snapshot"
CONFIG_BPF_TOOLCHAIN_BUILD_LLVM=y
# CONFIG_BPF_TOOLCHAIN_NONE is not set
CONFIG_BTRFS_PROGS_ZSTD=y
CONFIG_COLLECT_KERNEL_DEBUG=y
CONFIG_HAS_BPF_TOOLCHAIN=y
CONFIG_HTOP_LMSENSORS=y
CONFIG_JSON_CYCLONEDX_SBOM=y
CONFIG_KERNEL_BUILD_DOMAIN="buildhost"
CONFIG_KERNEL_BUILD_USER="builder"
CONFIG_LIBCURL_COOKIES=y
CONFIG_LIBCURL_FILE=y
CONFIG_LIBCURL_FTP=y
CONFIG_LIBCURL_HTTP=y
CONFIG_LIBCURL_MBEDTLS=y
CONFIG_LIBCURL_NGHTTP2=y
CONFIG_LIBCURL_NO_SMB="!"
CONFIG_LIBCURL_PROXY=y
CONFIG_LIBCURL_UNIX_SOCKETS=y
CONFIG_PACKAGE_TAR_BZIP2=y
CONFIG_PACKAGE_TAR_GZIP=y
CONFIG_PACKAGE_TAR_POSIX_ACL=y
CONFIG_PACKAGE_TAR_XATTR=y
CONFIG_PACKAGE_TAR_XZ=y
CONFIG_PACKAGE_TAR_ZSTD=y
CONFIG_PACKAGE_block-mount=y
CONFIG_PACKAGE_btrfs-progs=y
CONFIG_PACKAGE_bzip2=y
CONFIG_PACKAGE_cgi-io=y
CONFIG_PACKAGE_collectd=y
CONFIG_PACKAGE_collectd-mod-conntrack=y
CONFIG_PACKAGE_collectd-mod-cpu=y
CONFIG_PACKAGE_collectd-mod-df=y
CONFIG_PACKAGE_collectd-mod-interface=y
CONFIG_PACKAGE_collectd-mod-iwinfo=y
CONFIG_PACKAGE_collectd-mod-load=y
CONFIG_PACKAGE_collectd-mod-memory=y
CONFIG_PACKAGE_collectd-mod-network=y
CONFIG_PACKAGE_collectd-mod-rrdtool=y
CONFIG_PACKAGE_collectd-mod-sensors=y
CONFIG_PACKAGE_collectd-mod-thermal=y
CONFIG_PACKAGE_curl=y
CONFIG_PACKAGE_ddns-scripts=y
CONFIG_PACKAGE_ddns-scripts-services=y
CONFIG_PACKAGE_diffutils=y
CONFIG_PACKAGE_ethtool=y
CONFIG_PACKAGE_htop=y
CONFIG_PACKAGE_ip-tiny=y
CONFIG_PACKAGE_iperf3=y
CONFIG_PACKAGE_iptables-mod-ipopt=y
CONFIG_PACKAGE_iptables-nft=y
CONFIG_PACKAGE_irqbalance=y
CONFIG_PACKAGE_kmod-crypto-blake2b=y
CONFIG_PACKAGE_kmod-crypto-kpp=y
CONFIG_PACKAGE_kmod-crypto-lib-chacha20=y
CONFIG_PACKAGE_kmod-crypto-lib-chacha20poly1305=y
CONFIG_PACKAGE_kmod-crypto-lib-curve25519=y
CONFIG_PACKAGE_kmod-crypto-lib-poly1305=y
CONFIG_PACKAGE_kmod-crypto-xxhash=y
CONFIG_PACKAGE_kmod-fs-btrfs=y
CONFIG_PACKAGE_kmod-ifb=y
CONFIG_PACKAGE_kmod-ipt-core=y
CONFIG_PACKAGE_kmod-ipt-ipopt=y
CONFIG_PACKAGE_kmod-lib-raid6=y
CONFIG_PACKAGE_kmod-lib-xor=y
CONFIG_PACKAGE_kmod-lib-xxhash=y
CONFIG_PACKAGE_kmod-lib-zlib-deflate=y
CONFIG_PACKAGE_kmod-lib-zlib-inflate=y
CONFIG_PACKAGE_kmod-lib-zstd=y
CONFIG_PACKAGE_kmod-nf-ipt=y
CONFIG_PACKAGE_kmod-nft-compat=y
CONFIG_PACKAGE_kmod-nls-base=y
CONFIG_PACKAGE_kmod-sched-cake=y
CONFIG_PACKAGE_kmod-sched-core=y
CONFIG_PACKAGE_kmod-scsi-core=y
CONFIG_PACKAGE_kmod-udptunnel4=y
CONFIG_PACKAGE_kmod-udptunnel6=y
CONFIG_PACKAGE_kmod-usb-core=y
CONFIG_PACKAGE_kmod-usb-storage=y
CONFIG_PACKAGE_kmod-usb-storage-uas=y
CONFIG_PACKAGE_kmod-wireguard=y
CONFIG_PACKAGE_libacl=y
CONFIG_PACKAGE_libatomic=y
CONFIG_PACKAGE_libattr=y
CONFIG_PACKAGE_libbpf=m
CONFIG_PACKAGE_libbz2=y
CONFIG_PACKAGE_libcap=y
CONFIG_PACKAGE_libcurl=y
CONFIG_PACKAGE_libelf=m
CONFIG_PACKAGE_libevdev=y
CONFIG_PACKAGE_libiperf3=y
CONFIG_PACKAGE_libiptext=y
CONFIG_PACKAGE_libiptext-nft=y
CONFIG_PACKAGE_libiptext6=y
CONFIG_PACKAGE_libiwinfo=y
CONFIG_PACKAGE_libiwinfo-data=y
CONFIG_PACKAGE_libltdl=y
CONFIG_PACKAGE_liblucihttp=y
CONFIG_PACKAGE_liblucihttp-ucode=y
CONFIG_PACKAGE_liblzma=y
CONFIG_PACKAGE_liblzo=y
CONFIG_PACKAGE_libmount=y
CONFIG_PACKAGE_libncurses=y
CONFIG_PACKAGE_libnghttp2=y
CONFIG_PACKAGE_libpcap=m
CONFIG_PACKAGE_libpcre2=y
CONFIG_PACKAGE_libpopt=y
CONFIG_PACKAGE_librrd1=y
CONFIG_PACKAGE_libsensors=y
CONFIG_PACKAGE_libsysfs=y
CONFIG_PACKAGE_libudev-zero=y
CONFIG_PACKAGE_libusb-1.0=y
CONFIG_PACKAGE_libxdp=m
CONFIG_PACKAGE_libxtables=y
CONFIG_PACKAGE_libzstd=y
CONFIG_PACKAGE_lm-sensors=y
CONFIG_PACKAGE_luci=y
CONFIG_PACKAGE_luci-app-ddns=y
CONFIG_PACKAGE_luci-app-firewall=y
CONFIG_PACKAGE_luci-app-package-manager=y
CONFIG_PACKAGE_luci-app-sqm=y
CONFIG_PACKAGE_luci-app-statistics=y
CONFIG_PACKAGE_luci-base=y
CONFIG_PACKAGE_luci-lib-uqr=y
CONFIG_PACKAGE_luci-light=y
CONFIG_PACKAGE_luci-mod-admin-full=y
CONFIG_PACKAGE_luci-mod-network=y
CONFIG_PACKAGE_luci-mod-status=y
CONFIG_PACKAGE_luci-mod-system=y
CONFIG_PACKAGE_luci-proto-ipv6=y
CONFIG_PACKAGE_luci-proto-ppp=y
CONFIG_PACKAGE_luci-proto-wireguard=y
CONFIG_PACKAGE_luci-ssl=y
CONFIG_PACKAGE_luci-theme-bootstrap=y
CONFIG_PACKAGE_nano=y
CONFIG_PACKAGE_openssh-sftp-server=y
CONFIG_PACKAGE_px5g-mbedtls=y
CONFIG_PACKAGE_qosify=m
CONFIG_PACKAGE_resolveip=y
CONFIG_PACKAGE_rpcd=y
CONFIG_PACKAGE_rpcd-mod-file=y
CONFIG_PACKAGE_rpcd-mod-iwinfo=y
CONFIG_PACKAGE_rpcd-mod-luci=y
CONFIG_PACKAGE_rpcd-mod-rrdns=y
CONFIG_PACKAGE_rpcd-mod-ucode=y
CONFIG_PACKAGE_rrdtool1=y
CONFIG_PACKAGE_rsync=y
CONFIG_PACKAGE_smcroute=y
CONFIG_PACKAGE_sqm-scripts=y
CONFIG_PACKAGE_sysfsutils=y
CONFIG_PACKAGE_tar=y
CONFIG_PACKAGE_tc-tiny=y
CONFIG_PACKAGE_terminfo=y
CONFIG_PACKAGE_ucode-mod-html=y
CONFIG_PACKAGE_ucode-mod-math=y
CONFIG_PACKAGE_uhttpd=y
CONFIG_PACKAGE_uhttpd-mod-ubus=y
CONFIG_PACKAGE_usbids=y
CONFIG_PACKAGE_usbutils=y
CONFIG_PACKAGE_wireguard-tools=y
CONFIG_PACKAGE_xdp-filter=m
CONFIG_PACKAGE_xdp-loader=m
CONFIG_PACKAGE_xdpdump=m
CONFIG_PACKAGE_xtables-nft=y
CONFIG_PACKAGE_xz=y
CONFIG_PACKAGE_xz-utils=y
CONFIG_PACKAGE_zsh=y
CONFIG_REPRODUCIBLE_DEBUG_INFO=y
CONFIG_RSYNC_acl=y
CONFIG_RSYNC_xattr=y
CONFIG_TARGET_KERNEL_PARTSIZE=32
CONFIG_TARGET_ROOTFS_PARTSIZE=512
# CONFIG_TARGET_ROOTFS_SQUASHFS is not set
CONFIG_USE_LLVM_BUILD=y
CONFIG_ZSTD_OPTIMIZE_O3=y

The key is there in my build root, so I don't know what the issue is.

After searching for the variable name which contains the path to the auto-generated private key, I can't seem to locate the code where the private key is generated. If you have a better understanding of the build process and can point me to that code, I'd appreciate it.

I'm trying to understand how I can inject my own pre-generated RSA key to be used for signing anything built from sources and the SDK, so I wouldn't have to sign individual packages later.

Thanks!

I guess it would be this makefile

And the location is defined at

Thank you, that helped tremendously, the keys generated with the same openssl options seem to work fine when copied before running make.

Oh, sorry, one more question: can you help me understand where I need to place a public key for the out-of-tree signed packages I want to add to the Image Builder?

Sorry, no real idea about imagebuilder, but the same code search in github might help you with that.

The issue resolved itself yesterday and now my builds are completing again.
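
Added example, not part of the thread and not OpenWrt's build code: a check that the public half of the key passed to --sign is actually present in the directory passed as --keys-dir, which is worth running before copying a pre-generated key into the build root. It assumes trusted public keys are PEM files in that directory; the demo file names and the throwaway EC keys are constructed for illustration, and any key type `openssl pkey` can read is handled the same way.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the trusted public keys
# are PEM files inside the directory passed as --keys-dir.

# Print the path of the *.pem file in directory $2 that holds the public
# half of private key $1. Returns 1 if none matches, 2 if $1 is unreadable.
find_trusted_pub() {
    # Re-encoding through openssl normalises the PEM, so a plain string
    # comparison is enough; an empty result means the key could not be read.
    want=$(openssl pkey -in "$1" -pubout 2>/dev/null) || want=
    [ -n "$want" ] || { echo "cannot read private key: $1" >&2; return 2; }
    for f in "$2"/*.pem; do
        [ -f "$f" ] || continue
        # Only files that are PEM public keys count; the private key itself
        # may sit in the same directory and must not be taken as a match.
        grep -q 'BEGIN PUBLIC KEY' "$f" || continue
        have=$(openssl pkey -pubin -in "$f" -pubout 2>/dev/null) || have=
        if [ -n "$have" ] && [ "$have" = "$want" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Constructed sample data: a throwaway key pair written to directory $1 as
# $2-private.pem / $2-public.pem (hypothetical file names).
make_demo_keypair() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2-private.pem" &&
    openssl pkey -in "$1/$2-private.pem" -pubout -out "$1/$2-public.pem"
}

demo() {
    d=$(mktemp -d) && mkdir "$d/keys" || return 1
    make_demo_keypair "$d" old && make_demo_keypair "$d" new || return 1
    cp "$d/new-public.pem" "$d/keys/"          # only the new key is trusted
    for k in old new; do
        if m=$(find_trusted_pub "$d/$k-private.pem" "$d/keys"); then
            echo "$k key: public half found in $m"
        else
            echo "$k key: NOT in keys dir, its signatures would be untrusted"
        fi
    done
    rm -rf "$d"
}

# With two arguments, check a real key; with none, run the constructed demo.
if [ "$#" -eq 2 ]; then find_trusted_pub "$1" "$2"; else demo; fi
```

Called with the two paths from the failing command (the --sign file and the --keys-dir directory), exit status 1 means the directory holds no public key for the signing key.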