Apk UNTRUSTED signature errors with packages compiled with SDK

orangepizza · April 26, 2026, 1:07pm

Trying to use SDK and package it output doesn't look like signed with key files it generated. Even after I added that key into /etc/apk/key it still says untrusted signature when apk in client try to verify

hnyman · April 26, 2026, 1:33pm

Your build key in the build host is in the buildroot root dir where you run the commands, and in the router the public key should be in /etc/apk/keys ( not in 'key' like in your message).

OpenWrt SNAPSHOT, r34136-8ef7b4ee4b
 -----------------------------------------------------
 16:26:35 up 46 min,  load average: 0.00, 0.00, 0.00
root@router5:~# ls /etc/apk
arch            keys            repositories.d  world
root@router5:~# ls /etc/apk/keys/
openwrt-snapshots.pem  public-key.pem

Individual packages compiled by the full toolchain should be now signed by default in master, but not in 25.12. commit enabling that was

github.com/openwrt/openwrt

config: add build config option to sign each .apk package

committed 10:08AM - 02 Mar 26 UTC

hnyman

+11 -0

Add a build config option to sign each individual .apk package. If individual .…apk files are signed with the build key, they can be installed with 'apk add' without '--allow-untrusted' to a firmware compiled by the same buildhost. Enable the option by default, but disable it for BUILDBOT. (At the moment, since commit 084697e, only the package index is signed, which forces users to use '--allow-untrusted' when installing self-built .apk files.) Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

From PR https://github.com/openwrt/openwrt/pull/22221

But I have not tried with SDK to see if that logic gets used there.

orangepizza · April 26, 2026, 2:07pm

I just ran snapshow x86 sdk to test, (I was 25.12 sdk for backport) it don't have sign each .apk option in menuconfig, although searching that flag it menuconfig did find it at Config-build.in:597 but don't expose it. (default disabled)

hnyman · April 26, 2026, 2:49pm

Hmmm... Then it will likely need to be separately added to SDK for usage there. The option (from my commit) defaults to "y" if not building in buildbot, where it defaults to "n". But as the SDK is compiled by the buildbot, the option possibly gets "n" set as the default for SDK, too.

You might manually edit the Config-build.in in the SDK root, until the option gets somehow properly enabled for the SDK.
Just change the default on line 819 to y.

    817 config SIGN_EACH_PACKAGE
    818         bool
    819         default n
    820

hnyman · April 26, 2026, 3:05pm

Possible solution for the SDK build process might be:

Exclude the option from the collected defaults embedded in to SDK Config-build.in
Default to 'y' and expose it in the SDK config menu. (not sure if that USE_APK works ok)

--- a/target/sdk/convert-config.pl
+++ b/target/sdk/convert-config.pl
@@ -8,6 +8,7 @@ while (<>) {
 	my $type;
 	chomp;
 	next if /^CONFIG_SIGNED_PACKAGES/;
+	next if /^CONFIG_SIGN_EACH_PACKAGE/;
 
 	if (/^CONFIG_((BINARY)|(DOWNLOAD))_FOLDER=(.*)$/) {
 		# We don't want to preserve the build setting of
diff --git a/target/sdk/files/Config.in b/target/sdk/files/Config.in
index 0cf68faa6e..422b0bb782 100644
--- a/target/sdk/files/Config.in
+++ b/target/sdk/files/Config.in
@@ -18,6 +18,15 @@ menu "Global build settings"
 		bool "Cryptographically sign package lists"
 		default y
 
+	config SIGN_EACH_PACKAGE
+		bool "Cryptographically sign each package .apk file"
+		depends on USE_APK
+		default y
+		help
+		  Sign also the individual package .apk file. Removes the need for
+		  --allow-untrusted when installing self-compiled packages to a
+		  firmware compiled by the same buildhost as public key matches.
+
 	comment "General build options"
 
 	config BUILD_PATENTED

I will compile SDK and see what happens...

hnyman · April 26, 2026, 4:34pm

I made a PR out of it:

github.com/openwrt/openwrt

sdk: add support to sign each .apk package by sdk (#23104)

main ← hnyman:sdk-apk

opened 04:34PM - 26 Apr 26 UTC

hnyman

+10 -0

cc @aparcar @robimarko Add support to signing each package's .apk file into …SDK. This adds into SDK the feature alrready added to the normal builds by f20794a Currently SDK does not sign the compiled packages, causing untrusted package errors at package installation. The reason is the logic in f20794a of defaulting to 'n' in BUILDBOT and 'y' elsewhere. As downloadable SDKs are compiled by the buildbot, the option gets 'n' set as the default. And the option is not among the few build options exposed in the SDK menuconfig, so the user can't easily change it. Enable the feature by default: * Exclude the SIGN_EACH_PACKAGE option from sdk/convert-config.pl * Default to 'y' and expose the option in the SDK config menu. (Avoiding untrusted errors naturally requires the user to copy the public key into the router, quite similar as with full builds.) Reference to: * enabling in full builds: commit f20794a / PR https://github.com/openwrt/openwrt/pull/22221 * forum discussion in https://forum.openwrt.org/t/apk-untrusted-signature-errors-with-packages-compiled-with-sdk/249479 initiated by @orangepizza Tested with mediatek/mt7622 RT3200. SDK menuconfig: ``` │ ┌────────────────────────────────────────────────────────────────────────────┐ │ │ │ [*] Select all target specific packages by default │ │ │ │ [*] Select all kernel module packages by default │ │ │ │ [*] Select all userspace packages by default │ │ │ │ [*] Cryptographically sign package lists │ │ │ │ [*] Cryptographically sign each package .apk file │ │ │ │ *** General build options *** │ │ │ │ [ ] Compile with support for patented functionality │ │ ``` Package installation test: ``` root@router4:~# apk verify /tmp/joe-4.6-r3.apk /tmp/joe-4.6-r3.apk: OK root@router4:~# apk add /tmp/joe-4.6-r3.apk (1/1) Upgrading joe (4.6-r2 -> 4.6-r3) Executing joe-4.6-r3.post-upgrade OK: 51.8 MiB in 315 packages ```