Gpg verification - very confused!

Hi, I'm trying to verify an OpenWrt img file I downloaded using gpg. I tried downloading the gpg key, but it has a .asc extension, NOT a .gpg extension - is this right? Also, how does this file relate to the sha256sums.asc file, sha256sums.txt and sha256sums.sig?? Instructions for something so important should be made clearer!

Thanks in advance!

The SHA checksum is listed next to every file at downloads.openwrt.org?

1 Like

Well, there are a lot of very clear instructions out there already.

But this setup has nothing to do with OpenWrt. It is how the gpg system manages keys and signatures, actually for all software in the whole world.

You need to web search for something like “how to verify signatures and checksums with gpg”

With which steps listed here do you have problems?

https://openwrt.org/docs/guide-quick-start/verify_firmware_checksum

3 Likes
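The relationship the first post asks about: the image itself is not signed; the sha256sums file lists a digest for every image, and sha256sums.asc is a detached, ASCII-armored gpg signature over that list (sha256sums.sig is a signature in OpenWrt's own usign format, which gpg does not read). So verification is two steps: `gpg --verify sha256sums.asc sha256sums`, then compare the image's digest against the list. The following is an added example of the second step, not code from the thread or from OpenWrt; the filenames and the sample list are constructed (the digests are those of the bytes `abc` and of an empty file).

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample in the format that `sha256sum` writes and `sha256sum -c`
# reads: "<64 hex digits> *<filename>". The first digest is sha256(b"abc"),
# so the sample stands in for a tiny "image" whose content is the bytes "abc";
# the second is the digest of an empty file. The filenames are made up.
SAMPLE_SHA256SUMS = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *openwrt-example-sysupgrade.bin
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *openwrt-example-empty.bin
"""

# Accept both the binary-mode form ("digest *name") and the text-mode form ("digest  name").
LINE_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_sha256sums(text):
    """Map each listed filename to its expected hex digest (lower-case)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised sha256sums line: {line!r}")
        digest, name = match.groups()
        entries[name] = digest.lower()
    return entries


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large image need not fit in memory."""
    hasher = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            hasher.update(chunk)
    return hasher.hexdigest()


def verify_image(image_path, sums_text):
    """True only if the image's basename is listed and its digest matches the list.

    sums_text must come from a sha256sums file whose gpg signature has already
    been checked; an unsigned list proves nothing about the image.
    """
    expected = parse_sha256sums(sums_text).get(Path(image_path).name)
    if expected is None:
        return False  # not listed at all: treat as a failure, not as "unknown"
    return sha256_of_file(image_path) == expected


def demo():
    """Write the constructed image to a temp dir, verify it, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "openwrt-example-sysupgrade.bin"
        image.write_bytes(b"abc")
        ok_before = verify_image(image, SAMPLE_SHA256SUMS)
        image.write_bytes(b"abd")  # one changed byte
        ok_after = verify_image(image, SAMPLE_SHA256SUMS)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The digest comparison is only as good as the list it comes from, which is why the gpg signature over sha256sums is checked first; a checksum shown on the same web page as the download does not add anything if the page itself has been tampered with.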

Thanks all for responding. I ran the commands specified and it all seems legit, including the fingerprint matching the one on the site. However, does anyone happen to know why it says the text in bold below about '...key is not certified... no indication signature belongs to owner...'? After all, you folks manage these public keys?

*gpg: Good signature from "OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02@openwrt.org>" [unknown]*
***gpg: WARNING: This key is not certified with a trusted signature!***
***gpg:          There is no indication that the signature belongs to the owner.***

I repeat! Gpg/pgp has nothing to do with OpenWrt. Gpg is a security function in Linux. Web search for something like “gpg key trust level”.

But in the bottom end this error is caused by the fact that OpenWrt keys aren’t traceable to a known source but are instead a self-signed certificate!

1 Like
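What the warning actually says: gpg found a good signature (the key's fingerprint, which the poster already compared against the download page, is the real check), but the key has no trust path from your own keyring, so its validity is shown as [unknown]. The added example below, which is not code from the thread or from OpenWrt, reads gpg's machine-readable status output (`--status-fd`) to separate "good signature" from "trusted key" and then accepts the signature only if the fingerprint matches one you pinned from the OpenWrt site. The sample status lines, the key id and the fingerprint are constructed placeholders, not the real 21.02 key; the user id string is the one quoted in the thread.

```python
import subprocess

# Trust tags gpg emits on the status fd after a good signature. The "[unknown]"
# in the human-readable output corresponds to TRUST_UNDEFINED.
TRUST_TAGS = ("TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL", "TRUST_FULLY", "TRUST_ULTIMATE")
# Tags that mean the signature must be rejected regardless of trust level.
FAILURE_TAGS = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")

# Constructed sample of what `gpg --status-fd 1 --verify sha256sums.asc sha256sums`
# prints for the situation in the thread. Key id and fingerprint are placeholders.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02@openwrt.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-09-04 1630771200 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def parse_gpg_status(status_text):
    """Reduce gpg status lines to: was the signature good, by which key, at what trust."""
    result = {"good_signature": False, "user_id": None, "fingerprint": None,
              "trust": None, "failures": []}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            # GOODSIG <long key id> <user id ...>
            result["good_signature"] = True
            result["user_id"] = " ".join(fields[3:])
        elif tag == "VALIDSIG":
            # VALIDSIG <fingerprint> <date> <timestamp> ... ; the fingerprint is what to pin
            result["fingerprint"] = fields[2].upper()
        elif tag in TRUST_TAGS:
            result["trust"] = tag
        elif tag in FAILURE_TAGS:
            result["failures"].append(tag)
    return result


def normalise_fingerprint(fpr):
    """Accept the spaced form shown on web pages as well as the bare 40 hex digits."""
    return fpr.replace(" ", "").upper()


def signature_is_acceptable(status, pinned_fingerprint):
    """Good signature, no failure tags, and the signing key is the one we pinned.

    The TRUST_* level is deliberately not consulted: pinning the fingerprint you
    verified out of band is the decision; gpg's trust database only records
    whether you told it about that decision.
    """
    return (status["good_signature"]
            and not status["failures"]
            and status["fingerprint"] == normalise_fingerprint(pinned_fingerprint))


def gpg_verify(asc_path, sums_path):
    """Run gpg on a detached signature and return the parsed status (gpg must be installed)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", asc_path, sums_path],
        capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout)


if __name__ == "__main__":
    status = parse_gpg_status(SAMPLE_STATUS)
    print(status["trust"], signature_is_acceptable(
        status, "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"))
```

If you do want the human-readable warning to go away, the thread's answer is the mechanism: raise the key's owner trust in your keyring (`gpg --edit-key <key id>` then `trust`) after you have compared the fingerprint. Doing that changes only what gpg says about the key; it does not make the signature any better or worse than the fingerprint comparison already did.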

I take your point, but don't self-signed certs defeat the purpose of verification through published public keys? Don't get me wrong - I do appreciate the software you are providing to the public!

1 Like

Yes, but a fully verified certificate needs a company on top of the verification hierarchy to verify you are you. And that usually costs money and is complicated.

In pretty much all open source projects this is solved a little in between, in the way that you verify the webpage the open source verification certificate is downloaded from.

But in the bottom end it is up to you to trust the OpenWrt webpage, and whether you want to manually set the certificate as “ultimately trusted” to get rid of the warning.

But if you really have sleep problems over authenticity, you can build from source code instead.
Then you don’t use gpg verification at all.

3 Likes