There were few topics before:
I'm getting "The page you are looking for is temporarily unavailable" on the main site at the moment, but unless I'm totally mistaken, the stable builds of 23.05.0 are signed with the "PGP key for unattended snapshot builds".
Furthermore, the page doesn't list any signing key for the 23.05 series, and was last modified in April. From past threads it seems like this isn't the first time that the page is lacking up-to-date keys. Given the security implications, shouldn't the pubkeys always be ava…
Every 23.05 release contains the same note and promises that later release will have different key.
Could someone explain why the latest 23.05.5 has been signed with the wrong key?
1 Like
That didn't mean version 24?
1 Like
So, does anybody know whether or not we are going to have any 23.05 release with the correct keys? And why the wrong keys have been used for a long period?
1 Like
This seems very much a question worth asking. Anybody able to answer this?
1 Like
I asked the same thing on .3
No one working on this as far as I know.
No one is fixing the release workflow so it will continue to be wrong.
1 Like
hecatae
October 22, 2024, 10:46pm
8
Here's the answer:
opened 03:31AM - 19 Apr 24 UTC
bug
security
### Describe the bug
The key used to sign the stable release of v23.05.x is mis… sing from the [documentation](https://openwrt.org/docs/guide-user/security/signatures) and [keyring](https://git.openwrt.org/keyring.git), without which we cannot verify the downloaded `sha256sum` file.
The same thing happened in [v22.03.0](/openwrt/openwrt/issues/9814#issuecomment-1117030972).
@ynezz @jow- At your convenience, would you please fix this problem? Thank you for your assistance.
### OpenWrt version
r23809-234f1a2efa
### OpenWrt release
23.05.3
### OpenWrt target/subtarget
all
### Device
all
### Image kind
Official downloaded image
### Steps to reproduce
_No response_
### Actual behaviour
_No response_
### Expected behaviour
_No response_
### Additional info
_No response_
### Diffconfig
_No response_
### Terms
- [X] I am reporting an issue for OpenWrt, not an unsupported fork.
And documentation:
https://openwrt.org/docs/guide-developer/releases/provision-nitrokey3
@ynezz do you want any assistance with the artifact signing REST API service?
3 Likes
Thanks for pointing. At least I understand now what is the root of issue.
@ynezz , how can I help you to have correct keys used for the latest OpenWRT release?