Package feed/repo signature - how to make it not fail on custom build

I'm using the OpenWrt build system to create an image, and I've successfully built a packages folder that includes all necessary packages. These packages install correctly, which is especially useful since snapshot builds often have compatibility issues with .ipk files from official repositories due to kernel mismatches.

However, I encounter a problem when I upload this packages folder to my web host and try to use it as my own repository. Despite setting it up correctly in /etc/opkg/distfeeds.conf or customfeeds, I get a 'Signature check failed' error during the update process in LuCI / opkg.

I've read in forums that this issue might be related to the keys in /etc/opkg/keys, and there were discussions about using usign as far back as 2017, but I encountered errors attempting to use that method.

I want to set up my repository without bypassing the signature check for security reasons and without having to manually upload each .ipk file. Can anyone provide advice on how to resolve this signature check error? Any tips would be greatly appreciated!

I'm not particularly familiar with this, so I'm just guessing, but are you uploading the *.sig files along with the packages and lists?

$ find bin/ -iname '*.sig'
bin/targets/x86/64/packages/Packages.sig
bin/packages/x86_64/base/Packages.sig
bin/packages/x86_64/luci/Packages.sig
bin/packages/x86_64/packages/Packages.sig
bin/packages/x86_64/routing/Packages.sig
bin/packages/x86_64/telephony/Packages.sig

Literally just uploading the full directory (tried with both individual directories like base and also the /packages folder that is in targets), including the Packages.sig file etc., and pointed to it in OpenWrt, but the signature check fails.

Oops, I misunderstood your question... This is happening when you do opkg update on the router, right?

How about copying the "Local build key" from your build onto your router?

On build machine, I see:

$ head staging_dir/target-x86_64_musl/root-x86/etc/opkg/keys/*
==> staging_dir/target-x86_64_musl/root-x86/etc/opkg/keys/8a11255d14aef6c8 <==
untrusted comment: ASU CA pubkey 2022
RWSKESVdFK72yB0Y5q0ckpqqXU+51UbFYYMPRrOTMdNjvLkU1tjJTSiU

==> staging_dir/target-x86_64_musl/root-x86/etc/opkg/keys/b5043e70f9a75cde <==
untrusted comment: Public usign key for unattended snapshot builds
RWS1BD5w+adc3j2Hqg9+b66CvLR7NlHbsj7wjNVj0XGt/othDgIAOJS+

==> staging_dir/target-x86_64_musl/root-x86/etc/opkg/keys/c8793eda37f519b4 <==
untrusted comment: Local build key
RWTIeT7aN/UZtM96cIQ26YhzxLalc0sIcp4F9YsJ2XlYxkBOVClxadwC

So scp that last one into /etc/opkg/keys/ and see what happens??? (On my router, those first two already exist, but the last one does not.)

Interesting - when I check /openwrt/staging_dir/target-aarch64_cortex-a72_musl/root-bcm27xx/etc/opkg/keys on Linux, only one shows in that location, the one which says "untrusted comment: Public usign key for unattended snapshot builds" inside (which is the same as is on the build).

Is there a way I can find the local build key with the 16 characters of the key's SHA-256 hash like you have there?

I can also see the local build key in key-build.pub but I'm not sure how to use usign to get the 16 characters, i.e. the c8793eda37f519b4 in your example.

I found that by

$ cd openwrt   # my git build dir
$ find . -type d -name keys
...

which showed about 20 directories, about 8 of which were opkg ones, and I picked that one as it falls latest in the build process... I'd think if you poke around, you'll find something.

Or maybe just copy that key from my post above?

Or how about this? Grab the signing key name from one of the package sigs and search for it everywhere... This could be the basis for automating the key update.

$ awk '/signed by key/ { print $NF }' bin/targets/x86/64/packages/Packages.sig | xargs find . -name
./staging_dir/target-x86_64_musl/root-x86/etc/opkg/keys/c8793eda37f519b4
./build_dir/target-x86_64_musl/linux-x86_64/base-files/.pkgdir/base-files/etc/opkg/keys/c8793eda37f519b4
... a  bunch more ...
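An added example, not code from the thread or from OpenWrt, for the two questions above (how to get the 16-character name for key-build.pub, and how to go from a Packages.sig to the key it needs). The name opkg uses is not a SHA-256 hash: a usign key blob is 2 bytes of algorithm tag ("Ed"), an 8-byte key fingerprint and the 32-byte Ed25519 public key, and the fingerprint in hex is the file name under /etc/opkg/keys (usign prints it with `usign -F -p key-build.pub`). A Packages.sig blob begins with the same 10 bytes, so the same decoding recovers the signing key id from it. The script below does that with only coreutils, so it runs on the build host or the router without usign. The demo data is constructed: it uses the public keys quoted in this thread, and the Packages.sig body is an all-zero placeholder, not a valid signature. The scp target in `install_build_key` is an assumed hostname.

```shell
#!/bin/sh
# Added example: derive opkg key ids from usign files with plain coreutils.
# Blob layout (after base64 decoding the non-comment line(s)):
#   bytes 0-1   "Ed"            algorithm tag
#   bytes 2-9   fingerprint     hex of this = /etc/opkg/keys file name
#   bytes 10-   public key (.pub, 32 bytes) or signature (.sig, 64 bytes)

usign_blob_key_id() {
    # $1: path to a usign .pub or .sig file; prints the 16-hex-char key id
    grep -v '^untrusted comment:' "$1" \
        | base64 -d \
        | dd bs=1 skip=2 count=8 2>/dev/null \
        | od -An -v -tx1 \
        | tr -d ' \n'
}

sig_comment_key_id() {
    # $1: Packages.sig; its comment line reads "untrusted comment: signed by key <id>"
    awk '/signed by key/ { print $NF; exit }' "$1"
}

check_repo_key() {
    # $1: Packages.sig   $2: key directory (/etc/opkg/keys on the router)
    # Returns 0 if the signing key is installed, 1 if it is missing,
    # 2 if the comment line and the blob name different keys (mangled file).
    blob_id=$(usign_blob_key_id "$1")
    comment_id=$(sig_comment_key_id "$1")
    if [ "$blob_id" != "$comment_id" ]; then
        echo "key id mismatch: comment says $comment_id, blob says $blob_id" >&2
        return 2
    fi
    if [ -f "$2/$blob_id" ]; then
        echo "signing key $blob_id is installed"
        return 0
    fi
    echo "signing key $blob_id is NOT installed in $2" >&2
    return 1
}

install_build_key() {
    # $1: key-build.pub from the build tree   $2: ssh target (assumed, e.g. root@router)
    # opkg only looks for keys named by fingerprint, so copy it under that name.
    id=$(usign_blob_key_id "$1") || return 1
    scp "$1" "$2:/etc/opkg/keys/$id"
}

demo_dir() {
    # Constructed demo data: the "Local build key" and the snapshot key quoted
    # in the thread, plus a Packages.sig whose signature body is 64 zero bytes
    # (a placeholder carrying the local key's fingerprint, not a real signature).
    d=$(mktemp -d)
    mkdir "$d/keys"
    printf 'untrusted comment: Local build key\nRWTIeT7aN/UZtM96cIQ26YhzxLalc0sIcp4F9YsJ2XlYxkBOVClxadwC\n' > "$d/key-build.pub"
    printf 'untrusted comment: Public usign key for unattended snapshot builds\nRWS1BD5w+adc3j2Hqg9+b66CvLR7NlHbsj7wjNVj0XGt/othDgIAOJS+\n' > "$d/snapshot.pub"
    {
        printf 'untrusted comment: signed by key c8793eda37f519b4\n'
        { printf 'Ed\310\171\076\332\067\365\031\264'; dd if=/dev/zero bs=64 count=1 2>/dev/null; } | base64
    } > "$d/Packages.sig"
    echo "$d"
}

# Walk-through on the constructed data: the repo's key is missing, then
# "install" it (a local cp standing in for install_build_key's scp) and re-check.
d=$(demo_dir)
echo "key-build.pub id: $(usign_blob_key_id "$d/key-build.pub")"
check_repo_key "$d/Packages.sig" "$d/keys" || true
cp "$d/key-build.pub" "$d/keys/$(usign_blob_key_id "$d/key-build.pub")"
check_repo_key "$d/Packages.sig" "$d/keys"
```

On a real router the check is `check_repo_key Packages.sig /etc/opkg/keys` against the Packages.sig you uploaded; if it reports the key missing, `install_build_key key-build.pub root@router` copies the build key under the name opkg expects, after which `opkg update` should verify the feed.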

I believe the code below is responsible for signing packages in my repo:

# Build the index for the feed directory this is run in; mkhash supplies the per-package hashes.
MKHASH="./Builder/staging_dir/host/bin/mkhash" "./Builder/scripts/ipkg-make-index.sh" . 2>/dev/null > Packages.manifest
# Packages is the manifest with build-only fields dropped; Packages.gz is what opkg fetches.
grep -vE '^(Maintainer|LicenseFiles|Source|Require)' Packages.manifest > Packages
gzip -9nc Packages > Packages.gz
# Sign the uncompressed index; usign writes Packages.sig next to it, and opkg checks that
# against the key of the same id under /etc/opkg/keys on the device.
"./Builder/staging_dir/host/bin/usign" -S -m Packages -s "./keys/signing.key"