If you have an OpenWrt local full build environment, with key-build.(,pub,ucert)
files generated for you on first run, you may stumble upon an error/problem after one year of working with this directory (and key-build files).
PROBLEM:
key-build.ucert, while being automatically generated, is created with a 365-day expiry, and after this date, without any warning, you will start building images which will fail sysupgrade's /usr/libexec/validate_firmware_image check.
Proposed solutions:
- renew the ucert automatically (if it's being generated in an automatic way, the renewal could also be automated)
(btw: you must delete the old key-build.ucert and have a new one generated from scratch, as chained verification is not working, at least for me, so a stacked ucert file will also fail sysupgrade!)
- at least put a big warning at the end of the build process.
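
One way the end-of-build warning could look, as an added example that is not part of the original report or of the OpenWrt build system. It assumes the file's mtime approximates the certificate's issue time (it does not parse the ucert itself); the function names and the 30-day warning window are hypothetical.

```shell
#!/bin/sh
# Added example: warn when key-build.ucert is near or past the 365-day
# lifetime described in the report. Assumption: the file's mtime is the
# time the build system generated the certificate.

UCERT_LIFETIME_DAYS=365   # lifetime stated in the report
UCERT_WARN_DAYS=30        # hypothetical warning window

# Print a file's mtime as epoch seconds (GNU stat first, then BSD stat).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# ucert_days_left FILE [NOW_EPOCH] -> prints whole days until assumed expiry
ucert_days_left() {
    now=${2:-$(date +%s)}
    mtime=$(file_mtime "$1") || return 2
    age_days=$(( (now - mtime) / 86400 ))
    echo $(( UCERT_LIFETIME_DAYS - age_days ))
}

# ucert_check FILE [NOW_EPOCH]
# returns 0 = ok, 1 = expiring soon or expired, 2 = missing/unreadable
ucert_check() {
    [ -f "$1" ] || { echo "WARNING: $1 not found" >&2; return 2; }
    left=$(ucert_days_left "$1" "$2") || return 2
    if [ "$left" -le 0 ]; then
        echo "WARNING: $1 is likely EXPIRED;" \
             "images built with it may fail sysupgrade validation" >&2
        return 1
    elif [ "$left" -le "$UCERT_WARN_DAYS" ]; then
        echo "WARNING: $1 likely expires in $left day(s)" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: pass the path to key-build.ucert as the first argument.
if [ "$#" -gt 0 ]; then
    ucert_check "$1"
fi
```

Because the check relies on mtime, copying or restoring the build directory without preserving timestamps makes the certificate look newer than it is.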