[reopen] Imagebuilder with signature check issue for custom repo

giorez · January 3, 2025, 4:38pm

I added a custom repo to the script for image building:

# https://github.com/4IceG/Modem-extras/tree/main
cat <<EOF >> repositories.conf
# add custom repo into repositories.conf
src/gz IceG_repo https://github.com/4IceG/Modem-extras/raw/main/myrepo
EOF

I also commented out the signature check option, to avoid errors during building process:
sed -i 's/option check_signature/# option check_signature/g' repositories.conf

I'd like to improve the script respecting the signature check. How can I use the key from https://github.com/4IceG/Modem-extras/raw/main/myrepo/IceG-repo.pub into my script?

thanks

hnyman · January 4, 2025, 6:52pm

By downloading the public key, and placing it on the proper APK keys directory in the live router, or you can include it as a custom file into the build itself with the full toolchain or the imagebuilder.

giorez · January 4, 2025, 6:56pm

@hnyman do you know if the custom directory "openwrt-imagebuilder.../files" is the right place to insert the key file? something like this?

# from main directory where make file is located i.e. "openwrt-imagebuilder..."
mkdir -p files
cd files
wget https://github.com/4IceG/Modem-extras/raw/main/myrepo/IceG-repo.pub -O files/IceG-repo.pub

I tryed to put the key into "build_dir/target-mipsel_24kc_musl/root-ramips/etc/opkg/keys" but during building process the folder is recreated and the "IceG-repo.pub" is deleted

hnyman · January 4, 2025, 7:43pm

Not quite.
If you check from a live router, you can easily see the path...

root@router6000:~# ls -l /etc/apk/keys/
-rw-r--r--    1 root     root           178 Dec 29 20:57 openwrt-snapshots.pem
-rw-r--r--    1 root     root           178 Dec 29 20:57 public-key.pem
root@router6000:~#

So it is files/etc/apk/keys

giorez · January 4, 2025, 7:50pm

ok, I'll try your suggestion to check if the building process finishes without errors. thanks

here is a memo for myself

mkdir -p files/etc/opkg/keys
wget https://github.com/4IceG/Modem-extras/raw/main/myrepo/IceG-repo.pub -O files/etc/opkg/keys/IceG-repo.pub

edited 09:08 sun 5 jan 2025

stangri · January 5, 2025, 2:56am

@hnyman, I have a suspicion that @giorez is talking about release (23.05 or 24.10) IB, not snapshots.

giorez · January 5, 2025, 7:16am

@stangri yes i'm on 24.10.0-rc4, using opkg

hnyman · January 5, 2025, 8:03am

Yeah, then it is not APK but still opkg.
Check the correct directory and adjust the file copy CMD accordingly.

giorez · January 5, 2025, 8:06am

thanks a lot for your revision

giorez · January 5, 2025, 4:22pm

mkdir -p files/etc/opkg/keys
wget https://github.com/4IceG/Modem-extras/raw/main/myrepo/IceG-repo.pub -O files/etc/opkg/keys/IceG-repo.pub

is putting the file properly, but when i "make image" I get errors:

Collected errors:
 * opkg_install_cmd: Cannot install package luci-app-3ginfo-lite.
 * opkg_install_cmd: Cannot install package luci-app-modemband.
make[2]: *** [Makefile:228: package_install] Error 255
make[1]: *** [Makefile:155: _call_image] Error 2
make: *** [Makefile:331: image] Error 2

Any suggestion?

The only workaround, to succesfully build the image, is:

sed -i 's/option check_signature/# option check_signature # GIO commentato/g' repositories.conf

hnyman · January 5, 2025, 6:44pm

I got your question wrong, as the custom file approach is meant for a live router, not for imagebuilder itself.

But I think that the keys for the imagebuilder process itself are also somewhere in the imagebuilder directories in the build system.

giorez · January 6, 2025, 3:48pm

none of the following directories can solve the isssue:

wget https://github.com/4IceG/Modem-extras/raw/main/myrepo/IceG-repo.pub -O 

> IceG-repo.pub
> keys/IceG-repo.pub
> tmp/IceG-repo.pub
> files/IceG-repo.pub
> files/etc/IceG-repo.pub
> files/etc/opkg/IceG-repo.pub
> files/etc/opkg/keys/IceG-repo.pub
> build_dir/target-mipsel_24kc_musl/root-ramips/etc/opkg/keys/IceG-repo.pub
> build_dir/target-mipsel_24kc_musl/root-ramips/tmp/IceG-repo.pub
> target/linux/ramips/base-files/etc/opkg/keys/IceG-repo.pub

The imagebuilder log at line 2499 reports this error:

Downloading https://github.com/4IceG/Modem-extras/raw/main/myrepo/Packages.sig
Signature check failed.
Remove wrong Signature file.

And line 2850:

Unknown package 'luci-app-3ginfo-lite'.
Unknown package 'luci-app-modemband'.

And line 3070:

 * opkg_install_cmd: Cannot install package luci-app-3ginfo-lite.
 * opkg_install_cmd: Cannot install package luci-app-modemband.
make[2]: *** [Makefile:228: package_install] Error 255
make[1]: *** [Makefile:155: _call_image] Error 2
make: *** [Makefile:331: image] Error 2

hnyman · January 7, 2025, 7:24pm

I got to my computer after a few sickdays, and tested with an arbitrary 24.10 imagebuilder and this works just as expected:

Downloading https://downloads.openwrt.org/releases/24.10-SNAPSHOT/packages/aarch64_cortex-a53/telephony/Packages.gz
Updated list of available packages in /tmp/koe/openwrt-imagebuilder-24.10-SNAPSHOT-mediatek-filogic.Linux-x86_64/build_dir/target-aarch64_cortex-a53_musl/root-mediatek/../../../../../../tmp/koe/openwrt-imagebuilder-24.10-SNAPSHOT-mediatek-filogic.Linux-x86_64/dl/openwrt_telephony
Downloading https://downloads.openwrt.org/releases/24.10-SNAPSHOT/packages/aarch64_cortex-a53/telephony/Packages.sig
Signature check passed.
Downloading https://github.com/4IceG/Modem-extras/raw/main/myrepo/Packages.gz
Updated list of available packages in /tmp/koe/openwrt-imagebuilder-24.10-SNAPSHOT-mediatek-filogic.Linux-x86_64/build_dir/target-aarch64_cortex-a53_musl/root-mediatek/../../../../../../tmp/koe/openwrt-imagebuilder-24.10-SNAPSHOT-mediatek-filogic.Linux-x86_64/dl/IceG_repo
Downloading https://github.com/4IceG/Modem-extras/raw/main/myrepo/Packages.sig
Signature check passed.
Downloading file:packages/Packages
Updated list of available packages in /tmp/koe/openwrt-imagebuilder-24.10-SNAPSHOT-mediatek-filogic.Linux-x86_64/build_dir/target-aarch64_cortex-a53_musl/root-mediatek/../../../../../../tmp/koe/openwrt-imagebuilder-24.10-SNAPSHOT-mediatek-filogic.Linux-x86_64/dl/imagebuilder
Downloading file:packages/Packages.sig
Signature check passed.

The only thing that I did more than your experiments, was that I (apparently properly) renamed the key file to match the fingerprint that was mentioned in the .sig file signed with it (as all the other key files in keys/ were named as fingerprints...)

untrusted comment: signed by key 0a0f903b916f6cb5
RWQKD5A7kW9stWc0w2BD6obyFxcoR7aY+kPLhzLUpG+OFrsBIx6rx9lxBD9QdRZBZP09HdEs75OE5e4FTIDz+vI+Vkyp/AOPPQ4=

mv IceG-repo.pub 0a0f903b916f6cb5

perus@ub2410:/openwrt-imagebuilder-24.10...$ ls keys
0a0f903b916f6cb5  a09286c7021b883f  d310c6f2833e97f7

src/gz openwrt_telephony https://downloads.openwrt.org/releases/24.10-SNAPSHOT/packages/aarch64_cortex-a53/telephony
src/gz IceG_repo https://github.com/4IceG/Modem-extras/raw/main/myrepo
## This is the local package repository, do not remove!

I haven't tested any further, but might just work normally.

giorez · January 7, 2025, 11:19pm

IT WORKS!!!

here is the solution:
wget https://github.com/4IceG/Modem-extras/raw/main/myrepo/IceG-repo.pub -O keys/0a0f903b916f6cb5

this original wget was the problem:
wget https://github.com/4IceG/Modem-extras/raw/main/myrepo/IceG-repo.pub -O keys/IceG-repo.pub

Thanks a lot for your job.

system · January 17, 2025, 11:20pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.