SEC: GPG keys for OpenWRT 23.05.0 release

SEC: GPG keys for 23.05.0 reverted to 2016 Unattended snapshot build key?

  • There is an OpenWRT wiki page that lists gpg key signatures:
    https://openwrt.org/docs/guide-user/security/signatures

  • There is no key listed for 23.05 release builds:

    ---
    PGP key for 22.03 release builds

    User ID: OpenWrt Build System pgpsign-22.03@openwrt.org
    Public Key: 0xCD54E82DADB3684D (4096 Bit RSA, created 2022-03-25, expires 2025-04-03)
    Fingerprint: BF85 6781 A012 93C8 409A BE72 CD54 E82D ADB3 684D
    Signing Subkey: 0xAB3F404913AA0D5A (4096 Bit RSA, created 2022-03-25, expires 2025-04-03)
    Fingerprint: 1FDF CF69 F6FB 7776 B14D D61D AB3F 4049 13AA 0D5A
    Last change: 2023-04-04 10:33:03 +0200

    ---
    PGP key for unattended snapshot builds

    User ID: OpenWrt Build System pgpsign-snapshots@openwrt.org
    Public Key: 0xCD84BCED626471F1 (4096 Bit RSA, created 2016-07-26)
    Fingerprint: 54CC 7430 7A2C 6DC9 CE61 8269 CD84 BCED 6264 71F1
    Signing Subkey: 0xF93525A88B699029 (4096 Bit RSA, created 2016-07-26)
    Fingerprint: 6D92 78A3 3A9A B314 6262 DCEC F935 25A8 8B69 9029
    Last change: 2019-07-24 18:05:02 +0200
    
  • When I download the latest 23.05.0 images,
    and verify with gpg, it's pointing to the unattended snapshot build key from 2016.
    Is that correct?

    gpg --recv-keys 0xCD54E82DADB3684D # 23.05 Public key fingerprint
    gpg --status-fd 1 --with-fingerprint --verify sha256sums.asc ./sha256sums
    [GNUPG:] NEWSIG
    gpg: Signature made Thu 12 Oct 2023 11:48:30 AM EDT
    gpg: using RSA key 6D9278A33A9AB3146262DCECF93525A88B699029
    [GNUPG:] ERRSIG F93525A88B699029 1 10 00 1697125710 9 6D9278A33A9AB3146262DCECF93525A88B699029
    [GNUPG:] NO_PUBKEY F93525A88B699029

    # This should work, but should we trust this keypair?
    gpg --recv-keys 0xCD84BCED626471F1 # OpenWrt Build System key from 2016
    gpg --status-fd 1 --with-fingerprint --verify sha256sums.asc ./sha256sums

Previously (and in other distros) each OpenWRT release had a new GPG key?

( https://slsa.dev/ specifies a more correct way to do builds and release signatures; e.g. with sigstore, too )

( E.g. LetsEncrypt certs are valid for 90 or 30 days. )

Was it justified to have had unique GPG keys per release,
why was this release management procedure changed,
and why are the builds I've downloaded from two places signed with a key that's 7 years old?

( Usign is there, too. Is there a good way to gpg --recv-keys the usign pubkeys? )
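The verification the post walks through stops at gpg's human-readable output. As an added example that is not code from this thread, the script below pins the snapshot signing subkey fingerprint quoted from the wiki above (the key that actually signed 23.05.0) and judges gpg's machine-readable `--status-fd` lines, so a "Good signature" from some other key in the keyring is rejected; the sample status lines are constructed to mirror the original poster's session.

```shell
#!/bin/sh
# Added example, not code from the thread: pin the signing subkey fingerprint and judge
# gpg's machine-readable --status-fd output instead of trusting a "Good signature" line.
# Fingerprints are those quoted in the thread; sample status lines are constructed.

# Snapshot signing subkey that actually signed 23.05.0 (from the wiki listing).
EXPECTED_FPR="6D9278A33A9AB3146262DCECF93525A88B699029"

# check_gpg_status FPR  (status-fd lines on stdin). Returns 0 only when a VALIDSIG
# line names the pinned fingerprint; 2 for a bad signature or a different signer;
# 3 when the signing key is not in the keyring (the ERRSIG/NO_PUBKEY case).
check_gpg_status() {
    expected="$1"; rc=1; verdict="no VALIDSIG line seen"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG $expected "*) rc=0; verdict="signed by pinned key" ;;
            "[GNUPG:] VALIDSIG "*) rc=2; verdict="signed by unexpected key ${line#*VALIDSIG }" ;;
            "[GNUPG:] BADSIG "*) rc=2; verdict="bad signature" ;;
            "[GNUPG:] NO_PUBKEY "*) rc=3; verdict="key ${line##* } missing: import it, then compare its fingerprint with the wiki" ;;
        esac
    done
    echo "$verdict" >&2
    return "$rc"
}
# Real use: verify the checksum list, then the downloaded image against it.
verify_release() {
    gpg --status-fd 1 --verify sha256sums.asc sha256sums | check_gpg_status "$EXPECTED_FPR" &&
    sha256sum -c --ignore-missing sha256sums
}
# Constructed sample: the failure in the thread (signing key not imported yet).
demo_missing_key() {
    check_gpg_status "$EXPECTED_FPR" <<'EOF'
[GNUPG:] ERRSIG F93525A88B699029 1 10 00 1697125710 9 6D9278A33A9AB3146262DCECF93525A88B699029
[GNUPG:] NO_PUBKEY F93525A88B699029
EOF
}
# Constructed sample: valid signature by the pinned snapshot subkey.
demo_pinned_key() {
    check_gpg_status "$EXPECTED_FPR" <<'EOF'
[GNUPG:] GOODSIG F93525A88B699029 OpenWrt Build System <pgpsign-snapshots@openwrt.org>
[GNUPG:] VALIDSIG 6D9278A33A9AB3146262DCECF93525A88B699029 2023-10-12 1697125710 0 4 0 1 10 00 54CC74307A2C6DC9CE618269CD84BCED626471F1
EOF
}
# Constructed sample: valid signature, but by the 22.03 subkey listed on the wiki.
demo_wrong_key() {
    check_gpg_status "$EXPECTED_FPR" <<'EOF'
[GNUPG:] VALIDSIG 1FDFCF69F6FB7776B14DD61DAB3F404913AA0D5A 2023-10-12 1697125710 0 4 0 1 10 00 BF856781A01293C8409ABE72CD54E82DADB3684D
EOF
}
```

Run `verify_release` in the directory holding `sha256sums`, `sha256sums.asc` and the image; it only succeeds when the signer is the pinned key and the image hash matches the signed list.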

The CI setup for 23.05 was cloned from the snapshot one, so it inherited the snapshot keys as well. No dedicated PGP keys were created for 23.05.

There's work underway to revamp the signing topic, but for the time being, snapshot PGP keys are used to sign everything. In general, dealing with GPG signing has been very complex and error-prone so far, and none of the developers involved with doing releases so far feels comfortable doing it. GPG signing was only ever done because it was demanded by parts of the user base.

2 Likes

https://openwrt.org/releases/23.05/notes-23.05.0?s[]=wrong%20singing%20keys#known_issues

2 Likes

https://openwrt.org/releases/23.05/notes-23.05.0?s[]=wrong%20singing%20keys#known_issues :

OpenWrt 23.05.0 was signed with the wrong signing keys. The keys from OpenWrt snapshot were used for OpenWrt 23.05.0, including the release candidates. A later OpenWrt 23.05 service release will use a different key.

1 Like