Signature check failed after clean installation

I've been fiddling around with virtualized OpenWrt 18.06.04 stable quite intensively for some weeks now.
link.
Since today, some luci-app-* packages were suddenly missing. I figured out that opkg update gave back:

Downloading http://downloads.openwrt.org/releases/18.06.4/packages/x86_64/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/x86_64/luci/Packages.sig
Signature check failed.
Remove wrong Signature file.

Did something go wrong with building packages related to the signature process, recently?


I think that the old keys expired or were somehow otherwise disabled. Jow made new ones and stored them in the keyring. I think that you could download them there and store them in the opkg key directory:
https://git.openwrt.org/?p=keyring.git;a=summary

It seems that check_signature is missing in the latest opkg.conf which is pushed via updates:

# opkg update
# opkg download opkg
# tar zxf opkg_*
# tar zxf data.*
# cat etc/opkg.conf 
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay

This looks like a security issue.

I still don't understand what to do. I see key files in /etc/opkg/keys but which is wrong and where is the right one, idk.

Looking at the keyring on https://git.openwrt.org/keyring.git the changes to usign keys shouldn't be an issue.

I've tried verifying the sig of /18.06.4/packages/arm_cortex-a9_vfpv3/luci/ on 18.06.4 - x86_64 and it works fine using the same keys in /etc/opkg/keys/, unlike /18.06.4/packages/x86_64/luci/ which fails like the OP shows.

On ubuntu I was able to verify /18.06.4/packages/x86_64/luci/ sig using signify-openbsd, and signify-rs using key 1035ac73cc4e59e3 without issue.

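The two posts above ask which file under /etc/opkg/keys a failing Packages.sig actually refers to, and mention key 1035ac73cc4e59e3. Added example, not code from the thread or from usign: a parser for the signify/usign file format (an "untrusted comment:" line followed by one base64 line whose decoded bytes are the 2-byte algorithm tag "Ed", an 8-byte key id, then the 32-byte public key or 64-byte signature). It uses the real 18.06 public key quoted later in the thread; the signature file is constructed for the example, with a real key id but filler signature bytes, so it only exercises the parser and proves nothing cryptographically. The key-directory layout (files named by key id, as usign -P looks them up) is assumed from the paths discussed above.

```python
"""Parse usign/signify key and signature files and name the /etc/opkg/keys entry a .sig refers to."""
import base64
import binascii

# Real OpenWrt 18.06 public key, as quoted in jow's listing in this thread.
PUBKEY_18_06 = (
    b"untrusted comment: OpenWrt 18.06 public key\n"
    b"RWQQNaxzzE5Z41cVmEh2rilAPKLsyfPKm+S4BJWA1Yv+LP1hKebmGtXi\n"
)

# Constructed signature file for the example: the key id is real, but the 64-byte
# signature body is filler, so it verifies nothing and only exercises the parser.
SIG_EXAMPLE = (
    b"untrusted comment: constructed example, not a real Packages.sig\n"
    + base64.b64encode(b"Ed" + bytes.fromhex("1035ac73cc4e59e3") + bytes(range(64)))
    + b"\n"
)

PKALG = b"Ed"      # Ed25519, the only algorithm signify/usign define
KEYNUM_LEN = 8     # random key id that ties a .sig to the .pub that made it
PUBKEY_LEN = 32
SIG_LEN = 64


def _parse(blob, body_len):
    lines = blob.split(b"\n")
    if len(lines) < 2 or not lines[0].startswith(b"untrusted comment: "):
        raise ValueError("first line must start with 'untrusted comment: '")
    try:
        raw = base64.b64decode(lines[1], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"second line is not valid base64: {exc}") from None
    if raw[:2] != PKALG:
        raise ValueError(f"unsupported pkalg {raw[:2]!r}")
    expected = len(PKALG) + KEYNUM_LEN + body_len
    if len(raw) != expected:
        raise ValueError(f"expected {expected} decoded bytes, got {len(raw)}")
    keynum = raw[2:2 + KEYNUM_LEN]
    return keynum.hex(), raw[2 + KEYNUM_LEN:]


def parse_pubkey(blob):
    """Return (key id as hex, 32-byte Ed25519 public key)."""
    return _parse(blob, PUBKEY_LEN)


def parse_sig(blob):
    """Return (key id as hex, 64-byte Ed25519 signature)."""
    return _parse(blob, SIG_LEN)


def key_file_for(sig_blob, keydir="/etc/opkg/keys"):
    """Path a key-directory lookup (usign -P <keydir>) resolves for this signature;
    assumes files in keydir are named by key id, as on the routers discussed above."""
    keyid, _ = parse_sig(sig_blob)
    return f"{keydir}/{keyid}"


def key_ids_match(pub_blob, sig_blob):
    """True when the .sig names the key in pub_blob (id comparison only, no crypto)."""
    return parse_pubkey(pub_blob)[0] == parse_sig(sig_blob)[0]


if __name__ == "__main__":
    print(parse_pubkey(PUBKEY_18_06)[0])   # 1035ac73cc4e59e3
    print(key_file_for(SIG_EXAMPLE))       # /etc/opkg/keys/1035ac73cc4e59e3
```

A key-id mismatch between a .sig and the keys installed on the device is the ordinary "missing key" failure; a matching id with a still-failing check, as in this thread, points at the verifier or the message bytes rather than at the key material.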

I downgraded my router back to 18.06.4 and tested.
It seems to work ok for me:

 OpenWrt 18.06.4, r7808-ef686b7292
 -----------------------------------------------------

root@router1:# opkg update
Downloading http://downloads.openwrt.org/releases/18.06.4/targets/ipq806x/generic/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading http://downloads.openwrt.org/releases/18.06.4/targets/ipq806x/generic/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.4/targets/ipq806x/generic/kmods/4.14.131-1-c88f42e7e6dcd9861f5cef23dee0dcdb/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_kmods
Downloading http://downloads.openwrt.org/releases/18.06.4/targets/ipq806x/generic/kmods/4.14.131-1-c88f42e7e6dcd9861f5cef23dee0dcdb/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/arm_cortex-a15_neon-vfpv4/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/arm_cortex-a15_neon-vfpv4/base/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/arm_cortex-a15_neon-vfpv4/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/arm_cortex-a15_neon-vfpv4/luci/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/arm_cortex-a15_neon-vfpv4/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/arm_cortex-a15_neon-vfpv4/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/arm_cortex-a15_neon-vfpv4/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/arm_cortex-a15_neon-vfpv4/routing/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/arm_cortex-a15_neon-vfpv4/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/arm_cortex-a15_neon-vfpv4/telephony/Packages.sig
Signature check passed.

Your output doesn't show you testing the x86_64 target which is where the issue is happening though.

Sure, no, as I have no x86 routers. But there should not be any built-in difference between x86 and other targets in signature checking.

Does the signature check still fail in x86? For all feeds or just one/some? (Buildbot builds packages frequently, so if there has been error in buildbot signature files, the error may have corrected itself in the new build rounds.)

It only happens with luci, I've been rechecking whenever packages get updated/refreshed going by the date/time on the download server.

I even replaced the distfeeds.conf with the one from my router (wrt1900acs) and the sig for luci worked fine.

Oh I should say this is on VirtualBox, I don't have an x86 router either.

You might try installing the updated keyring from 19.07 with opkg. Not sure that it would help, but it might.

@jow
Should the openwrt-keyring package update be backported also into 18.06? (You backported it to 19.07 but not to 18.06.)

Right, that's a buildroot/buildbot interaction bug - will look into it. It is unrelated to this issue however.

No, none of the usign keys related to 18.06 were touched.

I am unable to reproduce the OP's issue. This happened when I spun up the image linked above in QEMU:

root@OpenWrt:/# Please press Enter to activate this console.



BusyBox v1.28.4 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 18.06.4, r7808-ef686b7292
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/# 
root@OpenWrt:/# opkg update
Downloading http://downloads.openwrt.org/releases/18.06.4/targets/x86/64/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading http://downloads.openwrt.org/releases/18.06.4/targets/x86/64/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/x86_64/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/x86_64/base/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/x86_64/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/x86_64/luci/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/x86_64/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/x86_64/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/x86_64/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/x86_64/routing/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/x86_64/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading http://downloads.openwrt.org/releases/18.06.4/packages/x86_64/telephony/Packages.sig
Signature check passed.
root@OpenWrt:/# 

Actually, you reproduced the error. It only concerns the LuCI feed, strangely.

EDIT:
just wondering if that could be some one-off case of the signature check failing although the signature itself is correct.


Indeed, sorry for overlooking that. It appears to be a bug with usign. I can reproduce it offline on a Debian 10 desktop using the usign host build:

jow@j460:~/devel/lede/broken-sig$ ls -l
total 380K
-rw-r--r-- 1 jow jow  101 Aug  6 16:26 18.06.pub
-rw-r--r-- 1 jow jow 310K Aug  5 14:46 Packages
-rw-r--r-- 1 jow jow  57K Aug  5 14:46 Packages.gz
-rw-r--r-- 1 jow jow  167 Aug  5 14:48 Packages.sig
jow@j460:~/devel/lede/broken-sig$ sha256sum *
00b1fe841cd8e52c9f8dcfe7fe7234a28586f897601eff81ab6582b820b93178  18.06.pub
8990a5db11df538d45ded5d955042a8f624a64b909064cd7a780c8f1eaf4eb07  Packages
700b7b2fecdff9e16647d0e56aba77bce0bdb99393bf2fa5c01bceba135a6936  Packages.gz
f948ab32df6c40ec12de4a4590bb03bcedce5b3561486efd1e15c064c81edd76  Packages.sig
jow@j460:~/devel/lede/broken-sig$ cat 18.06.pub 
untrusted comment: OpenWrt 18.06 public key
RWQQNaxzzE5Z41cVmEh2rilAPKLsyfPKm+S4BJWA1Yv+LP1hKebmGtXi
jow@j460:~/devel/lede/broken-sig$ signify-openbsd -V -p 18.06.pub -x Packages.sig -m Packages
Signature Verified
jow@j460:~/devel/lede/broken-sig$ ../staging.git/staging_dir/host/bin/usign -V -p 18.06.pub -m Packages
verification failed
jow@j460:~/devel/lede/broken-sig$ 

I tracked the issue down to a bug in usign's SHA512 implementation. The final padding of the last SHA512 block is wrong under certain circumstances, working on a fix now.

Turned out to be a bad magic value which triggered bad hash calculation when the final data buffer was exactly 110 or 111 bytes long.

The patch below should fix it, still doing more tests.

diff --git a/sha512.c b/sha512.c
index 68a9e65..d06d65b 100644
--- a/sha512.c
+++ b/sha512.c
@@ -232,7 +232,7 @@ void sha512_final(struct sha512_state *s, uint8_t *hash)
                memset(&s->partial[last_size], 0,
                       SHA512_BLOCK_SIZE - last_size);
 
-       if (last_size > 110) {
+       if (last_size > (SHA512_BLOCK_SIZE - 16)) {
                sha512_block(s, s->partial);
                memset(s->partial, 0, sizeof(s->partial));
        }
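Review bot: the new threshold `SHA512_BLOCK_SIZE - 16` is only correct if `last_size` already counts the 0x80 terminator byte, and this hunk's context does not show that (it only shows the zero fill from `&s->partial[last_size]`); add a one-line comment stating that invariant next to the comparison, and give the 16 a name for the 128-bit length field rather than swapping one magic number for another. A regression test feeding inputs whose final partial buffer is 110, 111 and 112 bytes (the old boundary on each side) against a reference SHA-512 would pin the fix.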

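To make the failure mode in jow's post concrete, here is an added example (not code from usign, the patch, or the thread): a small SHA-512 in Python whose finalisation mirrors the control flow of the hunk above (a partial buffer that includes the 0x80 terminator, a threshold compared against its length, and the 16-byte length field at the end of the last block), with the threshold as a parameter so the old constant 110 and the fixed `SHA512_BLOCK_SIZE - 16` can be run side by side against hashlib. That `last_size` counts the terminator is an assumption inferred from the patch and from the "110 or 111 bytes" description; the round constants are derived from prime roots instead of being typed in, and the code needs Python 3.8+ for math.isqrt.

```python
"""SHA-512 with usign-style finalisation, parameterised on the extra-block threshold."""
import hashlib
import math
import struct

MASK64 = (1 << 64) - 1
BLOCK = 128        # SHA512_BLOCK_SIZE
LEN_FIELD = 16     # 128-bit big-endian bit length at the end of the last block


def _primes(n):
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps


def _icbrt(n):
    """Exact floor(cbrt(n)) for a non-negative int, by integer Newton iteration."""
    x = 1 << ((n.bit_length() + 2) // 3)    # an upper bound on cbrt(n)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# FIPS 180-4 constants: fractional bits of cube roots (K) and square roots (IV) of primes.
K = [_icbrt(p << 192) & MASK64 for p in _primes(80)]
IV = [math.isqrt(p << 128) & MASK64 for p in _primes(8)]


def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def _compress(h, block):
    w = list(struct.unpack(">16Q", block))
    for i in range(16, 80):
        s0 = _rotr(w[i - 15], 1) ^ _rotr(w[i - 15], 8) ^ (w[i - 15] >> 7)
        s1 = _rotr(w[i - 2], 19) ^ _rotr(w[i - 2], 61) ^ (w[i - 2] >> 6)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK64)
    a, b, c, d, e, f, g, hh = h
    for i in range(80):
        big1 = _rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)
        t1 = (hh + big1 + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK64
        big0 = _rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)
        t2 = (big0 + ((a & b) ^ (a & c) ^ (b & c))) & MASK64
        hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
    return [(x + y) & MASK64 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]


def sha512(msg, extra_block_threshold=BLOCK - LEN_FIELD):
    """Digest msg. extra_block_threshold plays the role of the constant in usign's
    `if (last_size > ...)`: 110 is the old value, BLOCK - LEN_FIELD (112) the fixed one."""
    h = list(IV)
    full = len(msg) // BLOCK
    for i in range(full):
        h = _compress(h, msg[i * BLOCK:(i + 1) * BLOCK])
    partial = bytearray(msg[full * BLOCK:])
    partial.append(0x80)                      # terminator; last_size counts it (assumed, as in usign)
    last_size = len(partial)
    partial.extend(bytes(BLOCK - last_size))  # zero fill, like the memset in the hunk
    if last_size > extra_block_threshold:     # no room left for the 16-byte length field
        h = _compress(h, bytes(partial))
        partial = bytearray(BLOCK)
    hi, lo = divmod(len(msg) * 8, 1 << 64)
    partial[BLOCK - LEN_FIELD:] = struct.pack(">QQ", hi, lo)
    h = _compress(h, bytes(partial))
    return b"".join(struct.pack(">Q", x) for x in h)


def matches_hashlib(msg, extra_block_threshold=BLOCK - LEN_FIELD):
    return sha512(msg, extra_block_threshold) == hashlib.sha512(msg).digest()


def affected_lengths(threshold, max_len=BLOCK + 2):
    """Message lengths below max_len for which the given threshold yields a wrong digest."""
    return [n for n in range(max_len) if not matches_hashlib(b"A" * n, threshold)]


if __name__ == "__main__":
    print("threshold 110 (old) breaks lengths:", affected_lengths(110))   # [110, 111]
    print("threshold 112 (fixed) breaks lengths:", affected_lengths(112))  # []
```

With the old constant, a tail of 110 or 111 data bytes (111 or 112 with the terminator) still fits the length field in the same block, but the code compresses it as a full block and then emits a second, nearly empty one, so the digest diverges from every other SHA-512 implementation for exactly those two residues. A Packages index whose size lands on one of them is what made signify accept the signature while usign rejected it.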

Is there anything I can do to work this around without waiting for next official release?
Much appreciated.

I think that you could install an updated version of usign once the packages buildbot has completed builds for x86_64. That should fix the signature verification. (it may take 1-2 days for the build to get generated)

usign was updated to version 2019-08-06 in all current branches (master, 19.07, 18.06 and 17.01)

Jow has applied an additional fix to the creation of the package index, which aims to prevent creating package index files that would trigger the buggy behaviour.

https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=8a83892662d06a5f2fd4d95b73fe919a21066038

So, after the next packages build round, your current opkg & usign should also work ok without any need of manually updating usign.

Thanks guys, all working now after upgrading usign.

After I issued opkg install usign the problem vanished for me. Thank you!


This fixed my issue as well. Thanks for sharing! Was seeing this on 20 devices after they had all been through a clean install.