Ok so something is wrong with the package signatures on downloads.openwrt.org for older releases. To be fair I have only checked the following feeds:
src/gz reboot_core http://downloads.lede-project.org/releases/17.01.6/targets/ar71xx/generic/packages
src/gz reboot_base http://downloads.lede-project.org/releases/17.01.6/packages/mips_24kc/base
src/gz reboot_luci http://downloads.lede-project.org/releases/17.01.6/packages/mips_24kc/luci
src/gz reboot_packages http://downloads.lede-project.org/releases/17.01.6/packages/mips_24kc/packages
src/gz reboot_routing http://downloads.lede-project.org/releases/17.01.6/packages/mips_24kc/routing
src/gz reboot_telephony http://downloads.lede-project.org/releases/17.01.6/packages/mips_24kc/telephony
These redirect as expected to archive.openwrt.org.
Now please do not brush me off saying this is an old release. I know and the issue itself is not the hardware/release its the package signatures on the website.
So a couple of weeks ago I started having issues with opkg update throwing a “Signature check failed” on all package lists except core. After some time messing with usign on the router I delved a bit further and found that this is derived from signify-openbsd.
I therefore installed signify-openbsd on my debian installation on pc and tried to replicate the issue.
I downloaded with wget the package lists and signature files, copied the public key (792d9d9b39f180dc) and ran signify-openbsd as follows:
signify-openbsd -V -p /media/mysharedfolder/signify/keys/792d9d9b39f180dc -m /media/mysharedfolder/signify/opkg-lists/reboot_core
Signature Verified
signify-openbsd -V -p /media/mysharedfolder/signify/keys/792d9d9b39f180dc -m /media/mysharedfolder/signify/opkg-lists/reboot_base.gz
signify-openbsd: signature verification failed
Only core verifies, the rest fail. So the issue is not just on the router but can be replicated on PC.
Can somebody tell me what is happening here?