[SOLVED]Https for downloads.openwrt.org repos in imagebuilder

I use imagebuilder for my installation image creation.
I am sensitive to website that use plain http instead of https.
I understand that usign (or something like that) ensures the integrity of packages but https also ensures that users packages installation cant be tracked (among other things) and also add another layer of protection against tampering.
is there a reason that http is used for downloading packages from repos?

I am not talking about the /etc/config files for opkg. I understand that those need to be http by default because of size of needed packages for https support on opkg. (thought to be honest now that after a long time openwrt has upped the size required for default images maybe https can be added to that too)

I am talking about the packages that get downloaded to host computer for creating the image.

does this have a reason I am missing?

honestly I dont understand using http instead of https at all, much less for a project that deals with the single most vulnerable point of net in users homes.

1 Like

I dont understand what is the quotes are supposed to do?
I am talking about spying and surveillance and censorship.
for http links
like http://something.com/tor.pkg

and I also said I understand that openwrt image builder already does integrity checking for packages.
so I dont understand why you quoted the first one.

" In the past there's been various download servers which frequently had broken HTTPS setups in the past, so the sanest choice was to disable certificate checking. "
this is no longer a sane option.

You asked for a reason, and that's it.
HTTPS provides neither integrity nor authenticity verification.
It could be less reliable than you may think for the given task.

HTTPS does not protect you against those threats.
The ISP can still utilize DPI to analyze SNI or simply filter traffic by IP.
You should use a VPN or Tor as already mentioned above.

1 Like

I understand the underlying part about https not providing integrity.
but in this day and age using http is the wrong choice.
now using https in the default image in device takes a lot of space and I understand that, but using http on host for creating images and saying that you check the packages is not enough.
using https creates another layer (As I said in the first post). maybe use https by default and then let the user use http if he has issues?
I think a user that creates images understand enough to be able to edit a text file if downloads fail.

also https does absolutly helps against spying and surveillance and censorship.
at least compared to http.
if that is not the case then please use http for all the openwrt websites so that servers use less cpu.

I am not talking about NSA level of spying. I am talking about https vs http.

it seems that I got you a t a bad time because you seem to not get the point I am trying to make.

https seems fine to me...

Downloading https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2711/kmods/5.4.105-1-e6bc2400f376a9e1e6c0d7653674211c/kmod-usb-ledtrig-usbport_5.4.105-1_aarch64_cortex-a72.ipk
Installing luci-app-ledtrig-rssi (git-20.125.36159-be640ce) to root...
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a72/luci/luci-app-ledtrig-rssi_git-20.125.36159-be640ce_all.ipk
Installing rssileds (3) to root...
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a72/base/rssileds_3_aarch64_cortex-a72.ipk
Installing bcm27xx-userland (4a0a19b88b43e48c6b51b526b9378289fb712a4c-1) to root...
Downloading https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2711/packages/bcm27xx-userland_4a0a19b88b43e48c6b51b526b9378289fb712a4c-1_aarch64_cortex-a72.ipk
Installing kmod-sched-ctinfo (5.4.105-1) to root...
Downloading https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2711/kmods/5.4.105-1-e6bc2400f376a9e1e6c0d7653674211c/kmod-sched-ctinfo_5.4.105-1_aarch64_cortex-a72.ipk
Package ip-full (5.11.0-1) installed in root is up to date.
Package atftpd (0.7.4-1) installed in root is up to date.

check you are using master or your repositories.conf paths...

I download image builder from openwrt website
like this:

when I use that the repo urls are like this

## Place your custom repositories here, they must match the architecture and version.
# src/gz %n http://downloads.openwrt.org/releases/19.07.7
# src custom file:///usr/src/openwrt/bin/mvebu/packages

## Remote package repositories
src/gz openwrt_core http://downloads.openwrt.org/releases/19.07.7/targets/mvebu/cortexa9/packages
src/gz openwrt_base http://downloads.openwrt.org/releases/19.07.7/packages/arm_cortex-a9_vfpv3-d16/base
src/gz openwrt_freifunk http://downloads.openwrt.org/releases/19.07.7/packages/arm_cortex-a9_vfpv3-d16/freifunk
src/gz openwrt_luci http://downloads.openwrt.org/releases/19.07.7/packages/arm_cortex-a9_vfpv3-d16/luci
src/gz openwrt_packages http://downloads.openwrt.org/releases/19.07.7/packages/arm_cortex-a9_vfpv3-d16/packages
src/gz openwrt_routing http://downloads.openwrt.org/releases/19.07.7/packages/arm_cortex-a9_vfpv3-d16/routing
src/gz openwrt_telephony http://downloads.openwrt.org/releases/19.07.7/packages/arm_cortex-a9_vfpv3-d16/telephony

## This is the local package repository, do not remove!
src imagebuilder file:packages

which is http not https.
every time I download the image builder I have to change them manually.

did you try changing it?

sed is your friend

1 Like

Sorry, it seems I misunderstood you as my comment is mostly relevant for the build system.

When building from sources, the build process depends on many external projects which authors sometimes don't offer HTTPS, or configure the server incorrectly, or use outdated certificates, etc.

With dozens of different sources, the risk that something goes wrong rises exponentially, so it's just another point of failure without significant benefits to the purpose.

I agree that HTTPS can be a good additional layer of security when using the ImageBuilder.

If you are concerned about State-issue concerns, using 19.07 and the packages FOR 19.07 should be a concern. You would be better basing your images (multiple, guessing from the OP) on 21.02 or master/main branch of your own fork to freeze the devel.

1 Like

thanks for noticing my point.
yes I meant that downloads.openwrt.org needs to be set as https.
I changed the title to reflect that.

but if I remember correctly from my git compile days on openwrt, the image compiler (not builder but the one that needs the whole development environment) also tries to download from openwrt website the sources that it uses. for example if it tries to compile tor it first tries to download it from somewhere on openwrt.org website. I just don't remember where.

1 Like

no, not NSA level.
contrary to western belief iran network is more geared toward censorship not surveillance (to be honest I would have preferred the reverse).

but overall, anywhere you live should not matter. this is a trend(belief/gaol ?) of internet activist and recently some corporations' to make https the default one. like mozilla https-only mode and chrome warning about http downloads and so on.
which is a good trend.
if it wasn't for covid19 we would have moved more toward that mode, but special care needed to be made so that very old website that are for healthcare still work so they delayed a lot of changes for that.

btw what is the difference between the two point releases that makes a difference vis-a-vis state-wide issues?
just newer version of programs or some new great feature that I have not heard about?
I didnt get your point.

also I try to avoid git version, because I wasted a lot of time on that before moving to imagebuilder (that creates images from prebuild ipks). the time used by that process was not worth it, and I needed that only for some packages to change their options.

also how does openwrt verify the downloads?
doesnt it download a .sig file and check the files against that?
I dont completely understand this verify process but from what I understand it checks it against a file.
is that file inside the openwrt imagebuilder or is it downloaded.
if it is downloaded then cant it be manipulated when it is transmitted via http with no https?

The comment was more about anyone having the need to worry about security (for whatever reasons), including state-agent surveillance or censorship, would probably be interested in the code changes since July, 2019. The branch was set then, and while security patches were backported, the kernel is certainly out of date. The packages were also forked July 2019, and I couldn't attest to security updates being backported for 19.07 packages (might be wrong, might depend on the maintainer).

For anyone concerned about security, these will play into consideration (or should).

thank you for clearifying. I thought I missed some news or a feature that was announced for 21.02 :slight_smile:
about the point you made I am not sure that kernel security is that outdated for a remote device (but maybe there are cases that can be exploited remotely) I think programs running on the device are more important to be updated and they are to some extent on openwrt.

on the other hand if you use the newest kernel you actually open yourself to new exploit and bugs that may have slipped in.
these are just my opinions and not expert ones. :slight_smile:

1 Like

also I downloaded the snapshot imagebuilder and saw that repositories' urls have been changed to https.

1 Like

Opkg should verify lists by signatures and packages by hashes:
Understanding Chain of trust when installing packages offline - #2 by vgaetera

The ImageBuilder seems to provide a similar implementation:

The keys should be part of the ImageBuilder archive:


is this downloaded for imagebuilder or is it included?
if it is downloaded then doesnt that defeat its purpose?

Isn't the signature verified against the keys included in the imagebuilder, and those keys are obtained from the OpenWrt keyring during the build process of the imagebuilder itself. Additionally, if somebody builds imagebuilder for himself, the local build key is included in that case, similarly as with any private build.


The keys in the official keyring are installed in the build process (of the imagebuilder). Keyring includes separate keys for master snapshots, 21.02, 19.07 etc.

I see the keys in the ImageBuilder@master.
But they seem to be missing in ImageBuilder@openwrt-19.07.
Is that a bug, or the logic has changed?