[Solved] Opkg and Signature check

Hi there,

I'm new to OpenWRT and noticed that the software downloads are using plain HTTP links as default.
While 'opkg update' seems to check signature ('Signature check passed.'), I did not found similar output for 'opkg install ip-full'.
Does this mean that some downloads are processed without signature check?
I also found instructions how to configure downloads via HTTPS, but I probably have to download unchecked files in the first place. Sounds like a catch-22 for me and I wonder how I can fix this without having to download packages without signature check?

Many thanks in advance,


your device does download the signed package list from openwrt servers over plain http and checks the signature of it against the keys in /etc/opkg/keys.
This package lists contains package names and a sha256 of the ipk package.
So if you install a package, it's fetched also over plain http and checked against the sha256 hash in the already verified package list.
And voala, your requested package install is verified to come from the official openwrt package repos.

Using https has no real advantage over http...




thank you for your detailed explanation. Good to know that the package installation will be aborted when the Hashes does not match.


If your question has been answered, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.