Hello everybody!
I'm using OpenWRT on my Raspberry PI with success. Recently, I needed to recompile some software for my device as I did in the past. But this time, I had some issues with opkg not accepting my recompiled package because of a signature issue.
```
# opkg update
Downloading file:///opt/opkg/base/Packages.gz
Updated list of available packages in /var/opkg-lists/base
Downloading file:///opt/opkg/base/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading file:///opt/opkg/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/packages
Downloading file:///opt/opkg/packages/Packages.sig
Signature check passed.
```
Very strangely, the problem only appears on one of the two generated package lists...
I managed to reduce the problem to usign. Under some conditions, the generated signature is valid on the build host (using the OpenWRT SDK) but not on the OpenWRT device.
I discovered this existing problem: Signature check failed after clean installation
But my usign is up-to-date on my device and my OpenWRT SDK is freshly downloaded from yesterday.
```
# uname -a
Linux raspberry-pi.example.test 4.9.198 #0 SMP Tue Nov 5 14:12:18 2019 aarch64 GNU/Linux
# opkg install usign
Package usign (2019-08-06-5a52b379-1) installed in root is up to date.
```
So, here is the minimal procedure I followed to reproduce the issue.
I installed the latest OpenWRT SDK for my device:
```
curl -o openwrt-sdk.tar.xz https://downloads.openwrt.org/releases/18.06.2/targets/brcm2708/bcm2710/openwrt-sdk-18.06.2-brcm2708-bcm2710_gcc-7.3.0_musl.Linux-x86_64.tar.xz
tar Jxvf openwrt-sdk.tar.xz
mv openwrt-sdk-*/ openwrt-sdk
cd openwrt-sdk
```
Generate a key pair
```
$ staging_dir/host/bin/usign -G -p key-build.pub -s key-build
$ cat key-build.pub
untrusted comment: public key ea2dce9ca7506bf6
RWTqLc6cp1Br9iqPALenfhdHV5Moo/iay0KABmmNOEYavEgQMxZ07kF3
```
Create a file that triggers the bug
```
cat > example <<"EOF"
Package: liblua
Version: 5.1.5-1
Depends: libc
License: MIT
Section: libs
Architecture: aarch64_cortex-a53
Installed-Size: 65697
Filename: liblua_5.1.5-1_aarch64_cortex-a53.ipk
Size: 66507
SHA256sum: dfea49dc37157e293db7b52810550e89fc61e4691c7cdcc23084cc030977b702
Description: Lua is a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Lua is free software. This package contains the Lua shared libraries, needed by other programs.

Package: libopenssl
Version: 1.0.2q-1
Depends: libc
License: OpenSSL
Section: libs
Architecture: aarch64_cortex-a53
Installed-Size: 692552
Filename: libopenssl_1.0.2q-1_aarch64_cortex-a53.ipk
Size: 688744
SHA256sum: 96e587b5dbcbe9b3e6e76456f6783a2586ae30b7e19d7b0d337516207e8925a3
Description: The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. This package contains the OpenSSL shared libraries, needed by other programs.

Package: lua
Version: 5.1.5-1
Depends: libc, liblua
License: MIT
Section: lang
Architecture: aarch64_cortex-a53
Installed-Size: 4385
Filename: lua_5.1.5-1_aarch64_cortex-a53.ipk
Size: 5220
SHA256sum: ac1f1ea219f11c166eaad61ebcf2d322c3f994c1a74f357f4b57d483cc3cd18c
Description: Lua is a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Lua is free software. This package contains the Lua language interpreter. 

Package: zlib
Version: 1.2.11-2
Depends: libc
License: Zlib
Section: libs
Architecture: aarch64_cortex-a53
Installed-Size: 39791
Filename: zlib_1.2.11-2_aarch64_cortex-a53.ipk
Size: 40536
SHA256sum: e74c4eac90ec86551aa349b09e2c0b2c28e1a9e70e0157d8bea77adfd57024e3
Description: zlib is a lossless data-compression library. This package includes the shared library.
EOF
```
```
$ staging_dir/host/bin/usign -S -m example -s key-build
$ cat example.sig
untrusted comment: signed by key ea2dce9ca7506bf6
RWTqLc6cp1Br9vHJqu8vdUvwVDpVpThCNO+pCYFudkLyJAY9WDf+MaFI1Rv9M92IQg2Y0wyiAfzrgBBjHKrp7lIX89ZQoOkmiA8=
```
The signature is validated correctly with the OpenWRT SDK
```
$ staging_dir/host/bin/usign -V -m example -p key-build.pub
OK
```
I copy the file, signature and public key to my device (making sure they are not altered during transfer)
```
$ sha256sum example* key-build.pub
4ee199a5d824b4cec10fbb5456acba544eaad89f7c45a92ef552460d92ec0a73  example
3aa154d09de2f80847dd01f6c1886c35cf6b0913d94b9ea72e233f541977445f  example.sig
6290a06d8775a005b5bdd9e3502205b1f41582321caebf4cb3dd59df58d0b184  key-build.pub
$ scp example example.sig key-build.pub email@example.com:/tmp
$ ssh firstname.lastname@example.org sha256sum /tmp/example* /tmp/key-build.pub
4ee199a5d824b4cec10fbb5456acba544eaad89f7c45a92ef552460d92ec0a73  /tmp/example
3aa154d09de2f80847dd01f6c1886c35cf6b0913d94b9ea72e233f541977445f  /tmp/example.sig
6290a06d8775a005b5bdd9e3502205b1f41582321caebf4cb3dd59df58d0b184  /tmp/key-build.pub
```
The signature cannot be verified on the device.
```
$ ssh email@example.com usign -V -m /tmp/example -p /tmp/key-build.pub
verification failed
```
Any idea why this happens?
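As an added illustration (not part of the post above, and not usign's own code), the following Python parses the two files the poster shows in the usign/signify format: an `untrusted comment:` line followed by base64 of a 2-byte algorithm id `Ed`, an 8-byte key id and the payload (32-byte public key or 64-byte signature). It checks the structural things that make `verification failed` ambiguous, namely that both files decode to the right length and embed the same key id; it does not perform the Ed25519 signature check itself, so a match here only rules out a wrong key or a truncated file, not a hashing difference between host and device.

```python
import base64

# The two files shown in the post, embedded verbatim as sample input
# (the poster's throwaway key; nothing here is a real deployment key).
PUB_FILE = """untrusted comment: public key ea2dce9ca7506bf6
RWTqLc6cp1Br9iqPALenfhdHV5Moo/iay0KABmmNOEYavEgQMxZ07kF3
"""
SIG_FILE = """untrusted comment: signed by key ea2dce9ca7506bf6
RWTqLc6cp1Br9vHJqu8vdUvwVDpVpThCNO+pCYFudkLyJAY9WDf+MaFI1Rv9M92IQg2Y0wyiAfzrgBBjHKrp7lIX89ZQoOkmiA8=
"""

COMMENT_PREFIX = "untrusted comment: "


def parse_usign_file(text, payload_len):
    """Parse a usign/signify file: line 1 is the untrusted comment, line 2 is
    base64 of  b'Ed' (2 bytes) + key id (8 bytes) + payload (payload_len bytes)."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith(COMMENT_PREFIX):
        raise ValueError("missing 'untrusted comment:' header line")
    raw = base64.b64decode(lines[1], validate=True)  # reject junk characters
    if raw[:2] != b"Ed":
        raise ValueError("unexpected algorithm id %r" % raw[:2])
    expected = 2 + 8 + payload_len
    if len(raw) != expected:
        raise ValueError("expected %d bytes, got %d (truncated or wrong file?)"
                         % (expected, len(raw)))
    return {"comment": lines[0][len(COMMENT_PREFIX):],
            "keyid": raw[2:10].hex(),   # the id printed as ea2dce9ca7506bf6
            "payload": raw[10:]}


def parse_pubkey(text):
    return parse_usign_file(text, 32)   # Ed25519 public key is 32 bytes


def parse_signature(text):
    return parse_usign_file(text, 64)   # Ed25519 signature is 64 bytes


def key_id_matches(pub_text, sig_text):
    """True when the .sig was produced by the key in the .pub. A mismatch means
    the wrong key file was copied, a different failure than a bad message hash."""
    return parse_pubkey(pub_text)["keyid"] == parse_signature(sig_text)["keyid"]


if __name__ == "__main__":
    pub, sig = parse_pubkey(PUB_FILE), parse_signature(SIG_FILE)
    print("public key id:", pub["keyid"], "| signature key id:", sig["keyid"])
    print("key ids match:", key_id_matches(PUB_FILE, SIG_FILE))
```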