Hello everybody!
I'm using OpenWRT on my Raspberry PI with success. Recently, I needed to recompile some software for my device as I did in the past. But this time, I had some issues with opkg not accepting my recompiled packet because of a signature issue.
# opkg update
Downloading file:///opt/opkg/base/Packages.gz
Updated list of available packages in /var/opkg-lists/base
Downloading file:///opt/opkg/base/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading file:///opt/opkg/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/packages
Downloading file:///opt/opkg/packages/Packages.sig
Signature check passed.
Very strangely, the problem only appears on one of the two generated package lists...
I managed to reduce the problem to usign. Under some conditions, the generated signature is valid on the build host (using the OpenWRT SDK) but not on the OpenWRT device.
I discovered this existing problem: Signature check failed after clean installation
But my usign is up-to-date on my device and my OpenWRT SDK is freshly downloaded from yesterday.
# uname -a
Linux raspberry-pi.example.test 4.9.198 #0 SMP Tue Nov 5 14:12:18 2019 aarch64 GNU/Linux
# opkg install usign
Package usign (2019-08-06-5a52b379-1) installed in root is up to date.
So, here is the minimal procedure I followed to reproduce the issue.
I installed the latest OpenWRT SDK for my device:
curl -o openwrt-sdk.tar.xz https://downloads.openwrt.org/releases/18.06.2/targets/brcm2708/bcm2710/openwrt-sdk-18.06.2-brcm2708-bcm2710_gcc-7.3.0_musl.Linux-x86_64.tar.xz
tar Jxvf openwrt-sdk.tar.xz
mv openwrt-sdk-*/ openwrt-sdk
cd openwrt-sdk
Generated a key pair
$ staging_dir/host/bin/usign -G -p key-build.pub -s key-build
$ cat key-build.pub
untrusted comment: public key ea2dce9ca7506bf6
RWTqLc6cp1Br9iqPALenfhdHV5Moo/iay0KABmmNOEYavEgQMxZ07kF3
Create a file that triggers the bug
cat > example <<"EOF"
Package: liblua
Version: 5.1.5-1
Depends: libc
License: MIT
Section: libs
Architecture: aarch64_cortex-a53
Installed-Size: 65697
Filename: liblua_5.1.5-1_aarch64_cortex-a53.ipk
Size: 66507
SHA256sum: dfea49dc37157e293db7b52810550e89fc61e4691c7cdcc23084cc030977b702
Description: Lua is a powerful light-weight programming language designed for extending
applications. Lua is also frequently used as a general-purpose, stand-alone
language. Lua is free software.
This package contains the Lua shared libraries, needed by other programs.
Package: libopenssl
Version: 1.0.2q-1
Depends: libc
License: OpenSSL
Section: libs
Architecture: aarch64_cortex-a53
Installed-Size: 692552
Filename: libopenssl_1.0.2q-1_aarch64_cortex-a53.ipk
Size: 688744
SHA256sum: 96e587b5dbcbe9b3e6e76456f6783a2586ae30b7e19d7b0d337516207e8925a3
Description: The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing the Secure
Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
as a full-strength general purpose cryptography library.
This package contains the OpenSSL shared libraries, needed by other programs.
Package: lua
Version: 5.1.5-1
Depends: libc, liblua
License: MIT
Section: lang
Architecture: aarch64_cortex-a53
Installed-Size: 4385
Filename: lua_5.1.5-1_aarch64_cortex-a53.ipk
Size: 5220
SHA256sum: ac1f1ea219f11c166eaad61ebcf2d322c3f994c1a74f357f4b57d483cc3cd18c
Description: Lua is a powerful light-weight programming language designed for extending
applications. Lua is also frequently used as a general-purpose, stand-alone
language. Lua is free software.
This package contains the Lua language interpreter.
Package: zlib
Version: 1.2.11-2
Depends: libc
License: Zlib
Section: libs
Architecture: aarch64_cortex-a53
Installed-Size: 39791
Filename: zlib_1.2.11-2_aarch64_cortex-a53.ipk
Size: 40536
SHA256sum: e74c4eac90ec86551aa349b09e2c0b2c28e1a9e70e0157d8bea77adfd57024e3
Description: zlib is a lossless data-compression library.
This package includes the shared library.
EOF
Signed it
$ staging_dir/host/bin/usign -S -m example -s key-build
$ cat example.sig
untrusted comment: signed by key ea2dce9ca7506bf6
RWTqLc6cp1Br9vHJqu8vdUvwVDpVpThCNO+pCYFudkLyJAY9WDf+MaFI1Rv9M92IQg2Y0wyiAfzrgBBjHKrp7lIX89ZQoOkmiA8=
The signature is validated correctly with the OpenWRT SDK
$ staging_dir/host/bin/usign -V -m example -p key-build.pub
OK
I copied the file, signature and public key onto my device (making sure they are not altered during transfer)
$ sha256sum example* key-build.pub
4ee199a5d824b4cec10fbb5456acba544eaad89f7c45a92ef552460d92ec0a73 example
3aa154d09de2f80847dd01f6c1886c35cf6b0913d94b9ea72e233f541977445f example.sig
6290a06d8775a005b5bdd9e3502205b1f41582321caebf4cb3dd59df58d0b184 key-build.pub
$ scp example example.sig key-build.pub root@raspberry-pi.itix.fr:/tmp
$ ssh root@raspberry-pi.itix.fr sha256sum /tmp/example* /tmp/key-build.pub
4ee199a5d824b4cec10fbb5456acba544eaad89f7c45a92ef552460d92ec0a73 /tmp/example
3aa154d09de2f80847dd01f6c1886c35cf6b0913d94b9ea72e233f541977445f /tmp/example.sig
6290a06d8775a005b5bdd9e3502205b1f41582321caebf4cb3dd59df58d0b184 /tmp/key-build.pub
The signature cannot be verified on the device.
$ ssh root@raspberry-pi.itix.fr usign -V -m /tmp/example -p /tmp/key-build.pub
verification failed
Any idea why this happens?
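Since the SHA-256 sums show the files reached the device unchanged, the remaining question is which usign binary computes the wrong answer, and an independent verifier settles that. The following is an added example, not code from the post or from the usign project: it parses the key-build.pub and .sig layout that usign shares with OpenBSD signify (one "untrusted comment:" line, then base64 of "Ed", an 8-byte key number and the raw key or signature) and implements Ed25519 from the RFC 8032 parameters in plain affine arithmetic, which is slow but adequate for debugging. Assumptions: the key number is drawn as 8 random bytes, the secret key is kept as a raw 32-byte seed in memory instead of usign's own key-build file, the index text is constructed, and the three status strings are this example's, not usign's output.

```python
"""Independent usign/signify-format Ed25519 signature check (added example)."""
import base64
import hashlib
import os

# --- Ed25519 primitives (RFC 8032 parameters, affine coordinates) -------
q = 2**255 - 19                                      # field prime
l = 2**252 + 27742317777372353535851937790883648493  # group order
d = (-121665 * pow(121666, q - 2, q)) % q            # curve constant
I = pow(2, (q - 1) // 4, q)                          # sqrt(-1) mod q

def _xrecover(y):
    """Recover the even x-coordinate for a given y (RFC 8032 decoding)."""
    xx = (y * y - 1) * pow(d * y * y + 1, q - 2, q)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    if x & 1:
        x = q - x
    return x

By = (4 * pow(5, q - 2, q)) % q
B = (_xrecover(By), By)                              # base point

def _add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, q - 2, q)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, q - 2, q)
    return (x3 % q, y3 % q)

def _mul(P, e):
    """Double-and-add scalar multiplication; (0, 1) is the neutral element."""
    Q = (0, 1)
    while e:
        if e & 1:
            Q = _add(Q, P)
        P = _add(P, P)
        e >>= 1
    return Q

def _encode(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def _decode(s):
    v = int.from_bytes(s, "little")
    y = v & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (v >> 255):
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q != 0:
        raise ValueError("point not on curve")
    return (x, y)

def _expand(seed):
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:]

def ed25519_public(seed):
    return _encode(_mul(B, _expand(seed)[0]))

def ed25519_sign(seed, msg):
    a, prefix = _expand(seed)
    A = _encode(_mul(B, a))
    r = int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little") % l
    R = _encode(_mul(B, r))
    k = int.from_bytes(hashlib.sha512(R + A + msg).digest(), "little") % l
    return R + ((r + k * a) % l).to_bytes(32, "little")

def ed25519_verify(pk, msg, sig):
    if len(pk) != 32 or len(sig) != 64:
        return False
    try:
        A, R = _decode(pk), _decode(sig[:32])
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= l:
        return False
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % l
    return _mul(B, S) == _add(R, _mul(A, k))

# --- usign / signify file layout -----------------------------------------
def usign_parse(text):
    """Return (keynum, payload) from key-build.pub or .sig text."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("missing 'untrusted comment:' header line")
    raw = base64.b64decode(lines[1], validate=True)
    if raw[:2] != b"Ed":
        raise ValueError("not an Ed25519 usign blob")
    return raw[2:10], raw[10:]

def usign_format(keynum, payload, comment):
    body = base64.b64encode(b"Ed" + keynum + payload).decode()
    return "untrusted comment: %s %s\n%s\n" % (comment, keynum.hex(), body)

def usign_keygen():
    """(pub file text, keynum, seed); random keynum is an assumption here."""
    seed, keynum = os.urandom(32), os.urandom(8)
    return usign_format(keynum, ed25519_public(seed), "public key"), keynum, seed

def usign_sign(keynum, seed, msg):
    return usign_format(keynum, ed25519_sign(seed, msg), "signed by key")

def usign_verify(pub_text, sig_text, msg):
    """Status strings are this example's own, not usign's output."""
    pub_keynum, pk = usign_parse(pub_text)
    sig_keynum, sig = usign_parse(sig_text)
    if pub_keynum != sig_keynum:
        return "key number mismatch"
    return "OK" if ed25519_verify(pk, msg, sig) else "verification failed"

# Constructed sample index in Packages format (not the poster's real file).
SAMPLE_INDEX = b"Package: zlib\nVersion: 1.2.11-2\nDepends: libc\nArchitecture: aarch64_cortex-a53\n\n"

def demo():
    pub, keynum, seed = usign_keygen()
    sig = usign_sign(keynum, seed, SAMPLE_INDEX)
    return {
        "intact": usign_verify(pub, sig, SAMPLE_INDEX),
        # one dropped trailing newline is enough to invalidate the signature
        "stripped": usign_verify(pub, sig, SAMPLE_INDEX.rstrip(b"\n")),
        # a key with another key number is rejected before any curve arithmetic
        "other_key": usign_verify(usign_keygen()[0], sig, SAMPLE_INDEX),
    }

if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

Run with the real files by reading key-build.pub, example.sig and example as text/bytes and passing them to usign_verify on both the host and the device: if this verifier says "OK" on both while the device's usign says "verification failed", the device binary is the one at fault; if it agrees with the device, the host-side signer produced a signature over different bytes than the file that was copied.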