Understanding Chain of trust when installing packages offline

Hi,

I am trying to understand the signing approach, and I don't understand how OpenWrt 19.07 verifies the packages when installing a package offline from "/tmp". The docs mention that you can update the lists with "opkg update" and that the downloaded .sig files inside "/tmp/opkg-lists" are usign signature files.

But I can do a factory reset, transfer previously saved .ipk files with scp to /tmp and install them with "opkg install /tmp/xxx.ipk" before I connect the router to the internet, and therefore without any lists or .sig files inside "/tmp/opkg-lists". So I wonder whether there is another place with lists, or how OpenWrt verifies the packages in this situation?

Hopefully somebody can understand my thoughts and tell me how this works...

Best regards
Tour2020

# ls -l /tmp/opkg-lists
-rw-r--r--    1 root     root         53170 Aug 25 09:12 openwrt_base
-rw-r--r--    1 root     root           164 Aug 25 09:14 openwrt_base.sig
...

# gzip -c -d /tmp/opkg-lists/openwrt_base | head
Package: 464xlat
...
SHA256sum: 46e7741eadf349f594c2d4753a5063406afff9bc5bfcf9ad103156021fbeaac1

Thus, it does not verify packages separately from the lists.

You have the following options:

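As an added example (not from the reply above and not OpenWrt's own code), the following Python script reproduces the second half of what opkg does: once the signature on a package list has been checked, it parses the decompressed list, looks up the package's SHA256sum field, and compares it with the hash of a locally saved .ipk. The package list text and the .ipk bytes below are constructed stand-ins, and the package names are assumptions; a real run would read the gzip-compressed list from /tmp/opkg-lists with load_package_list after verifying its .sig with usign.

```python
import gzip
import hashlib
import re


def parse_package_list(text):
    """Split a decompressed opkg list into {package_name: {field: value}}.

    The list is a series of control-file stanzas separated by blank lines,
    each with lines such as "Package: ..." and "SHA256sum: ...".
    """
    packages = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            packages[fields["Package"]] = fields
    return packages


def load_package_list(path):
    """Read a gzip-compressed list such as /tmp/opkg-lists/openwrt_base."""
    with gzip.open(path, "rt") as fh:
        return parse_package_list(fh.read())


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_ipk(packages, name, ipk_bytes):
    """Return (ok, reason).

    ok is True only when the (already signature-checked) list has an entry
    for `name` and its SHA256sum equals the hash of ipk_bytes. A package
    that is not in the list cannot be verified at all, which is the offline
    situation described in the thread.
    """
    entry = packages.get(name)
    if entry is None:
        return False, "package not in list"
    expected = entry.get("SHA256sum", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        return False, "list entry has no valid SHA256sum"
    actual = sha256_hex(ipk_bytes)
    if actual != expected:
        return False, "hash mismatch: expected %s got %s" % (expected, actual)
    return True, "ok"


# Constructed stand-in for a saved .ipk archive (not a real package).
SAMPLE_IPK = b"constructed fake .ipk contents"

# Constructed sample of a decompressed package list. The first entry's
# SHA256sum matches SAMPLE_IPK; the second deliberately does not.
SAMPLE_LIST = """\
Package: example-tool
Version: 1.0-1
Architecture: all
Filename: example-tool_1.0-1_all.ipk
SHA256sum: {digest}

Package: other-pkg
Version: 2.3-4
Architecture: all
Filename: other-pkg_2.3-4_all.ipk
SHA256sum: 0000000000000000000000000000000000000000000000000000000000000000
""".format(digest=sha256_hex(SAMPLE_IPK))


if __name__ == "__main__":
    pk = parse_package_list(SAMPLE_LIST)
    for name in ("example-tool", "other-pkg", "missing-pkg"):
        print(name, verify_ipk(pk, name, SAMPLE_IPK))
```

On a router you would first verify the list's detached signature (the .sig file next to it) with usign against the public keys shipped under /etc/opkg/keys, then run a check like this against the decompressed list; without a trusted list there is nothing to compare the .ipk hash to, which is exactly why an install from /tmp with an empty /tmp/opkg-lists is not verified.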

OK, now I understand.
Thank you very much for your explanation and the list of options.

Best regards
Tour2020
