The SHA-2 checksums to verify packages against are delivered as part of the (sig... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

slrz on Feb 1, 2020 | parent | favorite | on: OpenWRT remote code execution via MITM due to bug ...

The SHA-2 checksums to verify packages against are delivered as part of the (signed) package index (as the article alludes to).

pkgsupplysec on Feb 2, 2020 [–]

And those package repo sha256 checksums are signed and verified with ed25519 by usign and ucert (with a key built into the firmware)

usign: https://git.openwrt.org/project/usign.git

ucert: https://git.openwrt.org/project/ucert.git

Firmware releases are also signed with GPG: https://openwrt.org/docs/guide-user/security/release_signatu...

openwrt/openwrt: https://github.com/openwrt/openwrt

openwrt/packages: https://github.com/openwrt/packages

openwrt/openwrt/search?q="usign" https://github.com/openwrt/openwrt/search?q=usign

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact