Hacker News new | past | comments | ask | show | jobs | submit login

The SHA-2 checksums to verify packages against are delivered as part of the (signed) package index (as the article alludes to).

And those package repo sha256 checksums are signed and verified with ed25519 by usign and ucert (with a key built into the firmware)

usign: https://git.openwrt.org/project/usign.git

ucert: https://git.openwrt.org/project/ucert.git

Firmware releases are also signed with GPG: https://openwrt.org/docs/guide-user/security/release_signatu...

openwrt/openwrt: https://github.com/openwrt/openwrt

openwrt/packages: https://github.com/openwrt/packages

openwrt/openwrt/search?q="usign" https://github.com/openwrt/openwrt/search?q=usign

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact