Re: [OpenWrt-Devel] Missing GPG signatures
> > I cross-signed the 18.06 key with the 17.01 one now and signed both > using my personal key. > > ~ Jo > Many thanks Jo. I just felt that there is no other project that compares to OpenWRT, for embedded networking devices, so I didn't like to see anything slip. Thanks again. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] Missing GPG signatures
Hi, > It seems only Robert Call of the LibreCMC fork is consistently signing > releases > with the same key. But how is he verifying upstream...? probably by trusting https://openwrt.org/docs/guide-user/security/signatures I cross-signed the 18.06 key with the 17.01 one now and signed both using my personal key. ~ Jo signature.asc Description: OpenPGP digital signature ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] Missing GPG signatures
Hello I couldn't find a way to cross verify the 18.06 key using the 17.01 key. So it seems anyone with the 17.01 key is not at any advantage over a totally new user, when upgrading to 18.06. This is a very unusual situation compared to what all major Linux distributions are doing nowadays. I then imported all GPG keys associated with OpenWRT and was confused to find that there seems to be no cross-signing of keys anywhere? It seems only Robert Call of the LibreCMC fork is consistently signing releases with the same key. But how is he verifying upstream...? Below is a full output of the situation. gpg --fingerprint --list-sigs pub rsa4096 2017-01-16 [SC] [expires: 2019-01-16] B09BE781AE8A0CD4702FDCD3833C6010D52BBB6B uid [ unknown] LEDE Release Builder (17.01 "Reboot" Signing Key) sig 3833C6010D52BBB6B 2017-01-16 LEDE Release Builder (17.01 "Reboot" Signing Key) pub rsa4096 2018-05-16 [SC] [expires: 2020-05-15] 6768C55E79B032D77A28DA5F0F20257417E1CE16 uid [ unknown] OpenWrt Release Builder (18.06 Signing Key) sig 30F20257417E1CE16 2018-05-18 OpenWrt Release Builder (18.06 Signing Key) pub rsa4096 2016-07-26 [SC] 54CC74307A2C6DC9CE618269CD84BCED626471F1 uid [ unknown] LEDE Build System (LEDE GnuPG key for unattended build jobs) sig 3CD84BCED626471F1 2016-07-26 LEDE Build System (LEDE GnuPG key for unattended build jobs) sub rsa4096 2016-07-26 [S] sig CD84BCED626471F1 2016-07-26 LEDE Build System (LEDE GnuPG key for unattended build jobs) pub rsa4096 2016-08-26 [SC] 10BDEE38E7DFDFC7D5D3CC09ED7282E208DAF586 uid [ unknown] Florian Fainelli (LEDE Signing Key) sig 3ED7282E208DAF586 2016-08-26 Florian Fainelli (LEDE Signing Key) pub rsa4096 2016-12-06 [SC] 569E3F24712DEF28C2448C12AAD7E1690C74E7B8 uid [ unknown] Hans Dedecker (LEDE Signing Key) sig 3AAD7E1690C74E7B8 2016-12-06 Hans Dedecker (LEDE Signing Key) sub rsa4096 2016-12-06 [S] [expires: 2018-12-06] sig AAD7E1690C74E7B8 2016-12-06 Hans Dedecker (LEDE Signing Key) pub rsa4096 2016-12-11 [SC] 3176362F0318F3C17DBF89DE818021EBB6C9ECDA uid [ unknown] Stijn Tintel (LEDE Signing Key) sig 3818021EBB6C9ECDA 2016-12-11 Stijn Tintel (LEDE Signing Key) sub rsa4096 2016-12-11 [S] [expires: 2018-12-11] sig 818021EBB6C9ECDA 2016-12-11 Stijn Tintel (LEDE Signing Key) pub rsa4096 2016-04-26 [SC] C2C9C93BF4775C11D4F6617C9C46FAFC12D89000 uid [ unknown] Ted Hess (LEDE Signing Key) sig 39C46FAFC12D89000 2016-04-26 Ted Hess (LEDE Signing Key) pub rsa4096 2016-04-14 [SC] B4DE4970B205473D26CD818F9E8F1F2934E5BBCC uid [ unknown] John Crispin (LEDE Signing Key) sig 39E8F1F2934E5BBCC 2016-04-14 John Crispin (LEDE Signing Key) pub rsa4096 2016-04-05 [SC] 69B26A2762D065E66F596755C76FDE50612A0E98 uid [ unknown] Jo-Philipp Wich (LEDE Signing Key) sig 3C76FDE50612A0E98 2016-04-05 Jo-Philipp Wich (LEDE Signing Key) pub rsa4096 2012-12-18 [SC] [expires: 2019-06-08] 390DCF788BF9AA504F8FF1E2C29E9DA6A0DF8604 uid [ unknown] Alexander Couzens sig 3C29E9DA6A0DF8604 2016-08-20 Alexander Couzens sig 61D851D9A6822153 2015-12-06 [User ID not found] sig 01E670EFB6ED1A3A 2016-04-04 [User ID not found] sig EA71ABC5AB83B1C3 2014-06-28 [User ID not found] sig 091AB856069AAA1C 2016-04-20 [User ID not found] sig EBF67A846AABE354 2016-10-03 [User ID not found] sig 6C6580E77BD756C4 2016-05-22 [User ID not found] sig 378D4EEEF482CB982 2015-08-30 [User ID not found] sig 4B043FCDB9444540 2016-12-29 [User ID not found] sig 153FE398821C8394 2018-08-22 [User ID not found] sig 3C29E9DA6A0DF8604 2013-08-19 Alexander Couzens sig 3C29E9DA6A0DF8604 2014-10-27 Alexander Couzens sig 2 P1318EFAC5FBBDBCE 2015-12-06 [User ID not found] sig 3C29E9DA6A0DF8604 2017-09-12 Alexander Couzens sig 3C29E9DA6A0DF8604 2018-06-08 Alexander Couzens uid [ unknown] Alexander Couzens sig 3C29E9DA6A0DF8604 2016-08-20 Alexander Couzens sig 61D851D9A6822153 2015-12-06 [User ID not found] sig 01E670EFB6ED1A3A 2016-04-04 [User ID not found] sig EA71ABC5AB83B1C3 2014-06-28 [User ID not found] sig 091AB856069AAA1C 2016-04-20 [User ID not found] sig EBF67A846AABE354 2016-10-03 [User ID not found] sig 6C6580E77BD756C4 2016-05-22 [User ID not found] sig 378D4EEEF482CB982 2015-08-30 [User ID not found] sig 4B043FCDB9444540 2016-12-29 [User ID not found] sig 153FE398821C8394 2018-08-22 [User ID not found] sig 3C29E9DA6A0DF8604 2014-10-27 Alexander Couzens sig 3C29E9DA6A0DF8604 2013-01-01 Alexander Couzens sig 2 P1318EFAC5FBBDBCE