Allow signing packages #14

Open
Eeems opened this issue Sep 21, 2020 · 3 comments

Eeems commented Sep 21, 2020

@ddvk has requested package signing:
According to https://stackoverflow.com/a/39972015 it's possible. That said we need to explore the implications of doing so. There is the possibility that this would require us to handle signing all the standard entware packages.

@matteodelabre matteodelabre transferred this issue from toltec-dev/toltec Jul 31, 2021
@matteodelabre matteodelabre changed the title Explore adding package signing Allow signing packages Jul 31, 2021
@matteodelabre matteodelabre added the enhancement New feature or request label Aug 1, 2021
@matteodelabre

Opkg LEDE (OpenWrt’s fork, which Entware and we are using) supports package signing. Entware doesn’t use or support signing. There are two options that control the checking of signatures by Opkg:

  • Set option check_signature 1 in /opt/etc/opkg.conf to enable signature checking.
  • Pass the (undocumented) --force-signature flag on the command line to make signature failures non-fatal.

Only the Packages index file is signed (its signature is located in a file called Packages.sig); the individual package archives are not signed. This is sufficient since the index file contains SHA-256 checksums for each package archive. Note that signature checking cannot be enabled on a per-feed basis; it’s a global setting. After downloading signatures, Opkg invokes the following script to check them:

/usr/sbin/opkg-key verify /path/to/Packages.sig /path/to/Packages

This script is tasked with checking that /path/to/Packages.sig is a valid signature for /path/to/Packages, and must exit with 0 if that’s the case. Entware does not ship such a script, so this will not work by default. There are at least two implementations of that script that we could take inspiration from:

The script does not have to be located in /usr/sbin/opkg-key. This default value can be overridden in one of two ways:

  • Set option verify_program /path/to/opkg-key in /opt/etc/opkg.conf.
  • Pass the --verify-program /path/to/opkg-key flag on the command line.

OpenWrt’s way: There is a brief page in their docs on how they do repository signatures. They use an in-house program called usign to check signatures. usign is compatible with signatures created by BSD’s signify (Ed25519 algorithm).
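
An added example, not part of the thread and not Toltec's or OpenWrt's code: a fail-closed `opkg-key` script for the `verify <sigfile> <file>` call described in the comment above, delegating to usign. The key directory path and the `KEYDIR`/`USIGN` override variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: verifier for "opkg-key verify <sigfile> <file>".
# Assumptions: trusted usign public keys live in KEYDIR (hypothetical path),
# one file per key, and usign is on PATH unless USIGN overrides it.
KEYDIR="${KEYDIR:-/opt/etc/opkg/keys}"
USIGN="${USIGN:-usign}"

opkg_key_verify() {
    sigfile="$1"
    msgfile="$2"
    # Fail closed: both the signature and the index must exist and be non-empty.
    [ -s "$sigfile" ] || { echo "opkg-key: no signature at $sigfile" >&2; return 1; }
    [ -s "$msgfile" ] || { echo "opkg-key: no index at $msgfile" >&2; return 1; }
    # An empty or missing key directory means nothing is trusted.
    [ -n "$(ls -A "$KEYDIR" 2>/dev/null)" ] || {
        echo "opkg-key: no trusted keys in $KEYDIR" >&2; return 1; }
    # usign flags: -V verify, -P directory of public keys, -x signature file,
    # -m signed message, -q quiet. Its exit status is what Opkg acts on.
    "$USIGN" -q -V -P "$KEYDIR" -x "$sigfile" -m "$msgfile"
}

opkg_key() {
    case "$1" in
        verify)
            [ "$#" -eq 3 ] || {
                echo "usage: opkg-key verify <sigfile> <file>" >&2; return 2; }
            opkg_key_verify "$2" "$3"
            ;;
        *)
            # Unknown or missing subcommand is an error, never a success.
            echo "usage: opkg-key verify <sigfile> <file>" >&2
            return 2
            ;;
    esac
}

# Dispatch only when the file is installed and run under the name opkg-key,
# so the functions can also be loaded on their own for testing.
case "${0##*/}" in
    opkg-key) opkg_key "$@"; exit $? ;;
esac
```

Installed as `opkg-key` at the path given by `option verify_program`, the script returns usign's exit status to Opkg and returns non-zero for every input it cannot check.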


Eeems commented Aug 6, 2021

We probably want to go with usign to keep in line with OpenWrt. As for entware, we could host a mirror of their repository and just sign the packages in that mirror, have a script that syncs nightly or something.

@matteodelabre

> We probably want to go with usign to keep in line with OpenWrt.

Yes, usign seems like the best approach. It’s simpler and more targeted than GnuPG, although maybe less scrutinized from a security point of view.

> As for entware, we could host a mirror of their repository and just sign the packages in that mirror, have a script that syncs nightly or something.

Related: toltec-dev/toltec#327
