roles/openwrt-image: Pin the LEDE release signing key

This addresses a security issue where an attacker with a key that GnuPG
considers valid (but doesn't claim to be LEDE's) can get their signature
accepted on malicious files.

This should also solve the issue equinox had with key validity.

diff --git a/ansible/roles/openwrt-image/openwrt-keyring.gpg b/ansible/roles/openwrt-image/openwrt-keyring.gpg
new file mode 100644 (file)
index 0000000..f4cab00
Binary files /dev/null and b/ansible/roles/openwrt-image/openwrt-keyring.gpg differ

diff --git a/ansible/roles/openwrt-image/tasks/fetch.yml b/ansible/roles/openwrt-image/tasks/fetch.yml
index 4b5b1c8..f68c87d 100644 (file)
--- a/ansible/roles/openwrt-image/tasks/fetch.yml
+++ b/ansible/roles/openwrt-image/tasks/fetch.yml
@@ -21,7 +21,11 @@
         dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
 
     - name: Check OpenPGP signature
-      command: gpg --verify "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
+      command: >-
+        gpg2 --no-options --no-default-keyring --secret-keyring /dev/null
+             --verify --keyring "{{ role_path }}/openwrt-keyring.gpg"
+             --trust-model always
+             "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
       changed_when: False
 
     - name: Extract SHA256 hash of the imagebuilder archive