From: nicoo Date: Mon, 21 May 2018 12:02:28 +0000 (+0200) Subject: roles/openwrt-image: Pin the LEDE release signing key X-Git-Url: https://git.realraum.at/?a=commitdiff_plain;h=7bf98c441206e949e3f43ba3f662608c2f14ff81;p=noc.git roles/openwrt-image: Pin the LEDE release signing key This addresses a security issue where an attacker with a key that GnuPG considers valid (but doesn't claim to be LEDE's) can get their signature accepted on malicious files. This should also solve the issue equinox had with key validity. --- diff --git a/ansible/roles/openwrt-image/openwrt-keyring.gpg b/ansible/roles/openwrt-image/openwrt-keyring.gpg new file mode 100644 index 0000000..f4cab00 Binary files /dev/null and b/ansible/roles/openwrt-image/openwrt-keyring.gpg differ diff --git a/ansible/roles/openwrt-image/tasks/fetch.yml b/ansible/roles/openwrt-image/tasks/fetch.yml index 4b5b1c8..f68c87d 100644 --- a/ansible/roles/openwrt-image/tasks/fetch.yml +++ b/ansible/roles/openwrt-image/tasks/fetch.yml @@ -21,7 +21,11 @@ dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" - name: Check OpenPGP signature - command: gpg --verify "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" + command: >- + gpg2 --no-options --no-default-keyring --secret-keyring /dev/null + --verify --keyring "{{ role_path }}/openwrt-keyring.gpg" + --trust-model always + "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" changed_when: False - name: Extract SHA256 hash of the imagebuilder archive