From 7bf98c441206e949e3f43ba3f662608c2f14ff81 Mon Sep 17 00:00:00 2001 From: nicoo Date: Mon, 21 May 2018 14:02:28 +0200 Subject: [PATCH] roles/openwrt-image: Pin the LEDE release signing key This addresses a security issue where an attacker with a key that GnuPG considers valid (but doesn't claim to be LEDE's) can get their signature accepted on malicious files. This should also solve the issue equinox had with key validity. --- ansible/roles/openwrt-image/openwrt-keyring.gpg | Bin 0 -> 1190 bytes ansible/roles/openwrt-image/tasks/fetch.yml | 6 +++++- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 ansible/roles/openwrt-image/openwrt-keyring.gpg diff --git a/ansible/roles/openwrt-image/openwrt-keyring.gpg b/ansible/roles/openwrt-image/openwrt-keyring.gpg new file mode 100644 index 0000000000000000000000000000000000000000..f4cab0024d6edf286c1e26e31f7258b95000a949 GIT binary patch literal 1190 zcmV;X1X=r;0u2OMeGLx*5CEo)A9Lbi7mYQ6P0EKO#W(PR2`;I@SQ+Sa1F z(ql-g0oj#_bBXMb1{Y31=7l@191$S)8|97_Ie-h1Ced-z<=HW+xu}aGzU}J16RQwXWB5k~Q0ew{cJUK$Y zL4NIfqPnW-ued@8bMc1bCarb6Wwk9*jb;o>OX;b3xWAnOpvHmyaGZ9nbCisT#Ra`k zUa=%H;jnxE-Xoxjbbq}N+jSMB{e$qAAKmsJMk{?iVioQgLcf-!wXMtiw194`(?rHZ0;;g+$QaJ#CR> zJ3yC!3!gXvEqeeF0RRECQ%prfMIcgTY-M3{WgtRzX>4R=av&%%H!d(SARIWn*+MZ*pfoi2^$~Vd3$h`S>k02ne1S|-K4IBkPl~*Y$S)usR7hw| zZe=qJDCxes8Ng;go$9;#-f|xY%IWgRH5e32-4pz#-s8G9kw4tu+3VEFh%cnpDTJ3E zXN@*wANrX{DQY*!`g$8F%L&pcV_!()KlH6e?yFXUDu`${8v4g=M0oL{9v!r(nz=_F zcR;m^wROEcWTVKLDPdy5KSm`cs8<}6z>S|9c$M0xT#9qTFG3Ed(x&?47+r-Lg7 z!b_O~YJ*!77n7YV`~1i?;Mma;8&;C8{jPEAAJY{;1@ew(cdJ18url+L$LnjcnR z`j3?mDKHZZ_{x_pUZg;9e29^O=D*6tVpJG(nP0P0U}rf!5og)c^h;6NjmM_mDs8*3 zWwnp!9B9oovQBFCGue9MM~BL67Ept4nX2h~pZozz74cuV zw;9|r8Ob(k#Bi!5oX3UttYC71=|0Tm9~k1nE}^Vb!^#)f!B1(FGCQI-2$kxJ_r>Ex EcBJkq8UO$Q literal 0 HcmV?d00001 diff --git a/ansible/roles/openwrt-image/tasks/fetch.yml b/ansible/roles/openwrt-image/tasks/fetch.yml index 4b5b1c8..f68c87d 100644 --- a/ansible/roles/openwrt-image/tasks/fetch.yml 
+++ b/ansible/roles/openwrt-image/tasks/fetch.yml
@@ -21,7 +21,11 @@
     dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
 
 - name: Check OpenPGP signature
-  command: gpg --verify "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
+  command: >-
+    gpg2 --no-options --no-default-keyring --secret-keyring /dev/null
+    --verify --keyring "{{ role_path }}/openwrt-keyring.gpg"
+    --trust-model always
+    "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
   changed_when: False
 
 - name: Extract SHA256 hash of the imagebuilder archive
-- 
1.7.10.4
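Review bot: The pinned keyring closes the key-substitution hole, but `gpg2 --verify` still only reports that some key in that keyring produced a good signature, and nothing in the task records which key is expected, so a later keyring update (or a second key slipped into the file) cannot be reviewed against intent; add `# expected signer fingerprint: <FINGERPRINT-OF-KEY-IN-openwrt-keyring.gpg> — update together with the keyring` above the task, or check `--status-fd 1` output for a `VALIDSIG` line carrying that fingerprint. `--secret-keyring /dev/null` is documented by GnuPG 2.1+ as obsolete and ignored, so on such hosts it adds no isolation and could be dropped to avoid implying protection that is not there. Renaming the binary from `gpg` to `gpg2` assumes the target installs it under that name, and if this task runs on the managed node rather than the controller, `{{ role_path }}/openwrt-keyring.gpg` resolves on the controller and would first have to be copied over — neither is visible from the hunk. `changed_when: False` would be `changed_when: false` under yamllint's truthy rule. The enclosing task list continues outside the hunk.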