From: nicoo
Date: Mon, 21 May 2018 12:02:28 +0000 (+0200)
Subject: roles/openwrt-image: Pin the LEDE release signing key
X-Git-Url: https://git.realraum.at/?p=noc.git;a=commitdiff_plain;h=7bf98c441206e949e3f43ba3f662608c2f14ff81

roles/openwrt-image: Pin the LEDE release signing key

This addresses a security issue where an attacker with a key that GnuPG considers valid (but doesn't claim to be LEDE's) can get their signature accepted on malicious files. This should also solve the issue equinox had with key validity.
---

diff --git a/ansible/roles/openwrt-image/openwrt-keyring.gpg b/ansible/roles/openwrt-image/openwrt-keyring.gpg
new file mode 100644
index 0000000..f4cab00
Binary files /dev/null and b/ansible/roles/openwrt-image/openwrt-keyring.gpg differ
diff --git a/ansible/roles/openwrt-image/tasks/fetch.yml b/ansible/roles/openwrt-image/tasks/fetch.yml
index 4b5b1c8..f68c87d 100644
--- a/ansible/roles/openwrt-image/tasks/fetch.yml
+++ b/ansible/roles/openwrt-image/tasks/fetch.yml
@@ -21,7 +21,11 @@
 dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
 
 - name: Check OpenPGP signature
- command: gpg --verify "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
+ command: >-
+ gpg2 --no-options --no-default-keyring --secret-keyring /dev/null
+ --verify --keyring "{{ role_path }}/openwrt-keyring.gpg"
+ --trust-model always
+ "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
 changed_when: False
 
 - name: Extract SHA256 hash of the imagebuilder archive
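Review bot: With `--trust-model always` the new `gpg2 --verify` command passes on a good signature from any key that happens to be in `openwrt-keyring.gpg` and never asserts the fingerprint of the one key you meant to pin, so a later accidental import into that binary blob would silently widen the trust anchor; the purpose-built tool for this is `gpgv`, which treats every key in the supplied keyring as trusted and needs none of the `--no-options --no-default-keyring --secret-keyring /dev/null --trust-model always` scaffolding (`--secret-keyring` is an obsolete, ignored option on GnuPG 2.1+ anyway). Assuming `.sha256.asc` is a detached signature over the `.sha256` fetched just before, the replacement would be `gpgv --keyring "{{ role_path }}/openwrt-keyring.gpg" "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"`. If you keep gpg2, add `--batch` so a missing data file or a pinentry cannot stall the play, and prefer `--status-fd 1` with a check that the output contains a `VALIDSIG` line for the expected fingerprint rather than relying on the exit status alone. In either case record the pinned key's fingerprint (and expiry, if it has one) in a comment above the task, since reviewers cannot audit the keyring file by eye and an expiring key will need the file refreshed; `changed_when: False` should also be the plain YAML boolean `false` per Ansible convention.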