From 7bf98c441206e949e3f43ba3f662608c2f14ff81 Mon Sep 17 00:00:00 2001
From: nicoo <nicoo@realraum.at>
Date: Mon, 21 May 2018 14:02:28 +0200
Subject: [PATCH] roles/openwrt-image: Pin the LEDE release signing key

This addresses a security issue where an attacker with a key that GnuPG
considers valid (but doesn't claim to be LEDE's) can get their signature
accepted on malicious files.

This should also solve the issue equinox had with key validity.
---
 ansible/roles/openwrt-image/openwrt-keyring.gpg |  Bin 0 -> 1190 bytes
 ansible/roles/openwrt-image/tasks/fetch.yml     |    6 +++++-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/openwrt-image/openwrt-keyring.gpg

diff --git a/ansible/roles/openwrt-image/openwrt-keyring.gpg b/ansible/roles/openwrt-image/openwrt-keyring.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..f4cab0024d6edf286c1e26e31f7258b95000a949
GIT binary patch
literal 1190
zcmV;X1X=r;0u2OMeGLx*5CEo)A9Lbi7mYQ6P0EKO#W(PR2<MuTwN5i%iLGEsyec-0
z$Q!g5$RT@ehye5)9_!GDNpr7YC{2jIWCbN2vfJLzm~@gu*s2l_S=U>`;I@SQ+Sa1F
z(ql-g0oj#_bBXMb1{Y31=7l@191$S)8|97_<gEN=a6rxe{a@w#{Mk<lEsQOLS%xNM
zyGqAOwnAG1VGIf{%oI>Ie-h1Ced-z<=HW+xu}aGzU}J16RQwXWB5k~Q0ew{cJUK$Y
zL4NIfqPnW-ued@8bMc1bCarb6Wwk9*jb;o>OX;b3xWAnOpvHmyaGZ9nbCisT#Ra`k
zUa=%H;jnxE-Xoxjbbq}N+jSMB{e$qAAKmsJMk{?iVioQgLcf-<M<JXU;ZZ2Th|2G%
ztX^bpQ`TNguTprYNXWd{gOf;IZ(O`&e&EuGsriJ*7S+0$yH(G(pMsQiEv@w;*LFd^
zVTrO0rr)<KfC){$#o_WP#Q~p;v2M2kr<82v7!D$T_6FF5K-8S@2B1?|p69hj61woN
zmsb2Kv98aG8?q?y{4e@(y)&J|sQepd>!<ISuAVP&0Uk(IOB7ksC~8*!BZzJ1!9zOT
zqD%6fR|vezAcsrH2h^R+&6SU1FJ#h~E~lOXO>wXMtiw194`(?rHZ0;;g+$QaJ#CR>
zJ3yC!3!gXvEqeeF0RRECQ%prfMIcgTY-M3{WgtRzX>4R=av&%%H!d(SAR<y_VsCGB
zA|O*~XKrb3XCO;uc_|<~Y-MC+Eo5bOKx}DqbaO6jWn^V7aB^>IWn*+MZ*pfoi2^<Z
z69EDMC<OvoeGLx+8v_Li1Hxwj1`7!Y2Ll2I6$k<e3JU}l0s{d89svRufB*^!5Q98m
z5Y;QYYfNYl|7jcFtm+I+TVuoH>$~Vd3$h`S>k02ne1S|-K4IBkPl~*Y$S)usR7hw|
zZe=qJDCxes8Ng;go$9;#-f|xY%IWgRH5e32-4pz#-s8G9kw4tu+3VEFh%cnpDTJ3E
zXN@*wANrX{DQY*!`g$8F%L&pcV_!()KlH6e?yFXUDu`${8v4g=M0oL{9v!r(nz=_F
zcR;m^wROEcWTVKLDPdy5KSm`cs8<}6z>S|9c$M0xT#9qTFG<t|^+<(ITwKO_R@GqS
zyt+1}8?F{}Ratxt$?oSq3^=w{vFaP(xJu=1FZeYRdoofA_oDj>3Ed(x&?47+r-Lg7
z!b_O~YJ*!77n7YV`~1i?;Mma;8&;C8{jPEAAJY{;1@ew(cdJ18url+L$<W>LnjcnR
z`j3?mDKHZZ_{x_pUZg;9e29^O=D*6tVpJG(nP0P0U}rf!5og)c^h;6NjmM_mDs8*3
zWwnp!9B9oovQBFCGue9MM~BL67Ept4nX2h<Y_tzez~5<uoYMJ8AC5B=<XC|qMQ`A{
ze|5P{k}?DT<<tg2=|~Lq++fy|K_!tOU<UmBO)0wYMFvgu)r76J$L(>~pZozz74cuV
zw;9|r8Ob(k#Bi!5oX3UttYC71=|0Tm9~k1nE}^Vb!^#)f!B1(FGCQI-2$kxJ_r>Ex
EcBJkq8UO$Q

literal 0
HcmV?d00001

diff --git a/ansible/roles/openwrt-image/tasks/fetch.yml b/ansible/roles/openwrt-image/tasks/fetch.yml
index 4b5b1c8..f68c87d 100644
--- a/ansible/roles/openwrt-image/tasks/fetch.yml
+++ b/ansible/roles/openwrt-image/tasks/fetch.yml
@@ -21,7 +21,11 @@
         dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
 
     - name: Check OpenPGP signature
-      command: gpg --verify "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
+      command: >-
+        gpg2 --no-options --no-default-keyring --secret-keyring /dev/null
+             --verify --keyring "{{ role_path }}/openwrt-keyring.gpg"
+             --trust-model always
+             "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
       changed_when: False
 
     - name: Extract SHA256 hash of the imagebuilder archive
-- 
1.7.10.4