Release Signing
Signing Approach
OpenWrt uses both GnuPG and usign, a derivative of the OpenBSD signify utility.
The OPKG package manager uses usign Ed25519 signatures to verify repository metadata when installing packages, while release image files are usually signed by one or more developers with detached GPG signatures so that users can verify the integrity of installation files.
Our usign signature files carry the extension .sig, while the detached GPG signatures end with .asc or, in older releases, with the .gpg extension.
Note that not every file is signed individually; instead we sign the sha256sums file (or, for repositories, the Packages file) to establish a chain of trust: the SHA256 checksum verifies the integrity of the actual file, while the signature verifies the integrity of the file containing the checksums.
Verify download integrity
In order to verify the integrity of a firmware download you need to do the following steps:
- Download the sha256sums and sha256sums.asc files.
- Check the signature with gpg --with-fingerprint --verify sha256sums.asc sha256sums, ensure that the GnuPG command reports a good signature and that the fingerprint matches the ones listed on our fingerprints page.
- Download the firmware image into the same directory as the sha256sums file and verify its checksum using the following command: sha256sum -c --ignore-missing sha256sums
Developer Information
Developers participating in the LEDE project need to provide both GnuPG and usign public keys which are stored in the central keyring.git repository.
Refer to the key generation howto page for instructions on how to generate suitable signing keys.