The OPKG package manager uses usign (Ed25519) signatures to verify repository metadata when installing packages, while release image files are usually signed by one or more developers with detached GPG signatures so that users can verify the integrity of the installation files they download.
Our usign signature files carry the extension .sig, while the detached GPG signatures end with .asc or, in older releases, with the
Note that not every file is signed individually. Instead we sign the sha256sums file or, for repositories, the Packages file, to establish a chain of trust: the SHA256 checksum verifies the integrity of the actual file, while the signature verifies the integrity of the file containing the checksums. A matching checksum therefore proves nothing on its own; it only becomes meaningful once the signature on the checksum file has been verified against a known fingerprint, so the two checks have to be done in that order.
To verify the integrity of a firmware download, do the following:

1. Download the sha256sums file and its detached signature sha256sums.asc from the same download directory as the image.
2. Run gpg --with-fingerprint --verify sha256sums.asc sha256sums and ensure that GnuPG reports a good signature and that the fingerprint matches one of those listed on our fingerprints page. "Good signature" alone only means the signature is consistent with some key in your keyring; comparing the fingerprint is what ties it to the release signers. The signing key has to be imported into your keyring first, otherwise gpg reports that the public key was not found.
3. Download the firmware image into the same directory as the sha256sums file and verify its checksum using the following command:
   sha256sum -c --ignore-missing sha256sums
   The command prints OK for each listed file that is present and exits non-zero on a mismatch. Check the exit status rather than skimming the output: with --ignore-missing, listed files that are absent are skipped silently, and if none of them is found at all (for example because the image was renamed after download) sha256sum warns that no file was verified and fails as well.
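The procedure above as an added worked example, not code from the OpenWrt project or from this page: a small Python 3 script that implements both links of the chain of trust in the only meaningful order. It pins the signer by comparing the fingerprint from gpg's machine-readable --status-fd output against fingerprints obtained out of band (the fingerprints page), instead of grepping for the human-readable "Good signature" text, and then checks the image against the parsed sha256sums file, treating an image that is not listed at all as a failure rather than a silent skip. It assumes gpg is on the PATH and the release key has already been imported; the file names, the gpg status output and the fingerprints in the sample data are constructed for illustration and are not real OpenWrt keys or artifacts.

```python
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# One line of a coreutils-style sha256sums file: 64 hex digits, a space, then a
# space (text mode) or '*' (binary mode, as in the release directories), then the name.
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")
# gpg --status-fd keywords that mean the signature must not be trusted.
_FAILURE_STATUS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def parse_sha256sums(text):
    """Return {filename: hexdigest}; malformed lines are skipped like sha256sum(1)
    does, but a file with no usable line is rejected so it can never 'pass'."""
    sums = {}
    for line in text.splitlines():
        m = _SUMS_LINE.match(line.rstrip("\r"))
        if m:
            sums[m.group(2)] = m.group(1).lower()
    if not sums:
        raise ValueError("no well-formed checksum line found")
    return sums


def check_file_against_sums(image_path, sums_path):
    """Second link of the chain: the (signature-verified) sha256sums file vouches
    for the image. Like `sha256sum -c --ignore-missing` for one file, except that
    an unlisted image is an explicit failure (sha256sum: 'no file was verified')."""
    image_path = Path(image_path)
    expected = parse_sha256sums(Path(sums_path).read_text()).get(image_path.name)
    if expected is None:
        return False, "%s is not listed in %s" % (image_path.name, sums_path)
    if hashlib.sha256(image_path.read_bytes()).hexdigest() != expected:
        return False, "checksum mismatch for %s" % image_path.name
    return True, "OK"


def signing_fingerprints(gpg_status):
    """Fingerprints vouched for by gpg's status output. Only VALIDSIG means the
    signature checked out: its first field is the fingerprint of the (sub)key
    that signed, the optional last field that of the primary key."""
    fprs = set()
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in _FAILURE_STATUS:
            return set()
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            fprs.add(parts[2].upper())
            if len(parts) >= 12:
                fprs.add(parts[11].upper())
    return fprs


def fingerprint_is_trusted(gpg_status, trusted_fingerprints):
    """Pin the signer to fingerprints obtained out of band; accepts the spaced
    form shown on the fingerprints page as well as gpg's bare form."""
    trusted = {f.replace(" ", "").upper() for f in trusted_fingerprints}
    return bool(signing_fingerprints(gpg_status) & trusted)


def verify_signature(sig_path, data_path, trusted_fingerprints):
    """First link of the chain. Assumes gpg is on PATH and the release key is
    imported. Parses status lines rather than the locale-dependent human text."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--status-fd", "1",
         "--verify", str(sig_path), str(data_path)],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return fingerprint_is_trusted(proc.stdout, trusted_fingerprints)


def verify_firmware(image_path, sums_path, sig_path, trusted_fingerprints):
    """Whole chain, signature first: a checksum means nothing until the file
    carrying it has been authenticated."""
    if not verify_signature(sig_path, sums_path, trusted_fingerprints):
        return False, "signature on %s was not made by a trusted key" % sums_path
    return check_file_against_sums(image_path, sums_path)


# Constructed sample data: a stand-in image and an invented gpg status block.
# The fingerprints are made up for illustration and are not real OpenWrt keys.
SAMPLE_IMAGE = b"constructed stand-in for a firmware image\n"
SAMPLE_GPG_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Release Key <release@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 22 8 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def demo_checksums():
    """Checksum step on constructed files: intact, tampered, and unlisted (renamed) image."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        image, sums = d / "example-sysupgrade.bin", d / "sha256sums"
        image.write_bytes(SAMPLE_IMAGE)
        sums.write_text("%s *%s\n" % (hashlib.sha256(SAMPLE_IMAGE).hexdigest(), image.name))
        intact = check_file_against_sums(image, sums)[0]
        image.write_bytes(SAMPLE_IMAGE + b"\x00")  # one appended byte
        tampered = check_file_against_sums(image, sums)[0]
        renamed = d / "renamed.bin"
        renamed.write_bytes(SAMPLE_IMAGE)
        unlisted = check_file_against_sums(renamed, sums)[0]
    return intact, tampered, unlisted
```

After importing the release key, call verify_firmware("image.bin", "sha256sums", "sha256sums.asc", [fingerprint copied from the fingerprints page]); it refuses the checksum step entirely when the signature is missing, bad, or made by a key whose fingerprint is not on the list, so a TRUST_UNDEFINED line from gpg's own trust model does not matter. demo_checksums() exercises the checksum step offline and returns (True, False, False) for the intact, tampered and unlisted cases.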