@KA2107 reported that opkg is not able to verify the artifact signatures
produced by buildbot using the usign 24.10 release keys. So let's fix it
by actually adding the 24.10 usign key with d310c6f2833e97f7 fingerprint
into the openwrt-keyring package.

Fixes: #16850
Reported-by: @KA2107
Fixes: a535cfc09e ("openwrt-keyring: add OpenWrt 24.10 release build usign key")
References: 2d03f27f0f ("openwrt-keyring: make opkg use 22.03 usign key")
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [commit description]
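
The failure this commit fixes, as an added Python example that is not part of the commit or of the usign/opkg sources: the signer's key is looked up in the keyring by the fingerprint embedded in the signature, so a keyring without that key cannot verify anything it signed. It assumes the signify-style layout (2-byte `Ed` tag, 8-byte fingerprint, then key or signature bytes) and models the key directory as a dict of file name (hex fingerprint) to contents; the key and signature bytes are constructed zeros and no Ed25519 check is performed.

```python
import base64

KEY_LEN, SIG_LEN = 32, 64  # Ed25519 public key / signature sizes


def parse_usign(text):
    """Split a usign key or signature file into (fingerprint_hex, payload)."""
    lines = text.strip().splitlines()
    if len(lines) != 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("not a usign key or signature file")
    raw = base64.b64decode(lines[1], validate=True)
    if raw[:2] != b"Ed" or len(raw) - 10 not in (KEY_LEN, SIG_LEN):
        raise ValueError("unexpected algorithm tag or length")
    return raw[2:10].hex(), raw[10:]


def select_key(sig_text, keyring):
    """Return the keyring entry name able to check sig_text, or None."""
    sig_fp, sig = parse_usign(sig_text)
    if len(sig) != SIG_LEN:
        raise ValueError("not a signature")
    key_text = keyring.get(sig_fp)
    if key_text is None:
        return None  # signer's key is not a trust anchor: verification fails
    key_fp, pub = parse_usign(key_text)
    if key_fp != sig_fp or len(pub) != KEY_LEN:
        raise ValueError("file name and embedded fingerprint disagree")
    return sig_fp


def make_blob(fp_hex, payload_len, comment):
    """Constructed sample: real layout, all-zero key/signature bytes."""
    raw = b"Ed" + bytes.fromhex(fp_hex) + bytes(payload_len)
    return "untrusted comment: %s\n%s\n" % (comment, base64.b64encode(raw).decode())


RELEASE_FP = "d310c6f2833e97f7"   # fingerprint named in the commit message
OTHER_FP = "0123456789abcdef"     # constructed placeholder fingerprint

signature = make_blob(RELEASE_FP, SIG_LEN, "signed by key " + RELEASE_FP)
keyring_before = {OTHER_FP: make_blob(OTHER_FP, KEY_LEN, "constructed key")}
keyring_after = dict(keyring_before)
keyring_after[RELEASE_FP] = make_blob(RELEASE_FP, KEY_LEN, "constructed key")

if __name__ == "__main__":
    print("before fix:", select_key(signature, keyring_before))
    print("after fix: ", select_key(signature, keyring_after))
```

The final check in `select_key` rejects a key file whose name does not match the fingerprint stored inside it, which is worth auditing whenever keys are added to a keyring by hand.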

apk/openwrt-snapshots.pem contains an Elliptic Curve based public key which
is going to be used for signing of apk's package.adb package indexes
after the builds using `apk adbsign --sign-key <key> packages.adb`
command on the buildbot.

References: https://github.com/openwrt/buildbot/pull/46
Link: https://github.com/openwrt/openwrt/pull/16539
Signed-off-by: Petr Štetiar <ynezz@true.cz>

When using zst instead of xz, the hash changes. This commit fixes the
hash for packages and tools in core.

Signed-off-by: Paul Spooren <mail@aparcar.org>

Different from OPKG, APK uses a deterministic version schema which chips
the version into chunks and compares them individually. This enforces a
certain schema which was previously entirely flexible.

- Releases are added at the very end, prefixed with an `r`, like
  `1.2.3-r3`.
- Hashes are prefixed with a `~`, like `1.2.3~abc123`.
- Dates become semantic versions, like `2024.04.01`.
- Extra tags are possible, like `_git`, `_alpha` and more.

For full details see the APK test list:
https://gitlab.alpinelinux.org/alpine/apk-tools/-/blob/master/test/version.data

Signed-off-by: Paul Spooren <mail@aparcar.org>

Instead of adding all public signature keys from the openwrt-keyring
repository only add the key which is used to sign the master feeds.
If one of the other keys would be compromised this would not affect
users of master snapshot builds.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>