Make it possible to verify the signature of an installed image
Open, LowPublic
Actions

Assigned To

Authored By

	dmbaturin
	Sep 11 2023, 7:34 AM

Description

As of now, signatures are completely external to the release — we sign the image file when we build it, so that everyone can verify the integrity of downloaded files.

However, it's impossible to verify that an installed system was created from a signed image. Since VyOS uses an immutable SquashFS image in installations, it's very much possible to do.

There are two possible options I see:

Sign the SquashFS image file and place the signature in /boot on installation.
Sign the version.json file and place the signature inside the SquashFS image.

Those options are not mutually exclusive. Signed version.json is easier to verify for a user, but only signing the entire image protects is from modification. We may want to do both.

It's also a question whether we should introduce a new subtree like verify or add the command to the show subtree, like:

run show system image integrity <minisign public key>

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Improvement (missing useful functionality)

Event Timeline

dmbaturin created this task.Sep 11 2023, 7:34 AM

pasik added a subscriber: pasik.Sep 11 2023, 7:58 AM

Apachez added a subscriber: Apachez.Sep 11 2023, 8:53 AM

aga added a subscriber: aga.Sep 11 2023, 7:08 PM

dmbaturin edited projects, added VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta.Fri, Apr 12, 2:29 PM

Make it possible to verify the signature of an installed imageOpen, LowPublicActions

Description

Details

Event Timeline

Make it possible to verify the signature of an installed image
Open, LowPublic
Actions