And those package repo sha256 checksums are signed and verified with ed25519 by usign and ucert (with a key built into the firmware) usign: https://git.openwrt.org/project/usign.git ucert:…
It's definitely an issue that the sha256 checksum check was broken. But, can someone explain why a person who is MITM'ing ipk downloads would change the package and not the checksum? Are there GPG signatures of the…
And those package repo sha256 checksums are signed and verified with ed25519 by usign and ucert (with a key built into the firmware) usign: https://git.openwrt.org/project/usign.git ucert:…
It's definitely an issue that the sha256 checksum check was broken. But, can someone explain why a person who is MITM'ing ipk downloads would change the package and not the checksum? Are there GPG signatures of the…