Using GPG to authenticate libreCMC images

If you are in a high-security environment or otherwise want to be sure of the firmware you run, you can authenticate the images built by the libreCMC project before flashing or upgrading to a new version. We normally recommend using the images from the OEM ISO, but these are NOT signed. They ship only with a sha256sum file, which is good for detecting corruption but does nothing to establish authenticity: anyone who can replace the image can replace the checksum next to it. The OEM images are primarily intended for ease of use and contain additional packages for mesh networking and WireGuard to make setting up those services easier, but the same packages can be installed from the libreCMC repository, so there is no loss of functionality if you choose to authenticate and use the non-OEM images.

In this demonstration of how to authenticate libreCMC images we download the images directly from the librecmc.org site and NOT from the OEM ISO. We use the images for the TPE-R1400 gigabit router, but the same steps apply to the images for other routers, including the TPE-R1300, TPE-R1200, and TPE-R1100 wireless models.

Each release directory contains a sha256sums file that is signed by the lead developer of the libreCMC project. The signature is detached, in the file sha256sums.asc. We will need both of these files, the lead developer's public key, and the image for the router we want to authenticate.

For the TPE-R1400 model router you can download the images here:

https://librecmc.org/librecmc/downloads/snapshots

Go to the version you want, example v6.1

Then click targets > rockchip > armv8.

Note: For the TPE-R1100, TPE-R1200, and TPE-R1300 you would click targets > ath79 > generic.

We're now going to download the image, sha256sums file, and the sha256sums.asc file:

Open a terminal and run the following commands:

mkdir librecmc-images
cd librecmc-images

wget https://librecmc.org/librecmc/downloads/snapshots/v6.1/targets/rockchip/...
wget https://librecmc.org/librecmc/downloads/snapshots/v6.1/targets/rockchip/...
wget https://librecmc.org/librecmc/downloads/snapshots/v6.1/targets/rockchip/...

(for the TPE-R1300 we'd grab the librecmc-ath79-generic-thinkpenguin_tpe-r1300-squashfs-sysupgrade.bin image and the sha256sums and sha256sums.asc file)

Next we're going to visit the contact page and grab the fingerprint of the lead developer's key: https://librecmc.org/contact.html

Fingerprint : DE0A 8D01 5F03 409C F11D AE55 979B 9775 C7D8 655C

We're going to search for this fingerprint using the terminal:

gpg --search-keys "DE0A 8D01 5F03 409C F11D AE55 979B 9775 C7D8 655C"

Partial output:

(1) Robert Call (RISCi_ATOM)
Robert Call (RISCi_ATOM)
Robert Call (RISCi_ATOM)
4096 bit RSA key 979B9775C7D8655C, created: 2015-09-16

We care about this part:

4096 bit RSA key 979B9775C7D8655C,

This is the 64-bit key ID, the last 16 hex digits of the fingerprint. Import the developer's key from the keyserver using it:

gpg --recv-keys 979B9775C7D8655C

(gpg also accepts the abbreviated spelling --recv-key.) A 64-bit key ID is short enough that someone can generate a different key with the same ID, so the ID alone proves nothing. What you are actually relying on is the full 40-hex-digit fingerprint from the contact page: you can pass it (spaces removed) to --recv-keys in place of the key ID to ask for exactly that key, and it is the value you compare against the contact page once the signature is verified below.

Now we can verify that the sha256sums file carries a valid signature from the lead developer of the libreCMC project. sha256sums.asc is a detached signature, so gpg needs the signed file as well; if you give it only the .asc file it looks for a file of the same name without the .asc suffix in the current directory. Naming the signed file explicitly avoids any guesswork:

gpg --verify sha256sums.asc sha256sums

Output:

gpg: Good signature from "Robert Call (RISCi_ATOM) " [unknown]

You should see a line like the above if all is good. The [unknown] describes the key's trust level in your keyring, not the validity of the signature: you have not certified the key yourself, so gpg will also print "WARNING: This key is not certified with a trusted signature!". That is expected. The check that matters is that the fingerprint gpg reports for the signing key on the "Primary key fingerprint:" line is the one published on the contact page.

If instead you get a BAD signature message, it may be because you skipped the step of creating a new directory and cd'ing into it. You might have been in a directory that already held a sha256sums file from some other distribution or program. In that case wget keeps the old file and saves the new one with a number appended (sha256sums.1), and gpg then checks the signature against the wrong file. If you blindly copied and pasted the wget lines you may also get a failure because the files never downloaded: type wget yourself and then paste the link, because highlighting the link on the page copies only the visible part of it.

You may also want to check the 'Signature made' date and make sure it is reasonably recent.

gpg: Signature made Mon 12 Aug 2024 01:08:28 AM EDT

I'm checking the signature in October of 2024 and the signature is from August of 2024. This makes sense, as there is typically a new release every 4 months or so. A signature does not go stale on its own: an old sha256sums file and its .asc still verify as Good long after a newer release is out, so an out-of-date signature may mean someone is trying to get you to install an old release of libreCMC that contains vulnerabilities patched in newer releases. If the date looks old, compare the version you downloaded against the newest one listed on the downloads page.

Next we're going to make sure the sha256 hash of the image matches what it is supposed to be according to the signed sha256sums file.

In the terminal run:

sha256sum librecmc-rockchip-armv8-thinkpenguin_tpe-r1400-ext4-sysupgrade.img.gz

Example output:

3a71e0895aa2475d7c1766f667873f610943c174a8ec04c2b97c47cccee97b6a librecmc-rockchip-armv8-thinkpenguin_tpe-r1400-ext4-sysupgrade.img.gz

Next locate the line with librecmc-rockchip-armv8-thinkpenguin_tpe-r1400-ext4-sysupgrade.img.gz on it in the sha256sums file:

cat sha256sums

Output line we are looking for:

3a71e0895aa2475d7c1766f667873f610943c174a8ec04c2b97c47cccee97b6a *librecmc-rockchip-armv8-thinkpenguin_tpe-r1400-ext4-sysupgrade.img.gz

The output of the sha256sum command matches the entry in the sha256sums file for the librecmc-rockchip-armv8-thinkpenguin_tpe-r1400-ext4-sysupgrade.img.gz image (the leading * in the sha256sums entry is sha256sum's binary-mode marker, not part of the file name). Because the sha256sums file is signed by the key whose fingerprint you checked against the contact page, and the hash matches, the image is the one the project published and has not been tampered with by any third party since it was signed. Only an image that passes both checks should be flashed.
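The whole procedure above collected into one script, as an added example that is not part of the libreCMC project or of this guide's original text. It assumes the image, sha256sums and sha256sums.asc are already in the current directory and that the developer's key has been imported with gpg --recv-keys; the fingerprint is the one from the contact page, and the 180-day freshness threshold is a hypothetical choice derived from the "release every 4 months or so" remark. Rather than matching the human-readable "Good signature" text it reads gpg's machine-readable --status-fd lines, compares the full primary-key fingerprint instead of the short key ID, and hands only the matching sha256sums line to sha256sum -c.

```sh
#!/bin/sh
# Added example, not the libreCMC project's own tooling.  Wraps the manual
# steps from this guide into reusable checks.  Assumes sha256sums,
# sha256sums.asc and the image are in the current directory and that the
# developer's key has already been imported with gpg --recv-keys.
set -u

# Fingerprint published at https://librecmc.org/contact.html
EXPECTED_FPR="DE0A 8D01 5F03 409C F11D AE55 979B 9775 C7D8 655C"
# Hypothetical threshold: releases come roughly every 4 months, so a
# signature older than this deserves a look at the downloads page.
MAX_SIG_AGE_DAYS=180

# Strip the spaces shown on the contact page and upper-case the hex so the
# fingerprint can be compared byte for byte with gpg's output.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Does the key selected by $1 (key ID, fingerprint or user ID) in the local
# keyring have full fingerprint $2?  Compares all 40 hex digits; the 16-digit
# key ID shown by --search-keys is too short to rely on.
key_matches_fpr() (
    want=$(norm_fpr "$2")
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }' | grep -qx "$want"
)

# Verify detached signature $2 over file $1 and require that the signing
# key's primary fingerprint equals $3.  Reads gpg's machine-readable status
# lines instead of the human-readable "Good signature" text.  On success
# prints the signature timestamp (seconds since the epoch).
verify_sums() (
    want=$(norm_fpr "$3")
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # [GNUPG:] VALIDSIG <sig-key-fpr> <date> <timestamp> <expiry> ... <primary-fpr>
    printf '%s\n' "$status" | awk -v want="$want" '
        $2 == "VALIDSIG" && toupper($NF) == want { print $5; ok = 1 }
        END { exit ok ? 0 : 1 }'
)

# Age of a signature in whole days, given its epoch timestamp.
sig_age_days() {
    echo $(( ( $(date +%s) - $1 ) / 86400 ))
}

# Is image $2 listed in sha256sums file $1 with a matching hash?  Entries use
# the "hash *name" layout (the * is sha256sum's binary-mode marker); only the
# matching line is handed to sha256sum -c, so unrelated entries cannot mask
# a mismatch.  Fails if the image is not listed at all.
verify_image() (
    awk -v img="$2" '{ name = $2; sub(/^\*/, "", name); if (name == img) print }' "$1" \
        | sha256sum -c --status
)

# Full check for one image: key present with the expected fingerprint,
# signature valid and made by that key, signature not stale, hash matches.
check_release() (
    img=$1 fpr=$2
    key_matches_fpr "$(norm_fpr "$fpr")" "$fpr" \
        || { echo "no key with fingerprint $fpr in keyring" >&2; return 1; }
    ts=$(verify_sums sha256sums sha256sums.asc "$fpr") \
        || { echo "sha256sums: bad signature or signed by a different key" >&2; return 1; }
    age=$(sig_age_days "$ts")
    [ "$age" -le "$MAX_SIG_AGE_DAYS" ] \
        || { echo "signature is $age days old; check for a newer release" >&2; return 1; }
    verify_image sha256sums "$img" \
        || { echo "$img is missing from sha256sums or its hash differs" >&2; return 1; }
    echo "OK: $img is covered by a valid signature from $fpr made $age days ago"
)

# Usage, from inside the librecmc-images directory:
#   sh verify-librecmc.sh librecmc-rockchip-armv8-thinkpenguin_tpe-r1400-ext4-sysupgrade.img.gz
if [ $# -eq 1 ]; then
    check_release "$1" "$EXPECTED_FPR"
fi
```

The exit status of check_release is the verdict, so it can gate an automated sysupgrade; every failure reason goes to stderr. Note that the key-presence check and the VALIDSIG fingerprint check both compare the full fingerprint: a key that merely shares the 979B9775C7D8655C key ID would be rejected at either step.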