OpenWrt uses both GnuPG and usign, a derivative of the OpenBSD signify utility.
The OPKG package manager uses usign Ed25519 signatures to verify repository metadata when installing packages while release image files are usually signed by one or more developers with detached GPG signatures to allow users to verify the integrity of installation files.
Our usign signature files carry the extension .sig while the detached GPG signatures end with .asc or, in older releases, with the .gpg extension.
Note that not every file is signed individually; instead we sign the sha256sums file (or, for repositories, the Packages file) to establish a chain of trust: the SHA256 checksum verifies the integrity of the actual file, while the signature verifies the integrity of the file containing the checksums.
In order to verify the integrity of a firmware download you need to do the following steps:

1. Download the sha256sums and sha256sums.asc files.
2. Run gpg --with-fingerprint --verify sha256sums.asc sha256sums, ensure that the GnuPG command reports a good signature and that the fingerprint matches the ones listed on our fingerprints page.
3. Download the firmware image next to the sha256sums file and verify its checksum using the following command: sha256sum -c --ignore-missing sha256sums

Developers participating in the LEDE project need to provide both GnuPG and usign public keys, which are stored in the central keyring.git repository.
Refer to the key generation howto page for instructions on how to generate suitable signing keys.
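The two-stage check described in the verification steps above (detached GPG signature over sha256sums first, then the SHA256 checksum of the image), written out as an added example; this is not OpenWrt project code. It wraps the real gpg binary for stage 1 and reimplements what sha256sum -c --ignore-missing does for stage 2 so the logic is visible. The fingerprint in TRUSTED_FINGERPRINTS and the image file name in demo() are constructed placeholders, not real OpenWrt values; the real fingerprints come from the project's fingerprints page.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

# Constructed placeholder, NOT a real OpenWrt developer key.
TRUSTED_FINGERPRINTS = ["0000 1111 2222 3333 4444  5555 6666 7777 8888 9999"]


def parse_gpg_status(status_lines, trusted_fingerprints):
    """Interpret `gpg --status-fd 1` output. Return the signing key's
    fingerprint only if gpg reported GOODSIG and VALIDSIG and that fingerprint
    is pinned in trusted_fingerprints; any bad/expired/revoked/unknown-key
    verdict yields None. A good signature from an unknown key is not enough,
    which is why the text asks you to compare against the fingerprints page."""
    good, fpr = False, None
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and len(parts) >= 3:
            fpr = parts[2].upper()
        elif tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            return None
    trusted = {f.replace(" ", "").upper() for f in trusted_fingerprints}
    return fpr if good and fpr in trusted else None


def verify_sums_signature(sums_path, sig_path, trusted_fingerprints):
    """Stage 1: detached signature (sha256sums.asc) over sha256sums.
    Needs the gpg binary and the developer keys imported into the keyring."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", str(sig_path), str(sums_path)],
        capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout.splitlines(), trusted_fingerprints)


def parse_sha256sums(text):
    """Parse sha256sum's 'digest *name' (binary) / 'digest  name' lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not name:
            raise ValueError("malformed sha256sums line: %r" % line)
        entries[name] = digest.lower()
    return entries


def check_sha256sums(directory, sums_text, ignore_missing=True):
    """Stage 2: equivalent of `sha256sum -c --ignore-missing sha256sums`.
    Returns (ok, report); report maps each listed name to OK/FAILED/MISSING.
    As with sha256sum, ok is False if no listed file could be checked at all."""
    report = {}
    for name, expected in parse_sha256sums(sums_text).items():
        path = Path(directory) / name
        if not path.is_file():
            report[name] = "MISSING"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        report[name] = "OK" if h.hexdigest() == expected else "FAILED"
    checked = [s for s in report.values() if s != "MISSING"]
    ok = bool(checked) and all(s == "OK" for s in checked)
    if not ignore_missing and "MISSING" in report.values():
        ok = False
    return ok, report


def verify_firmware_download(directory, trusted_fingerprints=TRUSTED_FINGERPRINTS):
    """Full chain of trust: authenticate sha256sums first, only then trust the
    checksums it carries. Checking the image hash before the signature proves
    nothing, since an attacker who swaps the image can swap the sums file too."""
    directory = Path(directory)
    signer = verify_sums_signature(directory / "sha256sums",
                                   directory / "sha256sums.asc",
                                   trusted_fingerprints)
    if signer is None:
        return False, "sha256sums signature invalid or signing key not trusted"
    return check_sha256sums(directory, (directory / "sha256sums").read_text())


def demo():
    """Stage-2 walk-through on constructed files (no gpg required): one image
    whose checksum matches, one listed file not downloaded, then the same image
    after a one-byte modification."""
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "openwrt-example-sysupgrade.bin"  # constructed name
        image.write_bytes(b"\x00firmware-bytes\x01")
        digest = hashlib.sha256(image.read_bytes()).hexdigest()
        sums = "%s *%s\n%s *not-downloaded.bin\n" % (digest, image.name, "0" * 64)
        ok_before, report = check_sha256sums(d, sums)
        image.write_bytes(b"\x00firmware-bytes\x02")  # tampered image
        ok_after, _ = check_sha256sums(d, sums)
        return ok_before, report, ok_after
```

Run verify_firmware_download("path/to/download/dir") against a directory holding the image, sha256sums and sha256sums.asc; it returns (True, report) only when both stages pass. The `--ignore-missing` behaviour is deliberate: the sha256sums file lists every image for a target, and you normally download just one of them.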