It's definitely an issue that the sha256 checksum check was broken.
But, can someone explain why a person who is MITM'ing ipk downloads would change the package and not the checksum?
Are there GPG signatures of the package checksums signed with a key that ships with the release?
Are package repos downloaded over HTTPS? Is there a CA bundle in the release with which repo X.509 certs are validated?
The SHA-2 checksums to verify packages against are delivered as part of the (signed) package index (as the article alludes to).
usign: https://git.openwrt.org/project/usign.git
ucert: https://git.openwrt.org/project/ucert.git
Firmware releases are also signed with GPG: https://openwrt.org/docs/guide-user/security/release_signatu...
openwrt/openwrt: https://github.com/openwrt/openwrt
openwrt/packages: https://github.com/openwrt/packages
openwrt/openwrt/search?q="usign" https://github.com/openwrt/openwrt/search?q=usign
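The per-package step the reply above describes (the SHA-256 from the signed Packages index compared against the downloaded .ipk), as an added Python example that is not opkg's or OpenWrt's code. It assumes the Packages index text has already passed its usign signature check (that step is not shown), and the index stanzas and package bytes are constructed for the example. The point it adds is the fail-closed behaviour a verifier wants: a missing or malformed SHA256sum field is a rejection, never a silent skip.

```python
"""Verify an .ipk against the SHA256sum recorded in a signed opkg Packages index.

Added example, not opkg's or OpenWrt's code. Assumes the index text was
already verified with usign; only the per-package checksum step is modelled.
All index entries and package bytes below are constructed for this example.
"""
import hashlib
import hmac


def parse_packages_index(text):
    """Parse the stanza-per-package Packages list into {name: {field: value}}."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields:
            entries[fields["Package"]] = fields
    return entries


def check_package(index_text, name, ipk_bytes):
    """Return (True, "ok") only if the package matches its index entry.

    Fails closed: an entry without a usable 64-hex-digit SHA256sum is rejected
    rather than installed unchecked.
    """
    entries = parse_packages_index(index_text)
    entry = entries.get(name)
    if entry is None:
        return False, "package %s not in index" % name

    expected = entry.get("SHA256sum", "").lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False, "index entry has no usable SHA256sum; refusing to install"

    # Size is a cheap pre-check; a mismatch means the download is not what the
    # index describes, whatever the hash says.
    size = entry.get("Size")
    if size is not None and size.isdigit() and int(size) != len(ipk_bytes):
        return False, "size mismatch: got %d, index says %s" % (len(ipk_bytes), size)

    actual = hashlib.sha256(ipk_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "sha256 mismatch: %s != %s" % (actual, expected)
    return True, "ok"


# Constructed sample data: one well-formed entry and one with no checksum field.
GOOD_IPK = b"constructed-ipk-contents-for-the-example"
INDEX_TEXT = """Package: example
Version: 1.0-1
Filename: example_1.0-1_all.ipk
Size: %d
SHA256sum: %s

Package: broken
Version: 1.0-1
Filename: broken_1.0-1_all.ipk
Size: 3
""" % (len(GOOD_IPK), hashlib.sha256(GOOD_IPK).hexdigest())


if __name__ == "__main__":
    print(check_package(INDEX_TEXT, "example", GOOD_IPK))
    print(check_package(INDEX_TEXT, "example", b"x" * len(GOOD_IPK)))
    print(check_package(INDEX_TEXT, "broken", b"abc"))
```

Because the expected digest comes from the signed index, an attacker who can only rewrite the .ipk in transit is caught at the hash comparison; one who also rewrites the index entry is caught earlier by the usign check on the index, which is why the hash field alone does not need to be signed per package.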