Medkit issue: "Signature check failed. Remove wrong Signature file." with `opkg update`
(FYI: I first reported this on the forum. This is an edited version of the original, incorporating the resolution and some other stuff. I downloaded the medkit on 2024-06-03, but version data is also given below!)
The issue (symptoms)
Hi, I downloaded the latest medkit to reset a Turris Omnia (original model with 1 GiB of RAM) which I hadn't used in a while. Configured all the basics through the web interface then.
After that I attempted `opkg update` and was immediately met with errors:
```
root@turris:~# opkg update
Downloading https://repo.turris.cz/hbl/omnia/packages/core/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_core
Downloading https://repo.turris.cz/hbl/omnia/packages/core/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbl/omnia/packages/base/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_base
Downloading https://repo.turris.cz/hbl/omnia/packages/base/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbl/omnia/packages/cesnet/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_cesnet
Downloading https://repo.turris.cz/hbl/omnia/packages/cesnet/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbl/omnia/packages/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_luci
Downloading https://repo.turris.cz/hbl/omnia/packages/luci/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbl/omnia/packages/node/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_node
Downloading https://repo.turris.cz/hbl/omnia/packages/node/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbl/omnia/packages/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_packages
Downloading https://repo.turris.cz/hbl/omnia/packages/packages/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbl/omnia/packages/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_routing
Downloading https://repo.turris.cz/hbl/omnia/packages/routing/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbl/omnia/packages/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_telephony
Downloading https://repo.turris.cz/hbl/omnia/packages/telephony/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbl/omnia/packages/turrispackages/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_turrispackages
Downloading https://repo.turris.cz/hbl/omnia/packages/turrispackages/Packages.sig
Signature check failed.
Remove wrong Signature file.
```
Upon further investigation and finding a script (and unfortunately also removing wget-ssl based on advice in the OpenWRT forum), I was able to investigate this a little further.
I manually downloaded the following two files into `/tmp`:
```
wget https://repo.turris.cz/hbl/omnia/packages/turrispackages/Packages.{gz,sig}
```
... and attempted the steps evident from said script, after unpacking Packages from Packages.gz.
The result was the following error:
```
# usign -V -P /etc/opkg/keys -m /tmp/Packages
Cannot open file '/etc/opkg/keys/b4140d4dba7ec90e' for reading
```
which to me suggests that there should be a key with that fingerprint/ID (i.e. `b4140d4dba7ec90e`) which isn't present on my system.
Where does this key come from? What's the procedure to establish trust with previously not known keys?
System information
I reckon the following is also relevant:
```
# cat /etc/os-release
NAME="TurrisOS"
VERSION="7.0.0"
ID="turrisos"
ID_LIKE="lede openwrt"
PRETTY_NAME="TurrisOS 7.0.0"
VERSION_ID="7.0.0"
HOME_URL="https://www.turris.cz/"
BUG_URL="https://gitlab.nic.cz/groups/turris/-/issues/"
SUPPORT_URL="https://www.turris.cz/support/"
BUILD_ID="r20300+124-3547565f24"
OPENWRT_BOARD="mvebu/cortexa9"
OPENWRT_ARCH="arm_cortex-a9_vfpv3-d16"
OPENWRT_TAINTS="busybox"
OPENWRT_DEVICE_MANUFACTURER="CZ.NIC"
OPENWRT_DEVICE_MANUFACTURER_URL="https://www.turris.cz/"
OPENWRT_DEVICE_PRODUCT="Turris Omnia"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="TurrisOS 7.0.0 3547565f245479dc1643ea66828fb55635d49051"
```
Resolution
Provided by forum user @AreYouLoco:
> It was reported already. Latest medkit points to HBL repos. Replace `hbl` with `hbs` in `/etc/opkg/distfeeds.conf` and it should work as expected

And indeed `sed -i 's|hbl|hbs|g' /etc/opkg/distfeeds.conf` solved it for me.
Additional stuff
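Just for the benefit of whoever also removed `wget-ssl` as I did. The following adjusted script should fix it (original here):
```sh
#!/bin/sh
# Re-fetch every opkg feed list and verify its usign signature.
set -euo pipefail

readonly LISTDIR=/tmp/opkg-lists
rm -f -R -- "$LISTDIR" ||:
mkdir -p -- "$LISTDIR"

# Each line of distfeeds.conf has the form: <type> <feed name> <base URL>
while read -r TYPE REPO URL; do
    # Fetch the package index and its detached signature.
    for ext in gz sig; do
        ( set -x; uclient-fetch -q -O "$LISTDIR/$REPO.$ext" "$URL/Packages.$ext" )
    done
    # usign verifies the uncompressed index against "$LISTDIR/$REPO.sig".
    gzip -kd "$LISTDIR/$REPO.gz"
    if usign -V -P /etc/opkg/keys -m "$LISTDIR/$REPO" 2>&1 | grep -e "^OK$"; then
        # Verified: store the compressed list under the feed name.
        ( set -x; mv -f -- "$LISTDIR/$REPO.gz" "$LISTDIR/$REPO" )
    else
        echo "FATAL: Signature verification failed:"
        # Re-run without the filter to show usign's error message.
        ( set -x; usign -V -P /etc/opkg/keys -m "$LISTDIR/${REPO}" )
    fi
done < /etc/opkg/distfeeds.conf
```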
This uses `uclient-fetch` instead of `wget` to fetch the files. It also makes some of the logic a little more robust and a little more verbose (thanks to `set -x` showing the executed commands).
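
Added example (not part of the original report or of Turris/OpenWrt code): the `usign` error above names the key file it looked for, and the same key ID can be read directly from a `Packages.sig` to tell whether a feed is signed by a key that is absent from `/etc/opkg/keys`. It assumes the signify-compatible signature layout used by usign and that `base64` and `od` are available; `sig_keyid`, `feed_key_status` and `make_sample_sig` are hypothetical helper names, and the sample signature is constructed.

```shell
#!/bin/sh
# Added example: which key does a Packages.sig expect, and is it trusted locally?

# Signature file layout: line 1 is an "untrusted comment:", line 2 is base64 of
# 2 bytes algorithm ("Ed") + 8 bytes key ID + 64 bytes signature.
sig_keyid() {
    sed -n '2p' "$1" | base64 -d 2>/dev/null \
        | od -An -tx1 -j2 -N8 2>/dev/null | tr -d ' \n'
}

# Print "trusted <id>", "missing <id>" or "malformed" for one signature file.
# usign -P looks up the public key as <keydir>/<id>, as the error above shows.
feed_key_status() {
    id=$(sig_keyid "$1")
    keydir=${2:-/etc/opkg/keys}
    case "$id" in
        *[!0-9a-f]*) echo "malformed"; return 2 ;;
    esac
    if [ "${#id}" -ne 16 ]; then
        echo "malformed"; return 2
    fi
    if [ -r "$keydir/$id" ]; then
        echo "trusted $id"
    else
        echo "missing $id"; return 1
    fi
}

# Constructed sample: key ID taken from the error message in the report,
# signature bytes all zero (it will not verify, it only carries the ID).
make_sample_sig() {
    {
        echo "untrusted comment: constructed sample"
        { printf 'Ed\264\024\015\115\272\176\311\016'; head -c 64 /dev/zero; } \
            | base64 | tr -d '\n'
        echo
    } > "$1"
}

# Demo against an empty, temporary key directory.
demo_dir=$(mktemp -d)
make_sample_sig "$demo_dir/Packages.sig"
mkdir "$demo_dir/keys"
feed_key_status "$demo_dir/Packages.sig" "$demo_dir/keys" || true
rm -rf -- "$demo_dir"
```

A "missing" result means the feed is signed by a key the image does not ship, which is the situation the resolution addresses by pointing `distfeeds.conf` at a different branch.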