Skip to content

Adding support for openssl code-signing verification

Adding support for openssl code-signing verification. This enables used to choose between PGP signatures or openssl code-signing verification for binary blobs.

This requires openssl in packages.x86_64 to work:

Helper functionality for signing:

Example usage of openssl CMS signature verification: To sign with openssl cms:

openssl cms -sign -binary -noattr -in "/root/arch/x86_64/airootfs.sfs" -signer "codesigning.cert.pem" -inkey "codesigning.key" -certfile "intermediate.cert.pem" -outform DER -out "/root/arch/x86_64/airootfs.sfs.cms.sig"

To verify that the file is signed with the codesigning/emailProtection certificate (-noverify makes it so we don't chec kthe trust chain):

openssl cms -verify -binary -noattr -noverify -nointern -certfile "codesigning.cert.pem" -in "/root/arch/x86_64/airootfs.sfs.cms.sig" -content "/root/arch/x86_64/airootfs.sfs" -inform DER -out /dev/null

To verify that the file is signed by codesigning/emailProtection certificate that is signed by a CA:

openssl cms -verify -binary -noattr -in "/root/arch/x86_64/airootfs.sfs.cms.sig" -content "/root/arch/x86_64/airootfs.sfs" -inform DER -purpose any -out /dev/null

We add -purpose any because a "bug" in openssl requires emailProtection to be set in the code signing certificate to work. (for instance you can sign it with a webbcert or usercert), see github issue:

Edited by Anton Hvornum

Merge request reports

Loading