Adding support for openssl code-signing verification
Adding support for openssl code-signing verification. This enables used to choose between PGP signatures or openssl code-signing verification for binary blobs.
This requires openssl in packages.x86_64 to work:
Helper functionality for signing:
Example usage of openssl CMS signature verification:
To sign with openssl cms
:
openssl cms -sign -binary -noattr -in "/root/arch/x86_64/airootfs.sfs" -signer "codesigning.cert.pem" -inkey "codesigning.key" -certfile "intermediate.cert.pem" -outform DER -out "/root/arch/x86_64/airootfs.sfs.cms.sig"
To verify that the file is signed with the codesigning/emailProtection certificate (-noverify
makes it so we don't chec kthe trust chain):
openssl cms -verify -binary -noattr -noverify -nointern -certfile "codesigning.cert.pem" -in "/root/arch/x86_64/airootfs.sfs.cms.sig" -content "/root/arch/x86_64/airootfs.sfs" -inform DER -out /dev/null
To verify that the file is signed by codesigning/emailProtection certificate that is signed by a CA:
openssl cms -verify -binary -noattr -in "/root/arch/x86_64/airootfs.sfs.cms.sig" -content "/root/arch/x86_64/airootfs.sfs" -inform DER -purpose any -out /dev/null
We add -purpose any
because a "bug" in openssl requires emailProtection
to be set in the code signing certificate to work. (for instance you can sign it with a webbcert or usercert), see github issue: