Adding support for openssl code-signing verification (!24) · Merge requests · Arch Linux / Mkinitcpio / mkinitcpio-archiso

Anton Hvornum requested to merge torxed/mkinitcpio-archiso:openssl-support2 into master May 13, 2022

Adding support for openssl code-signing verification. This enables used to choose between PGP signatures or openssl code-signing verification for binary blobs.

This requires openssl in packages.x86_64 to work:

archlinux/archiso!249 (closed)

Helper functionality for signing:

archlinux/archiso!251 (merged)

Example usage of openssl CMS signature verification: To sign with openssl cms:

openssl cms -sign -binary -noattr -in "/root/arch/x86_64/airootfs.sfs" -signer "codesigning.cert.pem" -inkey "codesigning.key" -certfile "intermediate.cert.pem" -outform DER -out "/root/arch/x86_64/airootfs.sfs.cms.sig"

To verify that the file is signed with the codesigning/emailProtection certificate (-noverify makes it so we don't chec kthe trust chain):

openssl cms -verify -binary -noattr -noverify -nointern -certfile "codesigning.cert.pem" -in "/root/arch/x86_64/airootfs.sfs.cms.sig" -content "/root/arch/x86_64/airootfs.sfs" -inform DER -out /dev/null

To verify that the file is signed by codesigning/emailProtection certificate that is signed by a CA:

openssl cms -verify -binary -noattr -in "/root/arch/x86_64/airootfs.sfs.cms.sig" -content "/root/arch/x86_64/airootfs.sfs" -inform DER -purpose any -out /dev/null

We add -purpose any because a "bug" in openssl requires emailProtection to be set in the code signing certificate to work. (for instance you can sign it with a webbcert or usercert), see github issue:

https://github.com/openssl/openssl/issues/17134

Edited May 18, 2022 by Anton Hvornum

Admin message

Adding support for openssl code-signing verification

Merge request reports