Merge pull request #48 from Foundation-Devices/PASS1-515-document-dev…
…eloper-pubkey-setup

Pass1-515: document developer pubkey setup
FoundationKen committed Oct 28, 2022
2 parents a053d15 + 41384fd commit a4ba805
Showing 2 changed files with 30 additions and 2 deletions.
18 changes: 16 additions & 2 deletions DEVELOPMENT.md
@@ -15,6 +15,9 @@ In order to build the Passport firmware, you need to:
* Install the dependencies
* Run the build or sign command

## Contributing
Foundation requires commits to be signed with GPG keys in order to be merged. Follow [Github's guide to commit signature verification](https://docs.github.com/en/authentication/managing-commit-signature-verification) to get started.

### Get the Source Code
The instructions below assume you are installing into your home folder at `~/passport2`. You can choose
to install to a different folder, and just update command paths appropriately.
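
Review bot: the new `## Contributing` heading is a level-2 heading placed directly above `### Get the Source Code`, so that subsection now nests under Contributing instead of under the build instructions introduced by "In order to build the Passport firmware, you need to:". Move the Contributing section ahead of the build section or to the end of the file so the outline stays intact. "Github's" should also be spelled "GitHub's".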
@@ -99,6 +102,19 @@ First, you need to build the `cosign` tool and copy it somewhere in your `PATH`:
make
cp x86/release/cosign ~/.local/bin # You can run `echo $PATH` to see the list of possible places you can put this file

If you don't already have an openssl key, return to the repo root directory and generate a Pubkey using `tools/genkeys.sh`. This takes a key number as an argument.

./tools/genkeys.sh 1

Now, move the keys into `~/bin/keys/`, or look ahead a few steps for instructions on setting a custom `cosign_keypath`. Create the directory if it doesn't exist yet. If you already have keys here for another use, make sure not to overwrite them. Make sure not to commit these keys in the git repo.

mkdir ~/bin/keys
mv tools/1.pem ~/bin/keys/user.pem
mv tools/1-pub.bin ~/bin/keys/user-pub.bin
mv tools/1-pub.pem ~/bin/keys/user-pub.pem

Next, save `user-pub.bin` to a microSD card, and upload it to the passport by inserting the microSD, going to the leftmost settings page, and selecting Advanced -> Developer Pubkey -> Install Pubkey, then selecting user-pub.bin.

Next you need to sign the firmware and give it a version number. Once signed, `cosign` will output a filename of the format `v2.0.3-passport.bin`, but with the version number
replaced with whatever you specified. Note that you need to tell `cosign` whether you are signing for a `mono` (Founder's Edition) Passport or a `color` (Batch 2 onward) Passport.
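
Review bot: `mkdir ~/bin/keys` in the added key-setup steps fails when `~/bin` does not exist and errors when the directory is already there, which contradicts the "Create the directory if it doesn't exist yet" wording; use `mkdir -p ~/bin/keys`. The three `mv` commands silently replace an existing `user.pem`, so the warning about not overwriting keys would be better backed by `mv -n`. Since `user.pem` is the private signing key, add a `chmod 600 ~/bin/keys/user.pem` step, and say that the script generates a key pair rather than only a "Pubkey".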

@@ -119,8 +135,6 @@ You can also print the contents of the firmware header with the following comman

The signed firmware can be put onto a microSD card and installed on Passport. You just need to upload the corresponding Developer Pubkey first.

***TBD: Insert link to article on installing Developer Pubkey***

#### Building the Bootloader
To build the bootloader for a reproducibility check, go to the repo root folder:
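
Review bot: removing the TBD placeholder leaves "You just need to upload the corresponding Developer Pubkey first." with no pointer to how that is done. Refer back to the Install Pubkey step added earlier in this file (Advanced -> Developer Pubkey -> Install Pubkey) so a reader who lands on this paragraph can find it.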

14 changes: 14 additions & 0 deletions tools/genkeys.sh
@@ -0,0 +1,14 @@
#!/bin/bash
keynum=$1
if [ -z "$keynum" ]; then
echo "No key number specified"
exit 1
fi
# Generate an ECKEY
openssl ecparam -name secp256k1 -genkey -noout -out ${keynum}.pem
# Get the corresponding public key
openssl ec -in ${keynum}.pem -pubout -out ${keynum}-pub.pem
# Convert the public key to a binary file
openssl ec -pubin -inform PEM -outform DER -in ${keynum}-pub.pem -out ${keynum}-pub.bin
# Dump public key so that we can get the text required for pulling it into the code
openssl ec -in ${keynum}.pem -pubout -text
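
Review bot: every `-out` path in the script is relative to the current working directory, but DEVELOPMENT.md runs `./tools/genkeys.sh 1` from the repo root and then moves `tools/1.pem`, so the documented `mv` commands will not find the files. Either write into the script's own directory (for example via `$(dirname "$0")`) or change the documented paths. `${keynum}` is also unquoted throughout, and there is no check for an existing `${keynum}.pem`, so a rerun with the same number overwrites the private key; quote the variable, refuse to overwrite, and set `umask 077` before generating the key.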
