feature: extract signature: add option to extract signature from bundle #749
force-pushed from 44a0575 to 3541f9c
@Jarsop Thanks for your contribution. The existing intended way for this would be to use the Did you check this? Or could you describe how this would not meet your requirements? How would you ensure that the 'external' signing produces a valid signature format for RAUC?
@ejoerns Yes, I already checked that, but in an embedded Linux project of a large company for which I am currently working (and others in the past which have the same functioning), they have a PKI which prohibits any external tool from signing artifacts (so no So I had to provide them with the exact format of the desired signature and he provides it to me. Today I created a tool that allows you to build this kind of bundle and then assemble the CMS in post process. This problem is common in large companies which have very strict signature policies. Hoping to have been clear and thanks for your quick reply. Regards
For this point, although the signature can be constrained during this request to the signer, I think that a check at the command level which will allow assembling the unsigned bundle and the CMS will be able to solve this problem.
To be more precise about the PKI, the official signer doesn't have direct access to the private keys but only access to a client which takes a signature policy parameter and sends a request to a secure server which contains the official private key.
Maybe it's better to will be a part of
Both If not, how about this:
I'd restrict this to verity bundles, as the CMS signature is "self-contained" in that mode (and also I'd like to discourage plain bundles). In practice, you'd then build bundles as normal (signed with a development/CI key), test and review them. Then you'd use I see some benefits:
We'd be happy to discuss this in https://app.element.io/#/room/#rauc:matrix.org (bridged from #rauc on libera.chat), as well.
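The workflow described in the two posts above (build the bundle, split off the CMS signature, have the PKI produce a new one, reassemble) comes down to handling the signature trailer of the bundle file. The following is an added illustration, not code from this PR or from RAUC itself; it assumes a bundle layout of payload, then the DER-encoded CMS signature, then an 8-byte big-endian signature size, and the payload and signature bytes it uses are constructed placeholders rather than a real squashfs or real CMS blob. It also cross-checks the trailer against the DER length the signature itself encodes, which is the kind of consistency check you want before trusting an externally produced signature.

```python
import struct

# Trailer layout assumed here: the last 8 bytes of the bundle hold the size
# of the CMS signature that immediately precedes them (big-endian uint64).
TRAILER = struct.Struct(">Q")


def der_total_length(blob: bytes) -> int:
    """Return header+content length of the DER element starting at blob[0].

    A CMS ContentInfo is a DER SEQUENCE (tag 0x30), so this lets us
    cross-check the trailer's size field against what the signature claims.
    """
    if len(blob) < 2:
        raise ValueError("truncated DER element")
    if blob[0] != 0x30:
        raise ValueError("signature does not start with a DER SEQUENCE tag")
    first = blob[1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long form: n following bytes encode the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def extract_signature(bundle: bytes) -> tuple[bytes, bytes]:
    """Split a bundle into (payload, cms_signature), validating the trailer."""
    if len(bundle) < TRAILER.size + 2:
        raise ValueError("bundle too short to carry a signature trailer")
    (sig_size,) = TRAILER.unpack_from(bundle, len(bundle) - TRAILER.size)
    if sig_size == 0 or sig_size > len(bundle) - TRAILER.size:
        raise ValueError(f"implausible signature size in trailer: {sig_size}")
    sig_start = len(bundle) - TRAILER.size - sig_size
    signature = bundle[sig_start:sig_start + sig_size]
    # Trailer and DER header must agree; a mismatch means the bundle is
    # corrupt or the trailer has been tampered with.
    if der_total_length(signature) != sig_size:
        raise ValueError("trailer size disagrees with DER-encoded signature length")
    return bundle[:sig_start], signature


def assemble_bundle(payload: bytes, signature: bytes) -> bytes:
    """Re-attach a (possibly externally produced) CMS signature to the payload."""
    if der_total_length(signature) != len(signature):
        raise ValueError("signature is not a single well-formed DER element")
    return payload + signature + TRAILER.pack(len(signature))


def build_demo_bundle() -> bytes:
    """Constructed stand-in for a bundle: fake payload + fake DER signature."""
    payload = b"hsqs" + b"\x00" * 64           # placeholder, not a real squashfs
    content = b"\xaa" * 300                    # placeholder, not a real CMS body
    signature = b"\x30\x82" + len(content).to_bytes(2, "big") + content
    return assemble_bundle(payload, signature)


if __name__ == "__main__":
    bundle = build_demo_bundle()
    payload, sig = extract_signature(bundle)
    print(f"payload {len(payload)} bytes, signature {len(sig)} bytes")
    # Simulate the external PKI returning a fresh signature for the same payload.
    new_sig = b"\x30\x05" + b"\x01" * 5        # placeholder DER SEQUENCE
    resigned = assemble_bundle(payload, new_sig)
    assert extract_signature(resigned) == (payload, new_sig)
    print("round trip ok")
```

The payload handed to the signer must be byte-identical to what was extracted; the check in `extract_signature` rejects a trailer that points into the payload instead of at a DER SEQUENCE, which is the failure mode you would otherwise only notice when the device refuses the bundle.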
Codecov Report
@@ Coverage Diff @@
## master #749 +/- ##
==========================================
- Coverage 72.99% 72.91% -0.09%
==========================================
Files 28 28
Lines 8720 8771 +51
==========================================
+ Hits 6365 6395 +30
- Misses 2355 2376 +21
Continue to review full report at Codecov.
force-pushed from 3541f9c to 503a63c
force-pushed from 35828d8 to 11cb8ba
Just a minor suggestion for simplification. I'll likely do some rewording on the commit message and documentation before merging if that's fine with you.
force-pushed from 11cb8ba to 4e500be
@jluebbe Any ideas why uncrustify failed? Maybe because you requested changes?
force-pushed from 2a1f49d to 45c6972
Some industrialization procedures require signing artifacts in a dedicated secure room with restricted access (as Public Key Infrastructure aka PKI). Add an `extract-signature` command to extract the signature and allow resigning the bundle content externally. Signed-off-by: Jean-Pierre Geslin <jarsop@outlook.com> Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
force-pushed from 45c6972 to 7b044a6
I've made some small changes and force-pushed the PR. You can check my changes here: https://github.com/rauc/rauc/compare/45c6972431e92d8c062c6e54c9afdebbf2384ede..7b044a64a39541e95ee8a23da0b614973b83b6db
This was the "sightly"/"slightly" typo.
g_debug("input bundle: %s", argv[2]);
g_debug("output file: %s", argv[3]);

if (!check_bundle(argv[2], &bundle, TRUE, &ierror)) {
@jluebbe Should it be configurable with a --no-verify option?
Hmm, probably yes, although I'm not a fan of --no-verify. That could be a separate PR though. I'd prefer to merge this as-is to prepare for the replace-signature command.
Many industrialization procedures require signing any artifact in a
dedicated secure room with restricted access
(as Public Key Infrastructure aka PKI).
This purpose adds an extract-signature command to extract the signature
and allow resigning the signature content externally.
Signed-off-by: Jean-Pierre Geslin jarsop@outlook.com