Message ID | 1504775341-13994-1-git-send-email-maciej.pijanowski@3mdeb.com |
---|---|
State | Accepted |
Series | [meta-swupdate] README: update signing documentation |
On 07/09/2017 11:09, Maciej Pijanowski wrote: > Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com> > --- > README | 34 +++++++++++++++++++++++++--------- > 1 file changed, 25 insertions(+), 9 deletions(-) > > diff --git a/README b/README > index 2e50a72aad7f..793b38b1923f 100644 > --- a/README > +++ b/README > @@ -21,18 +21,34 @@ image filename) are replaced with the sha256 hash of the image. > SWU image signing > ------------ > > -To enable signing: > - Set SWUPDATE_SIGNING = "1" > - Set SWUPDATE_PRIVATE_KEY to the full path of private key file > +There are 3 signing mechanism supported by meta-swupdate at the moment: > > -sw-description is signed with the private key and the signature is writen to > -sw-description.sig which is included in the SWU file. > +1. RSA signing: > > -Encrypted private keys are not currently supported since a secure > -mechanism must exist to provide the passphrase. > + * Set variable: `SWUPDATE_SIGNING = "RSA"` > + > + * Set `SWUPDATE_PRIVATE_KEY` to the full path of private key file > + > +2. CMS signing: > + > + * Set variable: `SWUPDATE_SIGNING = "CMS"` > + > + * Set `SWUPDATE_CMS_CERT` to the full path of certificate file > + > + * Set `SWUPDATE_CMS_KEY ` to the full path of private key file > > -If SWUPDATE_SIGN_TOOL is set, SWUPDATE_PRIVATE_KEY is ignored and the string > -contained in SWUPDATE_SIGN_TOOL is executed to perform the signing. > +3. Custom signing tool: > + > + * Set variable: `SWUPDATE_SIGNING = "CUSTOM"` > + > + * Set variable `SWUPDATE_SIGN_TOOL' to custom string that needs to be > + executed in order to perform the signing > + > +sw-description is signed and the signature is written to sw-description.sig > +which is included in the SWU file. > + > +Encrypted private keys are not currently supported since a secure > +mechanism must exist to provide the passphrase. > > Maintainer > ---------- > Applied to -master and -pyro, thanks ! Best regards, Stefano Babic
diff --git a/README b/README index 2e50a72aad7f..793b38b1923f 100644 --- a/README +++ b/README @@ -21,18 +21,34 @@ image filename) are replaced with the sha256 hash of the image. SWU image signing ------------ -To enable signing: - Set SWUPDATE_SIGNING = "1" - Set SWUPDATE_PRIVATE_KEY to the full path of private key file +There are 3 signing mechanism supported by meta-swupdate at the moment: -sw-description is signed with the private key and the signature is writen to -sw-description.sig which is included in the SWU file. +1. RSA signing: -Encrypted private keys are not currently supported since a secure -mechanism must exist to provide the passphrase. + * Set variable: `SWUPDATE_SIGNING = "RSA"` + + * Set `SWUPDATE_PRIVATE_KEY` to the full path of private key file + +2. CMS signing: + + * Set variable: `SWUPDATE_SIGNING = "CMS"` + + * Set `SWUPDATE_CMS_CERT` to the full path of certificate file + + * Set `SWUPDATE_CMS_KEY ` to the full path of private key file -If SWUPDATE_SIGN_TOOL is set, SWUPDATE_PRIVATE_KEY is ignored and the string -contained in SWUPDATE_SIGN_TOOL is executed to perform the signing. +3. Custom signing tool: + + * Set variable: `SWUPDATE_SIGNING = "CUSTOM"` + + * Set variable `SWUPDATE_SIGN_TOOL' to custom string that needs to be + executed in order to perform the signing + +sw-description is signed and the signature is written to sw-description.sig +which is included in the SWU file. + +Encrypted private keys are not currently supported since a secure +mechanism must exist to provide the passphrase. Maintainer ----------
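Review bot: The rewritten "SWU image signing" section removes `SWUPDATE_SIGNING = "1"` without saying what happens to configurations that still set it; add a sentence stating whether "1" is still accepted and which mechanism it selects, so an existing build does not change its signing behaviour unnoticed. Two markup slips in the added lines should be fixed: the `SWUPDATE_CMS_KEY` entry has a trailing space inside its backticks, and the `SWUPDATE_SIGN_TOOL` entry opens with a backtick but closes with an apostrophe. "There are 3 signing mechanism" should read "mechanisms". The retained paragraph on encrypted private keys now follows three mechanisms, so it should say whether it applies to both `SWUPDATE_PRIVATE_KEY` and `SWUPDATE_CMS_KEY`. For the custom tool, the text says only that the string is executed; describing what input the command receives and how its output ends up in sw-description.sig would let integrators check their tool against what the build expects.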
Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com> --- README | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-)