[{"id":1766825,"web_url":"http://patchwork.ozlabs.org/comment/1766825/","msgid":"<b41ef65f-2066-42f6-1b7f-0329effd2e03@denx.de>","list_archive_url":null,"date":"2017-09-12T09:40:58","subject":"Re: [swupdate] [meta-swupdate][PATCH] README: update signing\n\tdocumentation","submitter":{"id":5771,"url":"http://patchwork.ozlabs.org/api/people/5771/","name":"Stefano Babic","email":"sbabic@denx.de"},"content":"On 07/09/2017 11:09, Maciej Pijanowski wrote:\n> Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com>\n> ---\n>  README | 34 +++++++++++++++++++++++++---------\n>  1 file changed, 25 insertions(+), 9 deletions(-)\n> \n> diff --git a/README b/README\n> index 2e50a72aad7f..793b38b1923f 100644\n> --- a/README\n> +++ b/README\n> 
@@ -21,18 +21,34 @@ image filename) are replaced with the sha256 hash of the image.\n>  SWU image signing\n>  ------------\n>  \n> -To enable signing:\n> -    Set SWUPDATE_SIGNING = \"1\"\n> -    Set SWUPDATE_PRIVATE_KEY to the full path of private key file\n> +There are 3 signing mechanism supported by meta-swupdate at the moment:\n>  \n> -sw-description is signed with the private key and the signature is writen to\n> -sw-description.sig which is included in the SWU file.\n> +1. RSA signing:\n>  \n> -Encrypted private keys are not currently supported since a secure \n> -mechanism must exist to provide the passphrase.\n> +  * Set variable: `SWUPDATE_SIGNING = \"RSA\"`\n> +\n> +  * Set `SWUPDATE_PRIVATE_KEY` to the full path of private key file\n> +\n> +2. CMS signing:\n> +\n> +  * Set variable: `SWUPDATE_SIGNING = \"CMS\"`\n> +\n> +  * Set `SWUPDATE_CMS_CERT` to the full path of certificate file\n> +\n> +  * Set `SWUPDATE_CMS_KEY ` to the full path of private key file\n>  \n> -If SWUPDATE_SIGN_TOOL is set, SWUPDATE_PRIVATE_KEY is ignored and the string\n> -contained in SWUPDATE_SIGN_TOOL is executed to perform the signing.\n> +3. 
Custom signing tool:\n> +\n> +  * Set variable: `SWUPDATE_SIGNING = \"CUSTOM\"`\n> +\n> +  * Set variable `SWUPDATE_SIGN_TOOL' to custom string that needs to be\n> +    executed in order to perform the signing\n> +\n> +sw-description is signed and the signature is written to sw-description.sig\n> +which is included in the SWU file.\n> +\n> +Encrypted private keys are not currently supported since a secure\n> +mechanism must exist to provide the passphrase.\n>  \n>  Maintainer\n>  ----------\n> \nApplied to -master and -pyro, thanks !\n\nBest regards,\nStefano Babic","headers":{"Return-Path":"<swupdate+bncBAABBL6X33GQKGQEEBNGRYA@googlegroups.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=googlegroups.com\n\t(client-ip=2a00:1450:4010:c07::23b;\n\thelo=mail-lf0-x23b.google.com;\n\tenvelope-from=swupdate+bncbaabbl6x33gqkgqeebngrya@googlegroups.com;\n\treceiver=<UNKNOWN>)","ozlabs.org; dkim=pass (2048-bit key;\n\tunprotected) header.d=googlegroups.com header.i=@googlegroups.com\n\theader.b=\"q6NwaB2H\"; dkim-atps=neutral"],"Received":["from mail-lf0-x23b.google.com (mail-lf0-x23b.google.com\n\t[IPv6:2a00:1450:4010:c07::23b])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128\n\tbits)) (No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xs0D14lKzz9sRg\n\tfor <incoming@patchwork.ozlabs.org>;\n\tTue, 12 Sep 2017 19:41:05 +1000 (AEST)","by mail-lf0-x23b.google.com with SMTP id k4sf290845lfg.9\n\tfor <incoming@patchwork.ozlabs.org>;\n\tTue, 12 Sep 2017 02:41:05 -0700 (PDT)","by 10.25.216.4 with SMTP id p4ls11618lfg.21.gmail; Tue, 12 Sep 2017\n\t02:41:02 -0700 (PDT)","from mail-out.m-online.net (mail-out.m-online.net. 
[212.18.0.9])\n\tby gmr-mx.google.com with ESMTPS id\n\td82si582362wmd.1.2017.09.12.02.41.02\n\tfor <swupdate@googlegroups.com>\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tTue, 12 Sep 2017 02:41:02 -0700 (PDT)","from frontend03.mail.m-online.net (unknown [192.168.6.182])\n\tby mail-out.m-online.net (Postfix) with ESMTP id 3xs0Cy40cWz1qwR8;\n\tTue, 12 Sep 2017 11:41:02 +0200 (CEST)","from localhost (dynscan3.mnet-online.de [192.168.6.84])\n\tby mail.m-online.net (Postfix) with ESMTP id 3xs0Cy3X6kz1qsQG;\n\tTue, 12 Sep 2017 11:41:02 +0200 (CEST)","from mail.mnet-online.de ([192.168.8.182])\n\tby localhost (dynscan3.mail.m-online.net [192.168.6.84]) (amavisd-new,\n\tport 10024)\n\twith ESMTP id NuKTkY-dir5G; Tue, 12 Sep 2017 11:41:01 +0200 (CEST)","from babic.homelinux.org\n\t(host-88-217-136-221.customer.m-online.net [88.217.136.221])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby mail.mnet-online.de (Postfix) with ESMTPS;\n\tTue, 12 Sep 2017 11:41:01 +0200 (CEST)","from localhost (mail.babic.homelinux.org [127.0.0.1])\n\tby babic.homelinux.org (Postfix) with ESMTP id 3D56D45405CE;\n\tTue, 12 Sep 2017 11:41:01 +0200 (CEST)","from babic.homelinux.org ([127.0.0.1])\n\tby localhost (mail.babic.homelinux.org [127.0.0.1]) (amavisd-new,\n\tport 10024)\n\twith ESMTP id Wu1huicDypUX; Tue, 12 Sep 2017 11:40:58 +0200 (CEST)","from [192.168.178.132] (papero.fritz.box [192.168.178.132])\n\tby babic.homelinux.org (Postfix) with ESMTP id C82D045405CD;\n\tTue, 12 Sep 2017 11:40:58 +0200 (CEST)"],"ARC-Authentication-Results":["i=2; gmr-mx.google.com;\n\tspf=neutral (google.com: 212.18.0.9 is neither permitted nor denied\n\tby best guess record for domain of sbabic@denx.de)\n\tsmtp.mailfrom=sbabic@denx.de","i=1; gmr-mx.google.com;\n\tspf=neutral (google.com: 212.18.0.9 is neither permitted nor denied\n\tby best guess record for domain of sbabic@denx.de)\n\tsmtp.mailfrom=sbabic@denx.de"],"Sender":"swupdate@googlegroups.com","X-Received":["by 10.46.66.14 with SMTP id p14mr28466lja.20.1505209263054;\n\tTue, 12 Sep 2017 02:41:03 -0700 (PDT)","by 10.25.181.214 with SMTP id g83mr1143984lfk.17.1505209262783; \n\tTue, 12 Sep 2017 02:41:02 -0700 (PDT)"],"X-BeenThere":"swupdate@googlegroups.com","Received-SPF":"neutral (google.com: 212.18.0.9 is neither permitted nor\n\tdenied by best guess record for domain of sbabic@denx.de)\n\tclient-ip=212.18.0.9; ","X-Virus-Scanned":["amavisd-new at mnet-online.de","Debian amavisd-new at babic.homelinux.org"],"Subject":"Re: [swupdate] [meta-swupdate][PATCH] README: update signing\n\tdocumentation","To":"Maciej Pijanowski <maciej.pijanowski@3mdeb.com>,\n\tswupdate@googlegroups.com","Cc":"piotr.krol@3mdeb.com, diego.rondini@kynetics.com","References":"<1504775341-13994-1-git-send-email-maciej.pijanowski@3mdeb.com>","From":"Stefano Babic <sbabic@denx.de>","Message-ID":"<b41ef65f-2066-42f6-1b7f-0329effd2e03@denx.de>","Date":"Tue, 12 Sep 2017 11:40:58 
+0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<1504775341-13994-1-git-send-email-maciej.pijanowski@3mdeb.com>","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Language":"de-DE","X-Original-Sender":"sbabic@denx.de","X-Original-Authentication-Results":"gmr-mx.google.com;       spf=neutral\n\t(google.com: 212.18.0.9 is neither permitted nor denied by best guess\n\trecord\n\tfor domain of sbabic@denx.de) smtp.mailfrom=sbabic@denx.de","Precedence":"list","Mailing-list":"list swupdate@googlegroups.com;\n\tcontact swupdate+owners@googlegroups.com","List-ID":"<swupdate.googlegroups.com>","X-Spam-Checked-In-Group":"swupdate@googlegroups.com","X-Google-Group-Id":"605343134186","List-Post":"<https://groups.google.com/group/swupdate/post>,\n\t<mailto:swupdate@googlegroups.com>","List-Help":"<https://groups.google.com/support/>,\n\t<mailto:swupdate+help@googlegroups.com>","List-Archive":"<https://groups.google.com/group/swupdate","List-Subscribe":"<https://groups.google.com/group/swupdate/subscribe>,\n\t<mailto:swupdate+subscribe@googlegroups.com>","List-Unsubscribe":"<mailto:googlegroups-manage+605343134186+unsubscribe@googlegroups.com>,\n\t<https://groups.google.com/group/swupdate/subscribe>"}}]
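
Review bot: The README hunk replaces `SWUPDATE_SIGNING = "1"` with the values "RSA", "CMS" and "CUSTOM" and drops the sentence saying that a set `SWUPDATE_SIGN_TOOL` causes `SWUPDATE_PRIVATE_KEY` to be ignored, but the new text does not say what an existing configuration that still sets "1", or sets only `SWUPDATE_SIGN_TOOL`, now does; a sentence on migration would make clear whether such a build still signs. The closing paragraph on encrypted private keys should also state whether it covers `SWUPDATE_CMS_KEY` as well as `SWUPDATE_PRIVATE_KEY`. Smaller points in the same hunk: "3 signing mechanism" should read "mechanisms", `SWUPDATE_CMS_KEY ` carries a trailing space inside the backticks, and `SWUPDATE_SIGN_TOOL'` opens with a backtick but closes with an apostrophe.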