@@ -62,6 +62,8 @@ There are 3 signing mechanisms supported by meta-swupdate at the moment:
* Set `SWUPDATE_CMS_KEY ` to the full path of private key file
+ * (Optional) Set `SWUPDATE_CMS_EXTRA_CERTS` to a space delimited list of intermediate certificate files
+
3. Custom signing tool:
* Set variable: `SWUPDATE_SIGNING = "CUSTOM"`
@@ -34,6 +34,18 @@ def get_pwd_file_args(d, passfile):
pwd_args = ["-passin", "file:%s" % pwd_file]
return pwd_args
+def get_certfile_args(d):
+ extra_certs = d.getVar('SWUPDATE_CMS_EXTRA_CERTS', True)
+ if not extra_certs:
+ return []
+ certfile_args = []
+ extra_paths = extra_certs.split()
+ for crt_path in extra_paths:
+ if not os.path.exists(crt_path):
+ bb.fatal("SWUPDATE_CMS_EXTRA_CERTS path %s doesn't exist" % (crt_path))
+ certfile_args.extend(["-certfile", crt_path])
+ return certfile_args
+
def swupdate_getdepends(d):
def adddep(depstr, deps):
for i in (depstr or "").split():
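Review bot: get_certfile_args accepts a directory as an intermediate certificate, because the guard on the `if not os.path.exists(crt_path):` line only tests that the path exists; `if not os.path.isfile(crt_path):` would reject that up front instead of leaving it to openssl to fail later. The new function also has no docstring; add `"""Return "-certfile PATH" pairs for every path in SWUPDATE_CMS_EXTRA_CERTS; bb.fatal on a missing path."""` under the def line. The loop emits one `-certfile` per path, which presumably relies on the installed openssl accepting the option repeatedly — worth confirming, since an openssl that honours only the last one would silently drop earlier intermediates. swupdate_getdepends continues outside this hunk.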
@@ -204,8 +216,11 @@ def prepare_sw_description(d):
bb.fatal("SWUPDATE_CMS_KEY isn't set")
if not os.path.exists(cms_key):
bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key))
- signcmd = ["openssl", "cms", "-sign", "-in", sw_desc, "-out", sw_desc_sig, "-signer", cms_cert, "-inkey", cms_key] + \
- get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + ["-outform", "DER", "-nosmimecap", "-binary"]
+ signcmd = ["openssl", "cms", "-sign", "-in", sw_desc, "-out", sw_desc_sig] + \
+ ["-signer", cms_cert, "-inkey", cms_key] + \
+ ["-outform", "DER", "-nosmimecap", "-binary"] + \
+ get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + \
+ get_certfile_args(d)
else:
bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism.")
subprocess.run(' '.join(signcmd), shell=True, check=True)
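Review bot: The certificate paths appended by get_certfile_args on the `get_certfile_args(d)` line end up in `' '.join(signcmd)` run with `shell=True` on the last line, so a configured path containing shell metacharacters is reinterpreted by the shell rather than passed to openssl as-is; the same pre-existing exposure applies to cms_cert and cms_key. Passing the list directly, `subprocess.run(signcmd, check=True)`, keeps each argument intact, or wrap each element with `shlex.quote` if the shell form must stay. Moving the password-file arguments after `-binary` looks harmless since openssl does not depend on option order. prepare_sw_description starts before this hunk.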
When signing with openssl cms, the recipient may not have the intermediate certs in the chain. The -certfile option includes these certificates in the message, ensuring the recipient can establish the full chain of trust from a root CA they already have, through the intermediate certificate(s) to the signing certificate. Add optional SWUPDATE_CMS_EXTRA_CERTS var to add additional certs to CMS output using -certfile argument. Signed-off-by: Wes Malone <wes@mitsi.com> --- README | 2 ++ classes/swupdate-common.bbclass | 19 +++++++++++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-)