From mboxrd@z Thu Jan  1 00:00:00 1970
Return-path: <ptxdist-bounces@pengutronix.de>
Received: (from localhost user: 'ladis' uid#1021 fake: STDIN
 (ladis@eddie.linux-mips.org)) by eddie.linux-mips.org
 id S23991212AbgIXLPYwN51m (ORCPT <rfc822;ptxdist@pengutronix.de>
 + 1 other); Thu, 24 Sep 2020 13:15:24 +0200
Date: Thu, 24 Sep 2020 13:15:22 +0200
From: Ladislav Michl <ladis@linux-mips.org>
Message-ID: <20200924111522.GA229137@lenoch>
References: <20200617143125.23999-1-bst@pengutronix.de>
 <20200617143125.23999-3-bst@pengutronix.de>
 <20200924100427.GA225235@lenoch>
 <ebbda4c0-4003-e57d-08c0-ea8946358975@pengutronix.de>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <ebbda4c0-4003-e57d-08c0-ea8946358975@pengutronix.de>
Subject: Re: [ptxdist] [PATCH v3 2/6] package templates: add
 code-signing-provider template
List-Id: PTXdist Development Mailing List <ptxdist.pengutronix.de>
List-Unsubscribe: <http://metis.pengutronix.de/cgi-bin/mailman/options/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=unsubscribe>
List-Archive: <http://metis.pengutronix.de/cgi-bin/mailman/private/ptxdist/>
List-Post: <mailto:ptxdist@pengutronix.de>
List-Help: <mailto:ptxdist-request@pengutronix.de?subject=help>
List-Subscribe: <http://metis.pengutronix.de/cgi-bin/mailman/listinfo/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=subscribe>
Reply-To: ptxdist@pengutronix.de
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ptxdist-bounces@pengutronix.de
Sender: "ptxdist" <ptxdist-bounces@pengutronix.de>
To: Bastian Krause <bst@pengutronix.de>
Cc: ptxdist@pengutronix.de

Hi Bastian,

On Thu, Sep 24, 2020 at 01:05:31PM +0200, Bastian Krause wrote:
[doc quote deleted] 
> After reading the quoted documentation snippets above (and assuming the
> error message triggers correctly now), do you still think this needs
> documentation improvement? If yes, you're very welcome to add an
> explanation to the signing doc section (maybe an info box?) to help
> others migrate their development key material into a code signing
> provider for the sake of backwards compatibility.

I needed to handle this situation (I guess many people find it familiar):
Board is using rauc for updates, keys was generated using previously
provided script and boards were supposed to stay near developers until
software stack is finalized. As always that was not the case and now
we need to update then. Templated provider does not add ca.cert.pem,
so generating rauc will end with error (Failed to create bundle:
failed signing bundle: signature verification failed: Verify error:
unable to get local issuer certificate).

This way you can at least prepare firmware using recent ptxdist
with properly generated keys. If there is any other option,
please let me know.

	ladis

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de