From mboxrd@z Thu Jan 1 00:00:00 1970
References: <20200617143125.23999-1-bst@pengutronix.de> <20200617143125.23999-3-bst@pengutronix.de> <20200924100427.GA225235@lenoch> <20200924111522.GA229137@lenoch>
From: Bastian Krause
Date: Thu, 24 Sep 2020 14:23:37 +0200
MIME-Version: 1.0
In-Reply-To: <20200924111522.GA229137@lenoch>
Content-Language: en-US
Subject: Re: [ptxdist] [PATCH v3 2/6] package templates: add code-signing-provider template
List-Id: PTXdist Development Mailing List
Reply-To: ptxdist@pengutronix.de
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ptxdist-bounces@pengutronix.de
Sender: "ptxdist"
To: ptxdist@pengutronix.de, Ladislav Michl

On 9/24/20 1:15 PM, Ladislav Michl wrote:
> On Thu, Sep 24, 2020 at 01:05:31PM +0200, Bastian Krause wrote:
> [doc quote deleted]
>> After reading the quoted documentation snippets above (and assuming the
>> error message triggers correctly now), do you still think this needs
>> documentation improvement? If yes, you're very welcome to add an
>> explanation to the signing doc section (maybe an info box?) to help
>> others migrate their development key material into a code signing
>> provider for the sake of backwards compatibility.
>
> I needed to handle this situation (I guess many people find it familiar):
> Board is using rauc for updates, keys were generated using previously
> provided script and boards were supposed to stay near developers until
> software stack is finalized. As always that was not the case and now
> we need to update them. Templated provider does not add ca.cert.pem,
> so generating rauc will end with error (Failed to create bundle:
> failed signing bundle: signature verification failed: Verify error:
> unable to get local issuer certificate).
>
> This way you can at least prepare firmware using recent ptxdist
> with properly generated keys. If there is any other option,
> please let me know.

We had a short discussion on the #ptdist irc channel: ladis' point is to
mention..

cs_append_ca_from_pem "${r}" "${rauc_cert_dir}/ca.cert.pem"

..which is required for people who migrate from the previous key
generation script [1]. My point is to move the key material into
local_src//. We agreed that both points are valid.

Regards,
Bastian

[1] 001a500ed ("scripts: add script that generates test certificates for RAUC")

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
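
The "unable to get local issuer certificate" failure quoted above can be reproduced with plain OpenSSL, shown here as an added example that is not part of the original mail or of ptxdist: a CMS signature made with a certificate issued by a development CA verifies only when that CA is in the keyring used for verification. All subjects, file names and the payload are constructed, and it is an assumption that RAUC's check behaves like `openssl cms -verify` for this case.

```shell
#!/bin/sh
# Added example: throwaway, constructed keys and names only; nothing here is
# ptxdist code or real key material. Call `demo` to see both outcomes.

# Create a dev CA, a signing certificate issued by it, and an unrelated CA.
make_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Dev CA" \
        -keyout "$d/ca.key.pem" -out "$d/ca.cert.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key.pem" -out "$d/other.cert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Dev Signer" \
        -keyout "$d/key.pem" -out "$d/csr.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/csr.pem" -CA "$d/ca.cert.pem" \
        -CAkey "$d/ca.key.pem" -CAcreateserial -days 2 \
        -out "$d/cert.pem" 2>/dev/null
}

# Sign a stand-in payload with a detached CMS signature.
sign_payload() {
    d="$1"
    printf 'constructed payload\n' > "$d/payload" &&
    openssl cms -sign -binary -in "$d/payload" -signer "$d/cert.pem" \
        -inkey "$d/key.pem" -outform DER -out "$d/payload.sig" 2>/dev/null
}

# Verify against the keyring file given as $2. Prints OpenSSL's diagnostics
# and returns its exit status (0 only if the chain builds to the keyring).
verify_payload() {
    openssl cms -verify -binary -inform DER -in "$1/payload.sig" \
        -content "$1/payload" -CAfile "$2" -out /dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" && sign_payload "$d" || return 1
    echo "keyring without the issuing CA:"
    verify_payload "$d" "$d/other.cert.pem" | grep -i "verify error"
    echo "keyring containing ca.cert.pem:"
    verify_payload "$d" "$d/ca.cert.pem" | tail -n 1
    rm -rf "$d"
}
```
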