Re: [ptxdist] [PATCH v3 2/6] package templates: add code-signing-provider template

[Bastian Krause <bst@pengutronix.de>]

Hi ladis,

On 9/24/20 12:04 PM, Ladislav Michl wrote:
> Hi and sorry to revive this old patch. I just hadn't time to finish 
> conversion to code-signing-provider sooner...

I'm always happy if we can improvde documentation patches, even after
some time has passed :)

> For those previously using scripts/rauc-gen-test-certs.sh above shoud
> read: import_rauc_keys() { local
> rauc_cert_dir=${PTXDIST_WORKSPACE}/configs/rauc

This is not intended. Let me quote the relevant documentation snippets:

"Finally, one or several code signing providers supply the mapping from
roles to the respective key material or even provide it themselves for
development." [1]

"A code signing provider is a package responsible for providing the role
↔ PKCS#11 URI relationships in case an HSM is used, or for providing the
key material in case SoftHSM is used." [2]

"In case of SoftHSM use cases the keys should also be placed inside
local_src/<name>-code-signing/" [3]

The key material should reside *in* the code signing provider, just as
in the devel provider [4].

[1] https://www.ptxdist.org/doc/dev_code_signing.html#code-signing
[2] https://www.ptxdist.org/doc/dev_code_signing.html#code-signing-providers
[3]
https://www.ptxdist.org/doc/dev_code_signing.html#creating-custom-code-signing-providers
[4] https://git.pengutronix.de/cgit/ptx-code-signing-dev/

> local r="update" cs_define_role "${r}"
> 
> # SoftHSM use case cs_import_cert_from_pem "${r}"
> "${rauc_cert_dir}/rauc.cert.pem" cs_import_key_from_pem "${r}"
> "${rauc_cert_dir}/rauc.key.pem" cs_append_ca_from_pem "${r}"
> "${rauc_cert_dir}/ca.cert.pem" }
> 
> scripts/rauc-gen-test-certs.sh generated those files and back then
> there was following note: 
> ===============================================================================
>
>  Note that the default application should be to set up a public key 
> infrastructure at your site and use keys and certificates genereated
> by these.
> 
> In oder to use the just generated files in your BSP for testing
> purpose or if you do not intend to use real authentification, follow
> the instructions below.
> 
> Place the key and certificate file in your platform-dir's config/
> folder:
> 
> cp rauc-openssl-ca/private/rauc.key.pem
> <platform-dir>/config/rauc/rauc.key.pem

ptxdist should have bailed out if it found a file at that location.
Unfortunately we checked for "<platform-dir>/config/rauc/rauc.key"
(missing the .pem suffix). That's a bug, fixed with
20200924104811.30246-1-bst@pengutronix.de on the ptxdist mailing list.

> cp rauc-openssl-ca/rauc.cert.pem 
> <platform-dir>/config/rauc/rauc.cert.pem
> 
> Place the keyring file in your platform-dir's projectroot/ folder:
> 
> cp rauc-openssl-ca/ca.cert.pem
> <plaform-dir>/projectroot/etc/rauc/ca.cert.pem
> 
> ===============================================================================
>
>  Perhaps it would be nice to mention than in documentation as it
> could save time to others.

After reading the quoted documentation snippets above (and assuming the
error message triggers correctly now), do you still think this needs
documentation improvement? If yes, you're very welcome to add an
explanation to the signing doc section (maybe an info box?) to help
others migrate their development key material into a code signing
provider for the sake of backwards compatibility.

Regards,
Bastian

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de