On Thursday 22 Mar 2012 17:24:45 Michael Brown wrote: > On Thursday 22 Mar 2012 16:44:54 Terry Burton wrote: > > It's working perfectly well for my purposes using an embedded > > self-signed certificate but I will report on success with CA-signed > > (and cross-signed) certificates if we go that way. > > Great! Thanks for letting me know. :) > > In case you're interested, I'm currently working on code-signing. The code > PKCS#7 functionality is tested and committed, but I want to rationalise > some of the image-management commands before adding any more.
Code-signing is now available. For example: # Require the use of trusted images imgtrust --permanent # Download a kernel over an untrusted connection kernel http://${next-server}/boot/vmlinuz # Verify the digital signature and boot the kernel imgverify vmlinuz http://${next-server}/boot/vmlinuz.sig boot vmlinuz Suitable signatures can be created using openssl: openssl cms -sign -binary -noattr -in vmlinuz \ -signer codesign.crt -inkey codesign.key -certfile ca.crt \ -outform DER -out vmlinuz.sig I'd appreciate any test reports and general feedback. Michael _______________________________________________ ipxe-devel mailing list [email protected] https://lists.ipxe.org/mailman/listinfo/ipxe-devel
