On 9/24/20 1:15 PM, Ladislav Michl wrote:
> On Thu, Sep 24, 2020 at 01:05:31PM +0200, Bastian Krause wrote:
> [doc quote deleted] 
>> After reading the quoted documentation snippets above (and assuming the
>> error message triggers correctly now), do you still think this needs
>> documentation improvement? If yes, you're very welcome to add an
>> explanation to the signing doc section (maybe an info box?) to help
>> others migrate their development key material into a code signing
>> provider for the sake of backwards compatibility.
> 
> I needed to handle this situation (I guess many people find it familiar):
> Board is using rauc for updates, keys were generated using previously
> provided script and boards were supposed to stay near developers until
> software stack is finalized. As always that was not the case and now
> we need to update them. Templated provider does not add ca.cert.pem,
> so generating rauc will end with error (Failed to create bundle:
> failed signing bundle: signature verification failed: Verify error:
> unable to get local issuer certificate).
> 
> This way you can at least prepare firmware using recent ptxdist
> with properly generated keys. If there is any other option,
> please let me know.

We had a short discussion on the #ptxdist IRC channel:

ladis' point is to mention..

cs_append_ca_from_pem "${r}" "${rauc_cert_dir}/ca.cert.pem"

..which is required for people who migrate from the previous key
generation script [1].

My point is to move the key material into local_src/<provider>/.

We agreed that both points are valid.

Regards,
Bastian

[1] 001a500ed ("scripts: add script that generates test certificates for
RAUC")

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
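
The failure quoted in this mail, reproduced with plain openssl as an added example (not code from this thread, ptxdist or RAUC): a CMS signature fails to verify against a keyring that lacks the issuing CA and verifies once ca.cert.pem is appended. The function names, the other file names and the signer-only keyring are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo with throwaway keys; not ptxdist or RAUC code.
set -eu

# make_pki DIR: development CA plus a signing certificate issued by it.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Dev CA" \
        -keyout "$1/ca.key.pem" -out "$1/ca.cert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
        -keyout "$1/sign.key.pem" -out "$1/sign.csr.pem" 2>/dev/null
    openssl x509 -req -in "$1/sign.csr.pem" -days 1 -CAcreateserial \
        -CA "$1/ca.cert.pem" -CAkey "$1/ca.key.pem" \
        -out "$1/sign.cert.pem" 2>/dev/null
}

# sign_payload DIR: CMS-sign a stand-in bundle payload with the signing key.
sign_payload() {
    printf 'constructed bundle payload\n' > "$1/payload"
    openssl cms -sign -binary -nodetach -outform DER -in "$1/payload" \
        -signer "$1/sign.cert.pem" -inkey "$1/sign.key.pem" -out "$1/payload.sig"
}

# verify_payload DIR KEYRING: print OpenSSL's messages, return its exit status.
verify_payload() {
    openssl cms -verify -inform DER -in "$1/payload.sig" -CAfile "$2" \
        -out /dev/null 2>&1
}

# demo: verification fails until the CA certificate is appended to the keyring.
demo() {
    d=$(mktemp -d)
    make_pki "$d"
    sign_payload "$d"
    cp "$d/sign.cert.pem" "$d/keyring.pem"      # assumed keyring without the CA
    if msg=$(verify_payload "$d" "$d/keyring.pem"); then
        echo "unexpected: verified without CA"; rm -rf "$d"; return 1
    fi
    echo "without CA: $msg" | grep "unable to get local issuer certificate"
    cat "$d/ca.cert.pem" >> "$d/keyring.pem"    # the effect of appending the CA
    verify_payload "$d" "$d/keyring.pem" >/dev/null && echo "with CA: verified"
    rm -rf "$d"
}

demo
```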
