Re: sign-file and detached PKCS#7 firmware signatures

From: David Howells
Date: Tue May 19 2015 - 12:49:11 EST


Luis R. Rodriguez <mcgrof@xxxxxxxx> wrote:

> > Something like:
> >
> > openssl smime -verify \
> > -in $PKCS7_MESSAGE_FILE_IN_DER_FORM \
> > -inform DER \
> > -content $FIRMWARE_BLOB_NAME \
> > -inkey $PRIVATE_KEY_FILE_IN_PEM_FORM \
> > -signer $X509_CERT_FILE_IN_PEM_FORM
> >
> > I would guess.
>
> I tried a few things and no luck with that.

Try this:

openssl smime -verify \
-in $PKCS7_MESSAGE_FILE_IN_DER_FORM \
-inform DER \
-certfile $X509_CERT_FILE_IN_PEM_FORM \
-content $FIRMWARE_BLOB_NAME \
-binary \
-noverify \
>/dev/null

Seems using -signer with -verify isn't a good idea as -signer refers to an
output file during verification just for the surprise factor.

David
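The verify command from the reply above, exercised end to end as an added example that is not part of the original message: it signs a constructed blob with a throwaway key, then checks the intact blob, an unrelated certificate and a tampered blob. The helper function names, file names and subject names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Keys, blob and file names are constructed for the demo.

make_signer() {      # $1 = dir, $2 = CN; writes key.pem and self-signed cert.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

sign_detached() {    # $1 = signer dir, $2 = blob; writes detached DER to $2.p7s
    # -nocerts keeps the certificate out of the PKCS#7 message, so the
    # verifier has to be given it with -certfile.
    openssl smime -sign -binary -nocerts -outform DER \
        -in "$2" -signer "$1/cert.pem" -inkey "$1/key.pem" -out "$2.p7s"
}

verify_detached() {  # $1 = cert, $2 = blob, $3 = signature; status 0 = good
    openssl smime -verify -in "$3" -inform DER -certfile "$1" \
        -content "$2" -binary -noverify >/dev/null 2>&1
}

demo() {             # returns 0 only if all three checks behave as expected
    d=$(mktemp -d) || return 2
    mkdir "$d/other"
    printf 'constructed firmware blob\n' > "$d/fw.bin"
    if ! { make_signer "$d" "constructed signer" &&
           make_signer "$d/other" "constructed other signer" &&
           sign_detached "$d" "$d/fw.bin"; }; then
        rm -rf "$d"; return 2
    fi
    rc=0
    # 1. intact blob, right certificate: must verify
    verify_detached "$d/cert.pem" "$d/fw.bin" "$d/fw.bin.p7s" || rc=1
    # 2. right blob, unrelated certificate: must fail
    verify_detached "$d/other/cert.pem" "$d/fw.bin" "$d/fw.bin.p7s" && rc=1
    # 3. tampered blob, right certificate: must fail
    printf 'X' >> "$d/fw.bin"
    verify_detached "$d/cert.pem" "$d/fw.bin" "$d/fw.bin.p7s" && rc=1
    rm -rf "$d"
    return $rc
}

if demo; then echo "detached PKCS#7 checks behaved as expected"
else echo "unexpected result" >&2; fi
```

-noverify skips certificate chain validation, so a pass only means the signature matches the certificate passed with -certfile; trust in that certificate has to be established separately.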