Re: sign-file and detached PKCS#7 firmware signatures
From: David Howells
Date: Tue May 19 2015 - 12:49:11 EST
Luis R. Rodriguez <mcgrof@xxxxxxxx> wrote:
> > Something like:
> >
> > openssl smime -verify \
> > -in $PKCS7_MESSAGE_FILE_IN_DER_FORM \
> > -inform DER \
> > -content $FIRMWARE_BLOB_NAME \
> > -inkey $PRIVATE_KEY_FILE_IN_PEM_FORM \
> > -signer $X509_CERT_FILE_IN_PEM_FORM
> >
> > I would guess.
>
> I tried a few things and no luck with that.
Try this:
openssl smime -verify \
-in $PKCS7_MESSAGE_FILE_IN_DER_FORM \
-inform DER \
-certfile $X509_CERT_FILE_IN_PEM_FORM \
-content $FIRMWARE_BLOB_NAME \
-binary \
-noverify \
>/dev/null
Seems using -signer with -verify isn't a good idea as -signer refers to an
output file during verification just for the surprise factor.
David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/