git: f486ebb5e36b - main - libsecureboot/README.rst clarify use of gpg

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Simon J. Gerraty <sjg_at_FreeBSD.org>
Date: Thu, 23 Jan 2025 03:12:52 UTC
The branch main has been updated by sjg:

URL: https://cgit.FreeBSD.org/src/commit/?id=f486ebb5e36b0dada882cfa1592cee110da2afb2

commit f486ebb5e36b0dada882cfa1592cee110da2afb2
Author:     Simon J. Gerraty <sjg@FreeBSD.org>
AuthorDate: 2025-01-23 03:10:10 +0000
Commit:     Simon J. Gerraty <sjg@FreeBSD.org>
CommitDate: 2025-01-23 03:10:10 +0000

    libsecureboot/README.rst clarify use of gpg
    
    Clarify some language and provide an example of gpg use to generate
    a detached signature.
---
 lib/libsecureboot/README.rst | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/lib/libsecureboot/README.rst b/lib/libsecureboot/README.rst
index 85b949db58cc..f1d3c5679d35 100644
--- a/lib/libsecureboot/README.rst
+++ b/lib/libsecureboot/README.rst
@@ -1,7 +1,8 @@
 libsecureboot
 *************
 
-This library depends one way or another on verifying digital signatures.
+This library depends one way or another on verifying detached digital
+signatures. 
 To do that, the necessary trust anchors need to be available.
 
 The simplest (and most attractive for an embedded system) is to
@@ -16,7 +17,7 @@ provide access to the necessary trust anchors.
 That signing server is freely available - see
 http://www.crufty.net/sjg/docs/signing-server.htm
 
-X.509 certificates chains offer a lot of flexibility over time and are
+X.509 certificate chains offer a lot of flexibility over time and are
 a great solution for an embedded vendor like Juniper or even
 FreeBSD.org, but are probably overkill for personal or small site use.
 
@@ -74,8 +75,12 @@ header.
 Signatures
 ----------
 
-We expect ascii armored (``.asc``) detached signatures.
-Eg. signature for ``manifest`` would be in ``manifest.asc``
+We expect ascii armored (``.asc``) detached signatures
+Eg.::
+
+	gpg -a --detach-sign manifest
+
+should produce the expected signature in ``manifest.asc``
 
 We only support version 4 signatures using RSA (the default for ``gpg``).
 
@@ -108,6 +113,10 @@ Ie. client sends a hash which during signing gets hashed again.
 So for Junos we define VE_ECDSA_HASH_AGAIN which causes ``verify_ec``
 to hash again.
 
+Later I added a FakeHash class to the signing server so we could
+generate signatures compatible with our previous RSA scheme and
+others.
+
 Otherwise our EC DSA and RSA signatures are the default used by
 OpenSSL - an original design goal was that a customer could verify our
 signatures using nothing but an ``openssl`` binary.