From bf77a1a391bf01bf982ac694b278618609a4caed Mon Sep 17 00:00:00 2001 From: George T Kramer Date: Tue, 4 Dec 2018 12:25:12 -0800 Subject: [PATCH] Add OpenSSL 1.1 support for image validation Clear Linux ships OpenSSL 1.1. As a part of this transition from OpenSSL 1.0, a new option needs passed to the command used to validate the chain of trust. Signed-off-by: George T Kramer --- .../guides/maintenance/validate-signatures.rst | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/source/clear-linux/guides/maintenance/validate-signatures.rst b/source/clear-linux/guides/maintenance/validate-signatures.rst index 65668884..54bbfe4d 100644 --- a/source/clear-linux/guides/maintenance/validate-signatures.rst +++ b/source/clear-linux/guides/maintenance/validate-signatures.rst @@ -57,7 +57,14 @@ used for illustrative purposes. You may use any image of |CL| you choose. .. code-block:: console - openssl smime -verify -in clear-$(curl https://download.clearlinux.org/latest)-installer.img.xz-SHA512SUMS.sig -inform der -content sha512sum.out -CAfile ClearLinuxRoot.pem + openssl smime -verify -purpose any -in clear-$(curl https://download.clearlinux.org/latest)-installer.img.xz-SHA512SUMS.sig -inform der -content sha512sum.out -CAfile ClearLinuxRoot.pem + + .. note:: + + The `-purpose any` option is required when using OpenSSL 1.1. If using + an earlier version of OpenSSL, omit this option to perform signature + validation. The `openssl version` command may be used to determine the + version of OpenSSL in use. #. The output should contain ``Verification successful``. If the output contains ``bad_signature`` anywhere, then the image is not trustworthy. @@ -101,7 +108,14 @@ these steps manually when performing a ``swupd update``. .. code-block:: console - openssl smime -verify -in Manifest.MoM.sig -inform der -content Manifest.MoM -CAfile Swupd_Root.pem + openssl smime -verify -purpose any -in Manifest.MoM.sig -inform der -content Manifest.MoM -CAfile Swupd_Root.pem + + .. note:: + + The `-purpose any` option is required when using OpenSSL 1.1. If using + an earlier version of OpenSSL, omit this option to perform signature + validation. The `openssl version` command may be used to determine the + version of OpenSSL in use. .. note::