* Re: [RAUC] resign a bundle with new intermediate certificate
From: Jan Lübbe @ 2022-03-16 10:10 UTC
To: Yazdani, Reyhaneh, rauc

Hi,

On Wed, 2022-03-16 at 08:36 +0000, Yazdani, Reyhaneh wrote:
> Hello,
>
> I have a bundle, which is signed with keys in the past.
> Now, I have new keys, which are created with a new ica-certificate. When I
> want to resign the bundle with new keys, I face this error:
>
> Failed to resign bundle: failed signing bundle: signature verification failed:
> Verify error:unable to get local issuer certificate

Please don't trim the log output. You can also use -d to get more output.

> This is the command which is applied:
>
> rauc resign --cert=new-certificate-1.pem --key=new-key-1.pem
> --keyring=old-rauc.cert.pem

This is only correct if the old certificate was self-signed. Otherwise it must be
the old root CA certificate.

> --signing-keyring=new-certificate-1.pem

If you're using intermediate certificates, the new-certificate-1.pem can't be
self-signed. Accordingly, using it as the --signing-keyring can't be correct.

You need to use the *new* root CA certificate here.

> --intermediate=new-ica-certificate.pem old-bundle.raucb new-bundle.raucb
>
> Can I resign a bundle with new ica-certificate?

It uses the same code paths as the normal bundle creation for signing, so I
don't see why it should behave differently.

Regards,
Jan

--
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
_______________________________________________
RAUC mailing list

* Re: [RAUC] resign a bundle with new intermediate certificate
From: Yazdani, Reyhaneh @ 2022-03-16 11:45 UTC
To: Jan Lübbe, rauc

Hi Jan,

> -----Original Message-----
> From: Jan Lübbe <jlu@pengutronix.de>
> Sent: Wednesday, 16 March 2022 11:11
> To: Yazdani, Reyhaneh <RYazdani@data-modul.com>; rauc@pengutronix.de
> Subject: Re: [RAUC] resign a bundle with new intermediate certificate
>
> Hi,
>
> On Wed, 2022-03-16 at 08:36 +0000, Yazdani, Reyhaneh wrote:
> > Hello,
> >
> > I have a bundle, which is signed with keys in the past.
> > Now, I have new keys, which are created with a new ica-certificate.
> > When I want to resign the bundle with new keys, I face this error:
> >
> > Failed to resign bundle: failed signing bundle: signature verification failed:
> > Verify error:unable to get local issuer certificate
>
> Please don't trim the log output. You can also use -d to get more output.

[Reyhaneh] Yes, I used -d argument, but since it did not provide me more output, I didn't bring it in the email.

> > This is the command which is applied:
> >
> > rauc resign --cert=new-certificate-1.pem --key=new-key-1.pem
> > --keyring=old-rauc.cert.pem
>
> This is only correct if the old certificate was self-signed. Otherwise it must be
> the old root CA certificate.

[Reyhaneh] Old certificate was self-signed.

> > --signing-keyring=new-certificate-1.pem
>
> If you're using intermediate certificates, the new-certificate-1.pem can't be
> self-signed. Accordingly, using it as the --signing-keyring can't be correct.

[Reyhaneh] Yes, it was my mistake. I removed it from --signing-keyring argument.

> You need to use the *new* root CA certificate here.

[Reyhaneh] So, do you mean the below (similar to intermediate argument)?:
--signing-keyring=new-ica-certificate.pem

> > --intermediate=new-ica-certificate.pem old-bundle.raucb
> > new-bundle.raucb
> >
> > Can I resign a bundle with new ica-certificate?
>
> It uses the same code paths as the normal bundle creation for signing, so I
> don't see why it should behave differently.

Best,
Reyhaneh

* Re: [RAUC] resign a bundle with new intermediate certificate
From: Yazdani, Reyhaneh @ 2022-03-16 11:56 UTC
To: Jan Lübbe, rauc

Maybe it would be better that I ask my question in this way:

If I have an ICA certificate and a pair of signed certificate (not self-signed) and key, how should I prepare the rauc bundle command? Is the below command correct?

$ rauc bundle --cert=certificate.pem --key=key.pem --intermediate=ica-certificate.pem input-dir output.bundle

Or still I need --keyring argument? If yes, then --keyring=certificate.pem is right?

What should I copy in rootfs (/etc/rauc/), certificate or ica-certificate?

Best regards,
Reyhaneh

* Re: [RAUC] resign a bundle with new intermediate certificate
From: Enrico Jörns @ 2022-03-16 12:25 UTC
To: Yazdani, Reyhaneh, Jan Lübbe, rauc

Hi,

On Wednesday, 16.03.2022 at 11:56 +0000, Yazdani, Reyhaneh wrote:
> Maybe it would be better that I ask my question in this way:
>
> If I have an ICA certificate and a pair of signed certificate (not self-signed) and key, how should I prepare the rauc bundle command? Is the below command correct?
>
> $ rauc bundle --cert=certificate.pem --key=key.pem --intermediate=ica-certificate.pem input-dir output.bundle
>
> Or still I need --keyring argument? If yes, then --keyring=certificate.pem is right?

--keyring is optional for 'rauc bundle' and used only for post-signing verification.

> What should I copy in rootfs (/etc/rauc/), certificate or ica-certificate?

The purpose of putting the intermediate certificate into the CMS/signature is to not require this to be present in the keyring.

Thus you only need to place the (root) certificate there.

Best regards, Enrico

--
Pengutronix e.K.                           | Enrico Jörns                |
Embedded Linux Consulting & Support        | https://www.pengutronix.de/ |
Steuerwalder Str. 21                       | Phone: +49-5121-206917-180  |
31137 Hildesheim, Germany                  | Fax:   +49-5121-206917-9    |
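
Added example (not part of the thread and not RAUC's own code): the keyring rules from Jan's and Enrico's replies above, reproduced with plain `openssl cms` on a constructed throwaway PKI. The names root, ica, signer and payload are made up for the illustration, and OpenSSL's default chain validation (no partial-chain trust) is assumed.

```sh
#!/bin/sh
# Added example; every name and file here is constructed for the illustration.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; cd "$W"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > leaf.ext
echo 'constructed payload standing in for the bundle content' > payload

# mkcert NAME EXTFILE [ISSUER]: new key and CSR; self-signed unless ISSUER is given
mkcert() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -key "$1.key" -subj "/CN=constructed $1" -out "$1.csr"
  if [ -n "${3:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -extfile "$2" -days 30 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$2" -days 30 -out "$1.pem" 2>/dev/null
  fi
}

# sign_payload [CERTFILE]: detached CMS signature made with the signer key.
# CERTFILE is embedded in the CMS, which is what --intermediate is for.
sign_payload() {
  openssl cms -sign -binary -in payload -signer signer.pem -inkey signer.key \
    ${1:+-certfile "$1"} -outform DER -out sig.cms
}

# verify_with KEYRING: status 0 only if the signer's chain ends at a
# self-signed certificate contained in KEYRING
verify_with() {
  openssl cms -verify -binary -inform DER -in sig.cms -content payload \
    -CAfile "$1" -out /dev/null 2>verify.err
}

report() { if verify_with "$1"; then echo "OK      $2"; else echo "FAILED  $2"; fi; }

mkcert root ca.ext; mkcert ica ca.ext root; mkcert signer leaf.ext ica
sign_payload ica.pem
report root.pem   "keyring = root CA, intermediate taken from the CMS"
report signer.pem "keyring = signer certificate (as in the first command)"
report ica.pem    "keyring = intermediate CA only"
sign_payload
report root.pem   "keyring = root CA, intermediate not embedded"
```

Only the first case verifies; after a failed case, `verify.err` in the working directory holds OpenSSL's chain-building error.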

* Re: [RAUC] resign a bundle with new intermediate certificate
From: Yazdani, Reyhaneh @ 2022-03-17 9:06 UTC
To: Enrico Jörns, Jan Lübbe, rauc

Hi Enrico,

Now my problem is solved by using Root CA.

Best regards,
Reyhaneh