Certificate Key Usage Attributes - S/MIME signing is needed for bundle creation #1124
Comments
When you pass a keyring to Your output also mentions Together this should be a workaround for your case. To fix this properly, we'd have to:
When #1268 is merged, you should be able to use
#1268 is merged now, so you should be able to use
Describe the bug
I use smallstep as CA and for creating my certificates. As mentioned in the documentation, I created my leaf certificate with the needed X509 keyUsage and extendedKeyUsage parameters (keyUsage = "digitalSignature" and extendedKeyUsage = "codeSigning").
The bundle creation worked fine with the demo certificate mentioned in the documentation, but when I tried to use my self-signed certificate it failed with the error message:
Background information
RAUC version: rauc 1.9.96-973ae
System:
I'm running an Ubuntu Server 22.04.2 LTS in a QEMU virtual machine
To Reproduce
Steps to reproduce the behavior:
1.1 My provisioner config was updated with this template:
cat root.crt intermediate.crt > keyring.pem
rauc --cert=/data/update/certs/my_leaf.pem --key=/data/update/certs/my_leaf.key --keyring=/data/update/certs/keyring.pem bundle rauc-bundle/ update-2023.05-1.raucb
Expected behavior
Bundle creation without error
Logs
Additional context
After a few hours of trying to find the problem, and even changing my intermediate certificate to include the extendedKeyUsage = "codeSigning" parameter without luck, I found the problem!
The leaf certificate also needed the S/MIME signing parameter!
With the updated template, everything worked as expected:
Before including "emailProtection" in the extKeyUsage field, I also tried to include "check-purpose=codesign" inside the config file, but it didn't change anything.
My config file now:
Therefore either the documentation is incomplete or the implementation is wrong.
Just wanted to let you know that I had huge problems with this. :)
Kind regards
Michael
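The behaviour reported above can be reproduced with plain OpenSSL, independent of RAUC: RAUC bundle signatures are CMS structures, and OpenSSL's CMS verification checks the signer certificate against the "smimesign" purpose by default, which rejects any certificate whose extendedKeyUsage is present but lacks emailProtection (the error is "unsupported certificate purpose"). The script below is an added example, not RAUC project code and not the reporter's template. It builds a throwaway CA, issues one leaf with extendedKeyUsage = codeSigning only and one with codeSigning plus emailProtection, signs a constructed payload with each, and verifies the result. The config section names, CN values, file names and the payload are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not RAUC code): show why a leaf cert with
# extendedKeyUsage = codeSigning alone fails OpenSSL CMS verification,
# and why adding emailProtection makes it pass.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config with two hypothetical leaf extension profiles:
# "leaf_codesign" mirrors the failing template, "leaf_codesign_smime" the fix.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = rauc-eku-demo
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_codesign ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ leaf_codesign_smime ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Self-signed test CA (no EKU at all, so it passes every purpose check).
make_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 30 \
        -config "$WORK/openssl.cnf" -extensions ca_ext -subj "/CN=Demo CA" 2>/dev/null
}

# Issue a leaf named $1 using extension section $2 from the config above.
make_leaf() {
    name="$1"; section="$2"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -config "$WORK/openssl.cnf" -subj "/CN=$name" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/$name.pem" \
        -extfile "$WORK/openssl.cnf" -extensions "$section" 2>/dev/null
}

# Sign a constructed payload with leaf $1, then verify the CMS blob against
# the CA exactly as a bundle consumer would. Prints "verified" or "rejected".
cms_roundtrip() {
    name="$1"
    printf 'constructed bundle payload\n' > "$WORK/payload.bin"
    openssl cms -sign -binary -nodetach -in "$WORK/payload.bin" \
        -signer "$WORK/$name.pem" -inkey "$WORK/$name.key" \
        -outform PEM -out "$WORK/$name.cms" 2>/dev/null
    if openssl cms -verify -inform PEM -in "$WORK/$name.cms" \
        -CAfile "$WORK/ca.pem" -out /dev/null 2>"$WORK/$name.err"; then
        echo verified
    else
        echo rejected   # stderr holds "unsupported certificate purpose"
    fi
}

# The quick check to run on a certificate before touching RAUC at all:
# does it satisfy OpenSSL's S/MIME signing purpose? Prints "ok" or "rejected".
smime_purpose() {
    name="$1"
    if openssl verify -purpose smimesign -CAfile "$WORK/ca.pem" \
        "$WORK/$name.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# Stand-alone run: build the CA and both leaves, then show both outcomes.
make_ca
make_leaf codesign leaf_codesign
make_leaf codesign_smime leaf_codesign_smime
echo "codeSigning only:            cms=$(cms_roundtrip codesign) smimesign=$(smime_purpose codesign)"
echo "codeSigning+emailProtection: cms=$(cms_roundtrip codesign_smime) smimesign=$(smime_purpose codesign_smime)"
```

`openssl verify -purpose smimesign -CAfile keyring.pem my_leaf.pem` is the one-line check worth running on a certificate before using it for signing; if it fails with "unsupported certificate purpose", bundle signing with that certificate will fail for the same reason. Note that OpenSSL applies the same EKU test to the CA certificates in the chain, so an intermediate that carries extendedKeyUsage = codeSigning without emailProtection is rejected as well, which matches the reporter's observation that adding codeSigning to the intermediate did not help. OpenSSL 3 additionally knows `-purpose codesign`, which requires the codeSigning EKU instead; whether a given tool verifies against that purpose or the default smimesign one is what decides which EKU values the leaf must carry.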