[ipxe-devel] imgverify error: CMS 0xda9b4 does not contain signedData
Kuniyasu Suzaki
k.suzaki at aist.go.jp
Sun Jan 10 10:12:53 UTC 2016
Hello!
On 2016/01/09 0:08, Shao Miller wrote:
> On 1/8/2016 04:12, Kuniyasu Suzaki wrote:
>
> Hooray for Knoppix Japanese Edition! :)
I was surprised that this ML has a person who knows me.
> The error-message has a link: http://ipxe.org/3c2ae103 :
>
>> This error indicates that the file used for digital signature
>> verification (e.g. with imgverify) was not a valid digital signature
>> file.
>>
>> Things to try:
>>
>> Check that the signature file is in DER format.
>>
>> Check that the file is a valid signature file:
>>
>> openssl cms -in signature_file.sig -inform DER -cmsout -print
Thank you for your suggestion. I could confirm that “imgverify” works well.
The problem was caused by the wrong “ca.cnf”.
Instead of “ca.cnf”, I used “openssl-ca.cnf” which is used to create CA
certificate.
I added the following lines to the “openssl-ca.cnf”.
----------------------------------------------------------------------
[ codesigning ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
----------------------------------------------------------------------
The following is my memo of how I built the correct iPXE.
# openssl req -newkey rsa -keyout codesign.key -out codesign.req
# openssl ca -config openssl-ca.cnf -extensions codesigning -in codesign.req -out codesign.crt
# openssl cms -sign -binary -noattr -in vmlinuz -signer codesign.crt -inkey codesign.key -certfile CA/capem.pem -outform DER -out vmlinuz.sig
# openssl cms -in vmlinuz.sig -inform DER -cmsout -print
I confirmed that the command showed the correct answer.
After that I made a new iPXE image.
# cat codesign.crt codesign.key > codesign.sign.key
# make bin/ipxe.iso CERT=/etc/ssl/codesign.crt.key TRUST=/etc/ssl/CA/capem.pem
On the iPXE, the following commands worked well.
iPXE > kernel http://192.168.0.152/vmlinuz
http://192.168.0.152/vmlinuz ... ok
iPXE > imgverify vmlinuz http://192.168.0.152/vmlinuz.sig
http://192.168.0.152/vmlinuz.sig ok
iPXE > imgstat
vmlinuz : 5259536 bytes [bmImage] [TRUSTED] [SELECTED]
Thank you.
-------
Kuni Suzaki https://staff.aist.go.jp/k.suzaki/