[ipxe-devel] imgverify error: CMS 0xda9b4 does not contain signedData

Kuniyasu Suzaki k.suzaki at aist.go.jp
Sun Jan 10 10:12:53 UTC 2016


On 2016/01/09 0:08, Shao Miller wrote:
> On 1/8/2016 04:12, Kuniyasu Suzaki wrote:
> Hooray for Knoppix Japanese Edition! :)

I was surprised that this ML has a person who knows me.

> The error-message has a link: http://ipxe.org/3c2ae103 :
>>  This error indicates that the file used for digital signature
>> verification (e.g. with imgverify) was not a valid digital signature
>> file.
>> Things to try:
>>     Check that the signature file is in DER format.
>>     Check that the file is a valid signature file:
>>       openssl cms -in signature_file.sig -inform DER -cmsout -print

Thank you for your suggestion. I could confirm that “imgverify” works well.

The problem was caused by the wrong “ca.cnf”.

Instead of “ca.cnf”, I used “openssl-ca.cnf”, which is used to create the CA.

I added the following lines to the “openssl-ca.cnf”.


[ codesigning ]
keyUsage                = digitalSignature
extendedKeyUsage        = codeSigning



The following is my memo of how I built the correct iPXE.


# openssl req -newkey rsa -keyout codesign.key -out codesign.req
# openssl ca -config openssl-ca.cnf -extensions codesigning -in codesign.req -out codesign.crt
# openssl cms -sign -binary -noattr -in vmlinuz -signer codesign.crt -inkey codesign.key -certfile CA/capem.pem -outform DER -out vmlinuz.sig
# openssl cms -in vmlinuz.sig -inform DER -cmsout -print

I confirmed that the command showed the correct answer.


After that, I made a new iPXE image.

# cat codesign.crt codesign.key > codesign.sign.key

# make bin/ipxe.iso CERT=/etc/ssl/codesign.crt.key


On the iPXE, the following commands worked well.

iPXE > kernel ... ok
iPXE > imgverify vmlinuz ok
iPXE > imgstat
vmlinuz : 5259536 bytes [bmImage] [TRUSTED] [SELECTED]


Thank you.



Kuni Suzaki  https://staff.aist.go.jp/k.suzaki/
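
Added example (not part of the original post and not iPXE code): a Python pre-flight check for the two "Things to try" quoted in the message above, namely that the .sig file is DER rather than PEM and that its outer CMS ContentInfo carries the signedData content type. The function names and the sample bytes are constructed for illustration; only the outer header is inspected, the signature itself is not verified.

```python
import sys

# DER encoding of OID 1.2.840.113549.1.7.2 (CMS/PKCS#7 signedData)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")

# Constructed samples: ContentInfo headers only, not real signatures.
SAMPLE_SIGNED = bytes.fromhex("300f06092a864886f70d010702a0023000")
SAMPLE_DATA = bytes.fromhex("300f06092a864886f70d010701a0020400")
SAMPLE_PEM = b"-----BEGIN CMS-----\nMA8GCSqGSIb3DQEHAqACMAA=\n-----END CMS-----\n"

def read_tlv(buf, pos, limit):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > limit:
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > limit:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise ValueError("element runs past end of data")
    return tag, pos, pos + length

def check_sig(data):
    """Classify signature bytes: 'ok', 'pem', 'not-der' or 'not-signed-data'."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"                      # e.g. written without -outform DER
    try:
        tag, start, end = read_tlv(data, 0, len(data))    # ContentInfo SEQUENCE
        if tag != 0x30:
            return "not-der"
        tag, o_start, o_end = read_tlv(data, start, end)  # contentType OID
        if tag != 0x06:
            return "not-der"
    except ValueError:
        return "not-der"
    return "ok" if data[o_start:o_end] == OID_SIGNED_DATA else "not-signed-data"

if __name__ == "__main__":               # usage: python3 check_sig.py vmlinuz.sig
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_sig(f.read()))
```

A result of "ok" only means the file has the expected outer structure; the openssl cms -cmsout -print command from the message is still the way to inspect the full contents.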
