author | Luca Boccassi <luca.boccassi@microsoft.com> | 2020-10-26 19:18:39 +0000 |
---|---|---|
committer | Eric Biggers <ebiggers@google.com> | 2020-10-26 13:30:11 -0700 |
commit | 97bc1aa3775ab4ebcf59560b5d4b26f3c6fcc750 (patch) | |
tree | 7382f6aad2ea34cf6de7e641ae95f9086d4b3f2c /README.md | |
parent | 28c86c20a8dbcc9563324b163be73e28d4ca02e2 (diff) | |
download | fsverity-utils-97bc1aa3775ab4ebcf59560b5d4b26f3c6fcc750.tar.gz |

programs/fsverity: Add digest subcommand

Add a 'fsverity digest' subcommand that prints the hex-encoded digest of
the specified file(s), ready to be signed offline. By default the
output is like 'fsverity measure', but if the --for-builtin-sig option
is given, the output is the hex-encoded "struct fsverity_signed_digest"
that the kernel expects to be signed for builtin signatures.

This subcommand is useful in case the integrated signing mechanism with
local cert/key cannot be used.

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Link: https://lore.kernel.org/r/20201026191839.3329948-1-luca.boccassi@gmail.com
[EB: commit message, comment, and whitespace tweaks]
Signed-off-by: Eric Biggers <ebiggers@google.com>

Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 4 |
1 files changed, 4 insertions, 0 deletions
@@ -112,6 +112,10 @@ the set of X.509 certificates that have been loaded into the fsverity enable file --signature=file.sig rm -f file.sig sha256sum file + + # The digest to be signed can also be printed separately, hex + # encoded, in case the integrated signing cannot be used: + fsverity digest file --compact --for-builtin-sig | tr -d '\n' | xxd -p -r | openssl smime -sign -in /dev/stdin ... ``` By default, it's not required that verity files have a signature. |
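Review bot: The added comment says the digest is printed "hex encoded" but does not say that the hex has to be decoded back to raw bytes before signing, which is what the `tr -d '\n' | xxd -p -r` stage in the new command line does. A reader who adapts this to another signing tool and signs the hex text directly would get a signature over the wrong bytes, and it would not match the "struct fsverity_signed_digest" the commit message says the kernel expects. Suggest extending the comment with one line to that effect, for example "decode the hex to binary before signing". Separately, `openssl smime -sign -in /dev/stdin ...` leaves every signing option to the reader; since the resulting file is what gets passed to `fsverity enable file --signature=file.sig` a few lines above, it would help to either spell out the options needed to produce an acceptable signature or point to where in the README that format is described.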