Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755054AbbESQtI (ORCPT ); Tue, 19 May 2015 12:49:08 -0400 Received: from mx1.redhat.com ([209.132.183.28]:38471 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750747AbbESQtE (ORCPT ); Tue, 19 May 2015 12:49:04 -0400 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <20150519161902.GC23057@wotan.suse.de> References: <20150519161902.GC23057@wotan.suse.de> <20150518231304.GZ23057@wotan.suse.de> <20150515123610.16723.61913.stgit@warthog.procyon.org.uk> <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> <21177.1431716875@warthog.procyon.org.uk> <8931.1432027524@warthog.procyon.org.uk> To: "Luis R. Rodriguez" Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, linux-kernel@vger.kernel.org, seth.forshee@canonical.com, linux-security-module@vger.kernel.org, dwmw2@infradead.org Subject: Re: sign-file and detached PKCS#7 firmware signatures MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <3810.1432054137.1@warthog.procyon.org.uk> Date: Tue, 19 May 2015 17:48:57 +0100 Message-ID: <3811.1432054137@warthog.procyon.org.uk> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 957 Lines: 35 Luis R. Rodriguez wrote: > > Something like: > > > > openssl smime -verify \ > > -in $PKCS7_MESSAGE_FILE_IN_DER_FORM \ > > -inform DER \ > > -content $FIRMWARE_BLOB_NAME \ > > -inkey $PRIVATE_KEY_FILE_IN_PEM_FORM \ > > -signer $X509_CERT_FILE_IN_PEM_FORM > > > > I would guess. > > I tried a few things and no luck with that. Try this: openssl smime -verify \ -in $PKCS7_MESSAGE_FILE_IN_DER_FORM \ -inform DER \ -certfile $X509_CERT_FILE_IN_PEM_FORM \ -content $FIRMWARE_BLOB_NAME \ -binary \ -noverify \ >/dev/null Seems using -signer with -verify isn't a good idea as -signer refers to an output file during verification just for the surprise factor. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/