clear-linux-documentation/guides/maintenance/validate-signatures.html
2024-11-04 18:48:51 +00:00


<!DOCTYPE html>
<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Validate signatures &#8212; Documentation for Clear Linux* project</title>
<link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
<link rel="stylesheet" type="text/css" href="../../_static/bizstyle.css?v=5283bb3d" />
<link rel="stylesheet" type="text/css" href="../../_static/copybutton.css?v=76b2166b" />
<script src="../../_static/documentation_options.js?v=5929fcd5"></script>
<script src="../../_static/doctools.js?v=9bcbadda"></script>
<script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<script src="../../_static/clipboard.min.js?v=a7894cd8"></script>
<script src="../../_static/copybutton.js?v=a56c686a"></script>
<script src="../../_static/bizstyle.js"></script>
<link rel="canonical" href="https://clearlinux.github.io/clear-linux-documentation/guides/maintenance/validate-signatures.html" />
<link rel="icon" href="../../_static/favicon.ico"/>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
<link rel="next" title="Assign a static IP address" href="../network/assign-static-ip.html" />
<link rel="prev" title="Restart system services after an OS update" href="restart.html" />
<!--[if lt IE 9]>
<script src="_static/css3-mediaqueries.js"></script>
<![endif]-->
</head><body>
<div class="related" role="navigation" aria-label="Related">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../../genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="../network/assign-static-ip.html" title="Assign a static IP address"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="restart.html" title="Restart system services after an OS update"
accesskey="P">previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../../index.html">Documentation for Clear Linux* project</a> &#187;</li>
<li class="nav-item nav-item-1"><a href="../index.html" accesskey="U">Guides</a> &#187;</li>
<li class="nav-item nav-item-this"><a href="">Validate signatures</a></li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<section id="validate-signatures">
<span id="id1"></span><h1>Validate signatures<a class="headerlink" href="#validate-signatures" title="Link to this heading"></a></h1>
<p>This guide describes how to validate the contents of a Clear Linux* OS image.</p>
<nav class="contents local" id="contents">
<ul class="simple">
<li><p><a class="reference internal" href="#overview" id="id3">Overview</a></p></li>
<li><p><a class="reference internal" href="#image-content-validation" id="id4">Image content validation</a></p></li>
<li><p><a class="reference internal" href="#update-content-validation" id="id5">Update content validation</a></p></li>
</ul>
</nav>
<section id="overview">
<h2><a class="toc-backref" href="#id3" role="doc-backlink">Overview</a><a class="headerlink" href="#overview" title="Link to this heading"></a></h2>
<p>Validating the contents of an image is a manual process; it uses the same
signature check that <a class="reference internal" href="../clear/swupd.html#swupd-guide"><span class="std std-ref">swupd</span></a> performs internally on update content.</p>
<p>Clear Linux OS offers a way to validate the content of an image or an update. All
validation works by signing a hash: the project signs either a hash of the
content (for an image) or the content itself (for the small update manifest),
and you verify that signature against the Clear Linux OS signing certificate.
Because the certificate is downloaded from the same CDN as the content, its
published SHA256 fingerprint, given in the steps below, is the real trust
anchor and must be checked first. A valid signature then creates a chain of
trust from that certificate to the content. A broken chain of trust, seen as
an invalid signature, means the content is not valid and must not be used.</p>
</section>
<section id="image-content-validation">
<span id="id2"></span><h2><a class="toc-backref" href="#id4" role="doc-backlink">Image content validation</a><a class="headerlink" href="#image-content-validation" title="Link to this heading"></a></h2>
<p>In the steps below, we used the installer image of the latest release
of Clear Linux OS. You may use any image of Clear Linux OS you choose.</p>
<ol class="arabic">
<li><p>Download the image, the signature of the SHA512 sum of the image, and the
Clear Linux OS certificate used for signing the SHA512 sum. All three are served
from the same CDN, so the certificate on its own proves nothing: steps 2 and 3
check it against the fingerprint published here before it is trusted.</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="gp"># </span>Image
<span class="go">curl -O https://cdn.download.clearlinux.org/current/clear-$(curl https://cdn.download.clearlinux.org/latest)-installer.img.xz</span>
<span class="gp"># </span>Signature<span class="w"> </span>of<span class="w"> </span>SHA512<span class="w"> </span>sum<span class="w"> </span>of<span class="w"> </span>image
<span class="go">curl -O https://cdn.download.clearlinux.org/current/clear-$(curl https://cdn.download.clearlinux.org/latest)-installer.img.xz-SHA512SUMS.sig</span>
<span class="gp"># </span>Certificate
<span class="go">curl -O https://cdn.download.clearlinux.org/releases/$(curl https://cdn.download.clearlinux.org/latest)/clear/ClearLinuxRoot.pem</span>
</pre></div>
</div>
</li>
<li><p>Generate the SHA256 sum of the Clear Linux OS certificate.</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">sha256sum ClearLinuxRoot.pem</span>
</pre></div>
</div>
</li>
<li><p>Ensure the generated SHA256 sum of the Clear Linux OS certificate matches the
following SHA256 sum to verify the integrity of the certificate.</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">4b0ca67300727477913c331ff124928a98bcf2fb12c011a855f17cd73137a890 ClearLinuxRoot.pem</span>
</pre></div>
</div>
</li>
<li><p>Generate the SHA512 sum of the image and save it to a file.</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">sha512sum clear-$(curl https://cdn.download.clearlinux.org/latest)-installer.img.xz &gt; sha512sum.out</span>
</pre></div>
</div>
</li>
<li><p>Ensure the signature of the SHA512 sum of the image was created using the
Clear Linux OS certificate. This confirms that the image is trusted and has not
been modified. The signed content is the exact line that <strong class="command">sha512sum</strong>
prints, hash and file name, so the image must be hashed under its original
name from the directory it was downloaded to; a renamed image fails to verify
even when it is intact.</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">openssl smime -verify -purpose any -in clear-$(curl https://cdn.download.clearlinux.org/latest)-installer.img.xz-SHA512SUMS.sig -inform der -content sha512sum.out -CAfile ClearLinuxRoot.pem</span>
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The <strong class="command">-purpose any</strong> option is required on OpenSSL 1.1 and
later, including OpenSSL 3, because the signing certificate does not carry the
S/MIME purpose that <strong class="command">openssl smime -verify</strong> checks by default.
If you use an earlier version of OpenSSL, omit this option to perform
signature validation. The <strong class="command">openssl version</strong> command may be used
to determine the version of OpenSSL in use.</p>
</div>
</li>
<li><p>The output should contain “Verification successful”. OpenSSL prints that
message on stderr and echoes the verified content on stdout, and exits with
status 0 only on success, so a script should check the exit status rather than
search the output. Any other outcome, whether a “bad_signature” error, a
certificate verification error, or a non-zero exit status, means the image is
not trustworthy and should be deleted.</p></li>
</ol>
</section>
<section id="update-content-validation">
<h2><a class="toc-backref" href="#id5" role="doc-backlink">Update content validation</a><a class="headerlink" href="#update-content-validation" title="Link to this heading"></a></h2>
<p><strong>swupd</strong> validates all update content automatically before applying the
update content. The process swupd follows internally is illustrated here
with manual steps using the latest Clear Linux OS release. There is no need to perform
these steps manually when performing a <strong class="command">swupd update</strong>.</p>
<ol class="arabic">
<li><p>Download the <abbr title="top-level manifest">MoM</abbr>, the signature of the MoM,
and the Swupd certificate used to sign the MoM. As with the image, all three
come from the same CDN, so the certificate fingerprint in steps 2 and 3 is what
makes the rest of the check meaningful.</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="gp"># </span>MoM
<span class="go">curl -O https://cdn.download.clearlinux.org/update/$(curl https://cdn.download.clearlinux.org/latest)/Manifest.MoM</span>
<span class="gp"># </span>Signature<span class="w"> </span>of<span class="w"> </span>MoM
<span class="go">curl -O https://cdn.download.clearlinux.org/update/$(curl https://cdn.download.clearlinux.org/latest)/Manifest.MoM.sig</span>
<span class="gp"># </span>Swupd<span class="w"> </span>certificate
<span class="go">curl -O https://cdn.download.clearlinux.org/releases/$(curl https://cdn.download.clearlinux.org/latest)/clear/Swupd_Root.pem</span>
</pre></div>
</div>
</li>
<li><p>Generate the SHA256 sum of the swupd certificate.</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">sha256sum Swupd_Root.pem</span>
</pre></div>
</div>
</li>
<li><p>Confirm that the generated SHA256 sum of the swupd certificate matches the
SHA256 sum shown below to verify the integrity of the certificate.</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">ff06fc76ec5148040acb4fcb2bc8105cc72f1963b55de0daf3a4ed664c6fe72c Swupd_Root.pem</span>
</pre></div>
</div>
</li>
<li><p>Confirm that the signature of the MoM was created using the Swupd
certificate. A valid signature shows that the MoM is genuine and has not been
modified; the bundle content is then trusted indirectly, through the hashes the
MoM carries.</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">openssl smime -verify -purpose any -in Manifest.MoM.sig -inform der -content Manifest.MoM -CAfile Swupd_Root.pem</span>
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The <strong class="command">-purpose any</strong> option is required on OpenSSL 1.1 and
later, including OpenSSL 3, because the signing certificate does not carry the
S/MIME purpose that <strong class="command">openssl smime -verify</strong> checks by default.
If you use an earlier version of OpenSSL, omit this option to perform
signature validation. The <strong class="command">openssl version</strong> command may be used
to determine the version of OpenSSL in use.</p>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The SHA512 sum of the MoM is not generated and then signed. Instead, the
MoM is signed directly because it is small in size compared to an image of
Clear Linux OS.</p>
</div>
</li>
<li><p>The output should contain “Verification successful”, and the command should
exit with status 0; as with the image check, rely on the exit status rather
than on searching the output. If the output contains “bad_signature” anywhere,
or verification fails for any other reason, then the MoM cannot be trusted.
The MoM lists a hash for each bundle manifest, and each bundle manifest in
turn lists a hash for every file it installs, so a trusted MoM anchors every
file swupd writes to disk. If the MoM cannot be trusted, nothing below it can
be trusted either.</p></li>
</ol>
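<p>The image procedure and the update procedure share one verification step, so
the following script shows both together. It is an added example, not code from
the Clear Linux project: because the project's private keys are not available,
it generates a throwaway self-signed certificate and key (<code>DemoRoot.pem</code>,
<code>demo.key</code>, standing in for <code>ClearLinuxRoot.pem</code> and
<code>Swupd_Root.pem</code>), a constructed stand-in image, and a constructed
<code>Manifest.MoM</code> whose bundle line is illustrative only. It signs them
in the same detached DER PKCS#7 shape as the project's <code>.sig</code> files and
verifies with the exact <strong class="command">openssl smime -verify</strong> invocation used in
the steps above. The function names <code>verify_signed</code>,
<code>verify_image</code>, <code>verify_mom</code> and their return codes are this example's
own choices. It goes beyond the page in three ways: it pins the certificate
fingerprint before trusting the certificate, it relies on the exit status
instead of searching the output, and it shows that a wrong fingerprint or a
single appended byte is rejected. It needs <strong class="command">openssl</strong> and GNU
coreutils (<strong class="command">sha256sum</strong>, <strong class="command">sha512sum</strong>).</p>

```shell
#!/bin/sh
# Added example, not code from the Clear Linux project. The demo signer,
# the stand-in image and the stand-in Manifest.MoM are constructed here;
# only the openssl and sha*sum invocations mirror the page.
set -u

# verify_signed CONTENT SIG CERT PIN
# Verifies the detached DER PKCS#7 signature SIG over CONTENT with CERT, but
# only after CERT matches the pinned SHA256 fingerprint PIN. The certificate
# comes from the same CDN as the content, so the published fingerprint is the
# actual trust anchor. Returns 0 on success, 2 on a fingerprint mismatch,
# 3 when the signature does not verify.
verify_signed() {
    content=$1; sig=$2; cert=$3; pin=$4
    actual=$(sha256sum "$cert" | cut -d' ' -f1)
    [ "$actual" = "$pin" ] || return 2
    # "Verification successful" goes to stderr; rely on the exit status.
    # -purpose any is needed on OpenSSL 1.1 and later.
    openssl smime -verify -purpose any -in "$sig" -inform der \
        -content "$content" -CAfile "$cert" -out /dev/null 2>/dev/null \
        || return 3
    return 0
}

# verify_image IMAGE SIG CERT PIN: the image procedure. What was signed is
# the sha512sum line "<hash>  <name>", so the image has to be hashed under
# its original file name, from its own directory, or the bytes differ.
verify_image() {
    sums=$(mktemp)
    (cd "$(dirname "$1")" && sha512sum "$(basename "$1")") > "$sums"
    verify_signed "$sums" "$2" "$3" "$4" && rc=0 || rc=$?
    rm -f "$sums"
    return $rc
}

# verify_mom MOM SIG CERT PIN: the update procedure. The MoM is small, so it
# is signed directly instead of through a hash file.
verify_mom() { verify_signed "$1" "$2" "$3" "$4"; }

# sign_demo FILE CERT KEY: detached PKCS#7 signature in DER, written to
# FILE.sig. -binary stops openssl from rewriting line endings before signing,
# which would not match the bytes hashed at verification time.
sign_demo() {
    openssl smime -sign -binary -in "$1" -signer "$2" -inkey "$3" \
        -outform der -out "$1.sig"
}

# make_demo_release DIR: stand-in image, stand-in MoM and throwaway signer.
# Prints the certificate fingerprint a real release publishes out of band.
make_demo_release() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=demo signer (not a Clear Linux key)' \
        -keyout "$dir/demo.key" -out "$dir/DemoRoot.pem" 2>/dev/null
    printf 'not a real installer image\n' > "$dir/demo-installer.img.xz"
    (cd "$dir" && sha512sum demo-installer.img.xz) \
        > "$dir/demo-installer.img.xz-SHA512SUMS"
    sign_demo "$dir/demo-installer.img.xz-SHA512SUMS" "$dir/DemoRoot.pem" "$dir/demo.key"
    # Constructed MoM: a header, then one line per bundle manifest carrying
    # its hash. The fields are illustrative, not a real swupd manifest.
    printf 'MANIFEST\t1\nversion:\t1\n\nM...\t%s\t1\tos-core\n' \
        "$(printf '%064d' 0)" > "$dir/Manifest.MoM"
    sign_demo "$dir/Manifest.MoM" "$dir/DemoRoot.pem" "$dir/demo.key"
    sha256sum "$dir/DemoRoot.pem" | cut -d' ' -f1
}

# exit_code_of CMD...: run CMD and print its exit status instead of failing.
exit_code_of() { "$@" && echo 0 || echo $?; }

# demo: good image, good MoM, wrong fingerprint, tampered image.
demo() {
    dir=$(mktemp -d)
    pin=$(make_demo_release "$dir")
    cert=$dir/DemoRoot.pem
    img=$dir/demo-installer.img.xz
    mom=$dir/Manifest.MoM
    good_img=$(exit_code_of verify_image "$img" "$img-SHA512SUMS.sig" "$cert" "$pin")
    good_mom=$(exit_code_of verify_mom "$mom" "$mom.sig" "$cert" "$pin")
    badpin=$(exit_code_of verify_mom "$mom" "$mom.sig" "$cert" "$(printf '%064d' 0)")
    printf 'x' >> "$img"      # one byte of tampering after signing
    tampered=$(exit_code_of verify_image "$img" "$img-SHA512SUMS.sig" "$cert" "$pin")
    rm -rf "$dir"
    echo "$good_img $good_mom $badpin $tampered"   # 0 0 2 3
}

demo
```

<p>To check a real download with the same functions, pass the downloaded image or
<code>Manifest.MoM</code>, its <code>.sig</code> file, the downloaded certificate, and the
fingerprint printed on this page; the functions never fetch anything themselves.
The tampered case fails at the signature step (return code 3) rather than at the
fingerprint step, which is the point of verifying the hash you computed rather
than the hash file the server offered.</p>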
</section>
</section>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="Main">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="../../index.html">
<img class="logo" src="../../_static/clearlinux.png" alt="Logo of Clear Linux* Project Docs"/>
</a></p>
<div>
<h3><a href="../../index.html">Table of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Validate signatures</a><ul>
<li><a class="reference internal" href="#overview">Overview</a></li>
<li><a class="reference internal" href="#image-content-validation">Image content validation</a></li>
<li><a class="reference internal" href="#update-content-validation">Update content validation</a></li>
</ul>
</li>
</ul>
</div>
<div>
<h4>Previous topic</h4>
<p class="topless"><a href="restart.html"
title="previous chapter">Restart system services after an OS update</a></p>
</div>
<div>
<h4>Next topic</h4>
<p class="topless"><a href="../network/assign-static-ip.html"
title="next chapter">Assign a static IP address</a></p>
</div>
<div role="note" aria-label="source link">
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../../_sources/guides/maintenance/validate-signatures.rst.txt"
rel="nofollow">Show Source</a></li>
</ul>
</div>
<search id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="../../search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false"/>
<input type="submit" value="Go" />
</form>
</div>
</search>
<script>document.getElementById('searchbox').style.display = "block"</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="Related">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../../genindex.html" title="General Index"
>index</a></li>
<li class="right" >
<a href="../network/assign-static-ip.html" title="Assign a static IP address"
>next</a> |</li>
<li class="right" >
<a href="restart.html" title="Restart system services after an OS update"
>previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../../index.html">Documentation for Clear Linux* project</a> &#187;</li>
<li class="nav-item nav-item-1"><a href="../index.html" >Guides</a> &#187;</li>
<li class="nav-item nav-item-this"><a href="">Validate signatures</a></li>
</ul>
</div>
<div class="footer" role="contentinfo">
&#169; Copyright 2022 Intel Corporation. All Rights Reserved.
Last updated on Nov 04, 2024.
Created using <a href="https://www.sphinx-doc.org/">Sphinx</a> 8.1.3.
</div>
</body>
</html>