Rather than duplicating the key & certificate loading in each tool,
unify it in a fileio object.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Rather than setting ->sigbuf directly, add two functions to handle image
signature addition and removal:
image_add_signature(image, sig, sigsize);
image_remove_signature(image);
And warn when a signature is to be overwritten.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
We're using OpenSSL, so need to grant binary distrbutors permission to
link with it.
Cleared with current contributors.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
The current incarnation of sbsign doesn't all all ciphers to OpenSSL
meaning that if the private key is encrypted, it can't decrypt it and
instead it returns the unhelpful error message
error reading private key ../certs/PK.key
Fix this by adding all ciphers before trying to read the private key.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Rather than requiring an explicit image_pecoff_parse, do it
unconditionally in image_load. We don't have any instances where we need
to do this separately.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Change image_write_signed to image_write, and conditionally write the
signature if one is present.
This will allow us to write unsigned images when detaching a sig from an
image.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
The optstrings for sbsign and sbverify are out of sync with the long
options, this change brings them up to date.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Add an option (--detached) to sbsign, which creates a detached
signature, rather than embedding it in the PE/COFF signature table.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Update the usage output of sbsign and sbverify so that it can be better
parsed by help2man. Also, add --version and --help.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>