From c4ce9e7880b13a62c9f27ca3962489a66a0b2719 Mon Sep 17 00:00:00 2001
From: Mitchell R <root@mitchellr.info>
Date: Thu, 21 May 2026 15:45:26 +0200
Subject: [PATCH] fix(rauc): switch signing keys from Ed25519 to ECDSA P-256
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RAUC uses OpenSSL CMS signing. CMS doesn't support Ed25519 on
OpenSSL < 3.2 — Ubuntu 24.04 ships 3.0.13 → "pkey nid=1087" error.
ECDSA P-256 is universally supported in CMS, fast, and small.

Operator must regenerate keys + re-set GitHub secrets:
  rm -rf rauc-signing
  bash scripts/gen-rauc-signing-keys.sh
  cp rauc-signing/ca-cert.pem deploy/rauc/ca-cert.pem
  git add + commit + push
  Update BF_RAUC_SIGNING_CERT + BF_RAUC_SIGNING_KEY secrets
---
 scripts/gen-rauc-signing-keys.ps1 | 10 ++++++----
 scripts/gen-rauc-signing-keys.sh  | 11 +++++++----
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/scripts/gen-rauc-signing-keys.ps1 b/scripts/gen-rauc-signing-keys.ps1
index 8e8f434..2727ad5 100644
--- a/scripts/gen-rauc-signing-keys.ps1
+++ b/scripts/gen-rauc-signing-keys.ps1
@@ -28,13 +28,15 @@ New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
 Push-Location $OutDir
 
 try {
-    Write-Host "==> Generating CA (Ed25519, 10 year validity)"
-    openssl genpkey -algorithm ED25519 -out ca-key.pem
+    # ECDSA P-256 — RAUC uses OpenSSL CMS which doesn't support Ed25519 on
+    # OpenSSL < 3.2 (Ubuntu 24.04 ships 3.0). P-256 is universally supported.
+    Write-Host "==> Generating CA (ECDSA P-256, 10 year validity)"
+    openssl ecparam -genkey -name prime256v1 -noout -out ca-key.pem
     openssl req -new -x509 -days 3650 -key ca-key.pem `
         -subj "/CN=BetterFrame RAUC CA" -out ca-cert.pem
 
-    Write-Host "==> Generating signing cert (Ed25519, 2 year validity)"
-    openssl genpkey -algorithm ED25519 -out signing-key.pem
+    Write-Host "==> Generating signing cert (ECDSA P-256, 2 year validity)"
+    openssl ecparam -genkey -name prime256v1 -noout -out signing-key.pem
     openssl req -new -key signing-key.pem `
         -subj "/CN=BetterFrame RAUC Signing" -out signing.csr
     openssl x509 -req -in signing.csr -CA ca-cert.pem -CAkey ca-key.pem `
diff --git a/scripts/gen-rauc-signing-keys.sh b/scripts/gen-rauc-signing-keys.sh
index e287ff3..8617d49 100755
--- a/scripts/gen-rauc-signing-keys.sh
+++ b/scripts/gen-rauc-signing-keys.sh
@@ -25,13 +25,16 @@ if [ -f ca-cert.pem ]; then
   exit 1
 fi
 
-echo "==> Generating CA (Ed25519, 10 year validity)"
-openssl genpkey -algorithm ED25519 -out ca-key.pem
+# ECDSA P-256 — RAUC uses OpenSSL CMS signing which doesn't support
+# Ed25519 on OpenSSL < 3.2 (Ubuntu 24.04 ships 3.0). P-256 is universally
+# supported, fast, and small.
+echo "==> Generating CA (ECDSA P-256, 10 year validity)"
+openssl ecparam -genkey -name prime256v1 -noout -out ca-key.pem
 MSYS_NO_PATHCONV=1 openssl req -new -x509 -days 3650 -key ca-key.pem \
   -subj "/CN=BetterFrame RAUC CA" -out ca-cert.pem
 
-echo "==> Generating signing cert (Ed25519, 2 year validity)"
-openssl genpkey -algorithm ED25519 -out signing-key.pem
+echo "==> Generating signing cert (ECDSA P-256, 2 year validity)"
+openssl ecparam -genkey -name prime256v1 -noout -out signing-key.pem
 MSYS_NO_PATHCONV=1 openssl req -new -key signing-key.pem \
   -subj "/CN=BetterFrame RAUC Signing" -out signing.csr
 openssl x509 -req -in signing.csr -CA ca-cert.pem -CAkey ca-key.pem \