BetterCorp/BetterFrame
1
0
Fork 0
mirror of https://github.com/BetterCorp/BetterFrame.git synced 2026-05-26 16:56:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

fix(rauc): switch signing keys from Ed25519 to ECDSA P-256

Browse source 
RAUC uses OpenSSL CMS signing. CMS doesn't support Ed25519 on
OpenSSL < 3.2 — Ubuntu 24.04 ships 3.0.13 → "pkey nid=1087" error.
ECDSA P-256 is universally supported in CMS, fast, and small.

Operator must regenerate keys + re-set GitHub secrets:
  rm -rf rauc-signing
  bash scripts/gen-rauc-signing-keys.sh
  cp rauc-signing/ca-cert.pem deploy/rauc/ca-cert.pem
  git add + commit + push
  Update BF_RAUC_SIGNING_CERT + BF_RAUC_SIGNING_KEY secrets
This commit is contained in:
Mitchell R 2026-05-21 15:45:26 +02:00
parent 6e10913380
commit c4ce9e7880
No known key found for this signature in database
2 changed files with 13 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
scripts/gen-rauc-signing-keys.ps1
View file

@ -28,13 +28,15 @@ New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
Push-Location $OutDir Push-Location $OutDir
try { try {
Write-Host "==> Generating CA (Ed25519, 10 year validity)" # ECDSA P-256 — RAUC uses OpenSSL CMS which doesn't support Ed25519 on
openssl genpkey -algorithm ED25519 -out ca-key.pem # OpenSSL < 3.2 (Ubuntu 24.04 ships 3.0). P-256 is universally supported.
Write-Host "==> Generating CA (ECDSA P-256, 10 year validity)"
openssl ecparam -genkey -name prime256v1 -noout -out ca-key.pem
openssl req -new -x509 -days 3650 -key ca-key.pem ` openssl req -new -x509 -days 3650 -key ca-key.pem `
-subj "/CN=BetterFrame RAUC CA" -out ca-cert.pem -subj "/CN=BetterFrame RAUC CA" -out ca-cert.pem
Write-Host "==> Generating signing cert (Ed25519, 2 year validity)" Write-Host "==> Generating signing cert (ECDSA P-256, 2 year validity)"
openssl genpkey -algorithm ED25519 -out signing-key.pem openssl ecparam -genkey -name prime256v1 -noout -out signing-key.pem
openssl req -new -key signing-key.pem ` openssl req -new -key signing-key.pem `
-subj "/CN=BetterFrame RAUC Signing" -out signing.csr -subj "/CN=BetterFrame RAUC Signing" -out signing.csr
openssl x509 -req -in signing.csr -CA ca-cert.pem -CAkey ca-key.pem ` openssl x509 -req -in signing.csr -CA ca-cert.pem -CAkey ca-key.pem `

11
scripts/gen-rauc-signing-keys.sh
View file

@ -25,13 +25,16 @@ if [ -f ca-cert.pem ]; then
exit 1 exit 1
fi fi
echo "==> Generating CA (Ed25519, 10 year validity)" # ECDSA P-256 — RAUC uses OpenSSL CMS signing which doesn't support
openssl genpkey -algorithm ED25519 -out ca-key.pem # Ed25519 on OpenSSL < 3.2 (Ubuntu 24.04 ships 3.0). P-256 is universally
# supported, fast, and small.
echo "==> Generating CA (ECDSA P-256, 10 year validity)"
openssl ecparam -genkey -name prime256v1 -noout -out ca-key.pem
MSYS_NO_PATHCONV=1 openssl req -new -x509 -days 3650 -key ca-key.pem \ MSYS_NO_PATHCONV=1 openssl req -new -x509 -days 3650 -key ca-key.pem \
-subj "/CN=BetterFrame RAUC CA" -out ca-cert.pem -subj "/CN=BetterFrame RAUC CA" -out ca-cert.pem
echo "==> Generating signing cert (Ed25519, 2 year validity)" echo "==> Generating signing cert (ECDSA P-256, 2 year validity)"
openssl genpkey -algorithm ED25519 -out signing-key.pem openssl ecparam -genkey -name prime256v1 -noout -out signing-key.pem
MSYS_NO_PATHCONV=1 openssl req -new -key signing-key.pem \ MSYS_NO_PATHCONV=1 openssl req -new -key signing-key.pem \
-subj "/CN=BetterFrame RAUC Signing" -out signing.csr -subj "/CN=BetterFrame RAUC Signing" -out signing.csr
openssl x509 -req -in signing.csr -CA ca-cert.pem -CAkey ca-key.pem \ openssl x509 -req -in signing.csr -CA ca-cert.pem -CAkey ca-key.pem \