BetterCorp/BetterFrame
1
0
Fork 0
mirror of https://github.com/BetterCorp/BetterFrame.git synced 2026-05-26 17:56:34 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

chore: add Windows PowerShell version of RAUC key gen script

Browse source
This commit is contained in:
Mitchell R 2026-05-21 13:40:05 +02:00
parent 87c4dbb2bc
commit f339fe8e67
No known key found for this signature in database
1 changed files with 64 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
scripts/gen-rauc-signing-keys.ps1 Normal file
View file

@ -0,0 +1,64 @@
# Generate the RAUC signing-cert PAIR used to sign OS bundles.
# Run ONCE per deployment. Requires OpenSSL in PATH (e.g. via Git for Windows,
# choco install openssl, or winget install ShiningLight.OpenSSL).
#
# Outputs (written to ./rauc-signing/):
# ca-cert.pem - embed in kiosk image at /etc/rauc/keyring.pem
# ca-key.pem - KEEP OFFLINE. Only used to issue new signing certs.
# signing-cert.pem - GitHub Actions secret BF_RAUC_SIGNING_CERT
# signing-key.pem - GitHub Actions secret BF_RAUC_SIGNING_KEY
param(
[string]$OutDir = ".\rauc-signing"
)
$ErrorActionPreference = "Stop"
if (-not (Get-Command openssl -ErrorAction SilentlyContinue)) {
Write-Error "openssl not found in PATH. Install via: winget install ShiningLight.OpenSSL"
exit 1
}
if (Test-Path "$OutDir\ca-cert.pem") {
Write-Error "Refusing to overwrite existing keys at $OutDir - delete first if intentional"
exit 1
}
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
Push-Location $OutDir
try {
Write-Host "==> Generating CA (Ed25519, 10 year validity)"
openssl genpkey -algorithm ED25519 -out ca-key.pem
openssl req -new -x509 -days 3650 -key ca-key.pem `
-subj "/CN=BetterFrame RAUC CA" -out ca-cert.pem
Write-Host "==> Generating signing cert (Ed25519, 2 year validity)"
openssl genpkey -algorithm ED25519 -out signing-key.pem
openssl req -new -key signing-key.pem `
-subj "/CN=BetterFrame RAUC Signing" -out signing.csr
openssl x509 -req -in signing.csr -CA ca-cert.pem -CAkey ca-key.pem `
-CAcreateserial -days 730 -out signing-cert.pem
Remove-Item -Force signing.csr, ca-cert.srl -ErrorAction SilentlyContinue
Write-Host ""
Write-Host "==> Done. Next steps:"
Write-Host ""
Write-Host "1. Commit CA cert into repo:"
Write-Host " Copy-Item $(Resolve-Path ca-cert.pem) ..\deploy\rauc\ca-cert.pem"
Write-Host " git add deploy/rauc/ca-cert.pem"
Write-Host " git commit -m 'chore(rauc): commit CA cert'"
Write-Host " git push"
Write-Host ""
Write-Host "2. Set GitHub Actions secrets (Settings > Secrets > Actions):"
Write-Host " BF_RAUC_SIGNING_CERT = contents of $(Resolve-Path signing-cert.pem)"
Write-Host " BF_RAUC_SIGNING_KEY = contents of $(Resolve-Path signing-key.pem)"
Write-Host ""
Write-Host "3. STORE ca-key.pem OFFLINE. Only needed to issue replacement signing certs."
Write-Host ""
Get-ChildItem | Format-Table Name, Length
}
finally {
Pop-Location
}