BetterCorp/BetterFrame
1
0
Fork 0
mirror of https://github.com/BetterCorp/BetterFrame.git synced 2026-05-26 16:56:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
BetterFrame/scripts/gen-rauc-signing-keys.sh
Mitchell R c4ce9e7880
fix(rauc): switch signing keys from Ed25519 to ECDSA P-256 
RAUC uses OpenSSL CMS signing. CMS doesn't support Ed25519 on
OpenSSL < 3.2 — Ubuntu 24.04 ships 3.0.13 → "pkey nid=1087" error.
ECDSA P-256 is universally supported in CMS, fast, and small.

Operator must regenerate keys + re-set GitHub secrets:
  rm -rf rauc-signing
  bash scripts/gen-rauc-signing-keys.sh
  cp rauc-signing/ca-cert.pem deploy/rauc/ca-cert.pem
  git add + commit + push
  Update BF_RAUC_SIGNING_CERT + BF_RAUC_SIGNING_KEY secrets
2026-05-21 15:45:26 +02:00

62 lines
2.5 KiB
Bash
Executable file
Raw Blame History

#!/usr/bin/env bash
# Generate the RAUC signing-cert PAIR used to sign OS bundles. Run ONCE per
# deployment; ALL kiosks built afterward must embed the matching CA cert
# in /etc/rauc/keyring.pem to accept bundles signed with this key.
#
# Outputs (written to ./rauc-signing/, .gitignored):
# ca-cert.pem — embed in kiosk image at /etc/rauc/keyring.pem
# ca-key.pem — KEEP OFFLINE. Only used to issue new signing certs.
# signing-cert.pem — committed to GitHub Actions secret BF_RAUC_SIGNING_CERT
# signing-key.pem — committed to GitHub Actions secret BF_RAUC_SIGNING_KEY
#
# RAUC accepts any OpenSSL-supported key inside an X.509 cert. We use
# Ed25519 because the cert chain stays small and verification is fast on
# the Pi. CA cert is self-signed; signing cert is issued by the CA. If
# the signing cert is ever leaked, revoke by rotating it under the same
# CA — kiosks don't need a re-flash, only a CRL update (future work).
set -euo pipefail
OUT_DIR="${1:-./rauc-signing}"
mkdir -p "$OUT_DIR"
cd "$OUT_DIR"
if [ -f ca-cert.pem ]; then
echo "refusing to overwrite existing keys at $OUT_DIR — delete first if intentional"
exit 1
fi
# ECDSA P-256 — RAUC uses OpenSSL CMS signing which doesn't support
# Ed25519 on OpenSSL < 3.2 (Ubuntu 24.04 ships 3.0). P-256 is universally
# supported, fast, and small.
echo "==> Generating CA (ECDSA P-256, 10 year validity)"
openssl ecparam -genkey -name prime256v1 -noout -out ca-key.pem
MSYS_NO_PATHCONV=1 openssl req -new -x509 -days 3650 -key ca-key.pem \
-subj "/CN=BetterFrame RAUC CA" -out ca-cert.pem
echo "==> Generating signing cert (ECDSA P-256, 2 year validity)"
openssl ecparam -genkey -name prime256v1 -noout -out signing-key.pem
MSYS_NO_PATHCONV=1 openssl req -new -key signing-key.pem \
-subj "/CN=BetterFrame RAUC Signing" -out signing.csr
openssl x509 -req -in signing.csr -CA ca-cert.pem -CAkey ca-key.pem \
-CAcreateserial -days 730 -out signing-cert.pem
rm -f signing.csr ca-cert.srl
chmod 600 ca-key.pem signing-key.pem
cat <<EOF
==> Done. Next steps:
1. Embed CA cert in the image at /etc/rauc/keyring.pem
(commit ca-cert.pem to repo; pi-gen stage will install it).
2. Set GitHub Actions secrets (Settings → Secrets → Actions):
BF_RAUC_SIGNING_CERT = $(realpath signing-cert.pem) contents
BF_RAUC_SIGNING_KEY = $(realpath signing-key.pem) contents
3. STORE ca-key.pem OFFLINE. It's used only to issue replacement signing
certs if the live signing key is rotated. Treat like a root password.
Files:
$(ls -la)
EOF
Reference in a new issue View git blame Copy permalink