Not sure if you want to use the same tool again, but GenerateCapsule can be used to validate them too - it runs 'openssl smime -verify'. e.g.:

bcran@delano:/tiano> GenerateCapsule --signer-private-cert certs/cert.pem --other-public-cert certs/intermediate.pub.pem --trusted-public-cert certs/root.pub.pem -d ./Build/ComHpcAlt/comhpcalt_host_debug_24.11.21-10.cap -o out.bin
bcran@delano:/tiano>


When there's no output, verification passed. Otherwise a message will be displayed (though the exit code is still 0, which I guess is a bug). If I edit the capsule file or pass in the wrong certificate file, then I get:

Verification failure
E06A93BAFFFF0000:error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: unable to get local issuer certificate

GenerateCapsule: warning: payload verification failed Index = 1
GenerateCapsule: error: openssl failed.


Otherwise, similar to Mike's suggestion of using CapsuleApp, you can also build a cabinet file and run e.g. "fwupdtool install comhpcalt_host_debug_24.11.21-10.cab" from the test machine to check if the verification succeeds and the capsule gets installed.


Rebecca


On 11/18/24 12:15 PM, james.last via groups.io wrote:
We're working on a tool similar to GenerateCapsule but that uses HSM-based keys to perform the signing instead of a local key file. Is there a standalone tool or recommended method to validate the capsules are generated correctly using the cert chain?


View/Reply Online (#120812): https://edk2.groups.io/g/devel/message/120812