Not sure if you want to use the same tool again, but GenerateCapsule can
be used to validate them too - it runs 'openssl smime -verify'. e.g.:
bcran@delano:/tiano> GenerateCapsule --signer-private-cert
certs/cert.pem --other-public-cert certs/intermediate.pub.pem
--trusted-public-cert certs/root.pub.pem -d
./Build/ComHpcAlt/comhpcalt_host_debug_24.11.21-10.cap -o out.bin
bcran@delano:/tiano>
When there's no output, verification passed. Otherwise a message will be
displayed (though the exit code is still 0, which I guess is a bug). If
I edit the capsule file or pass in the wrong certificate file, then I get:
Verification failure
E06A93BAFFFF0000:error:10800075:PKCS7 routines:PKCS7_verify:certificate
verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: unable to get
local issuer certificate
GenerateCapsule: warning: payload verification failed Index = 1
GenerateCapsule: error: openssl failed.
Otherwise, similar to Mike's suggestion of using CapsuleApp you can also
build a cabinet file and run e.g. "fwupdtool install
comhpcalt_host_debug_24.11.21-10.cab" from the test machine to check if
the verification succeeds and the capsule gets installed.
Rebecca
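Added example (not from GenerateCapsule, edk2, or either message in this thread): the same openssl check done directly, so that a failure shows up in the exit status and not only in a message. It builds a throwaway root/intermediate/signer chain, signs a constructed stand-in payload as a detached DER PKCS7 (the form that 'openssl smime -verify -inform DER -content' checks; that GenerateCapsule emits exactly this form is an assumption here), and then runs the verify three ways: untouched payload, payload with one byte appended, and an unrelated trust root. Carving the payload and the PKCS7 blob out of a .cap file is not shown.

```shell
#!/bin/sh
# Added example: verify a capsule payload signature with the openssl CLI.
# Not edk2 / GenerateCapsule code. Every file name, subject name and the
# payload bytes below are constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway root -> intermediate -> signer chain, plus an unrelated root that
# reproduces the "unable to get local issuer certificate" failure.
make_test_chain() {   # make_test_chain <dir>
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' >"$d/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example Root" \
        -keyout "$d/root.key" -out "$d/root.pub.pem" 2>>"$d/openssl.log"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate" \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>>"$d/openssl.log"
    openssl x509 -req -sha256 -days 30 -in "$d/intermediate.csr" -extfile "$d/ca.ext" \
        -CA "$d/root.pub.pem" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/intermediate.pub.pem" 2>>"$d/openssl.log"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Signer" \
        -keyout "$d/signer.key" -out "$d/signer.csr" 2>>"$d/openssl.log"
    openssl x509 -req -sha256 -days 30 -in "$d/signer.csr" -extfile "$d/leaf.ext" \
        -CA "$d/intermediate.pub.pem" -CAkey "$d/intermediate.key" -CAcreateserial \
        -out "$d/signer.pub.pem" 2>>"$d/openssl.log"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Unrelated Root" \
        -keyout "$d/other.key" -out "$d/other_root.pub.pem" 2>>"$d/openssl.log"
}

# Detached DER PKCS7 over the payload, signed by the leaf with the intermediate
# embedded. Assumption: this is the form that ends up in the capsule's
# EFI_FIRMWARE_IMAGE_AUTHENTICATION; the thread only states that the verify
# side of GenerateCapsule runs 'openssl smime -verify'.
sign_payload() {   # sign_payload <payload> <out.p7> <chain dir>
    openssl smime -sign -binary -outform DER -md sha256 \
        -signer "$3/signer.pub.pem" -inkey "$3/signer.key" \
        -certfile "$3/intermediate.pub.pem" -in "$1" -out "$2"
}

# Same check GenerateCapsule wraps, but the function's status is openssl's:
# 0 only on "Verification successful", 1 otherwise. The last stderr line
# (e.g. "unable to get local issuer certificate") is echoed with the FAIL.
verify_payload() {   # verify_payload <payload> <sig.p7> <trusted root> <other certs>
    if openssl smime -verify -inform DER -in "$2" -content "$1" \
            -CAfile "$3" -certfile "$4" -out /dev/null 2>"$WORK/verify.err"; then
        echo "PASS: $1"
        return 0
    fi
    echo "FAIL: $1 ($(tail -n 1 "$WORK/verify.err"))"
    return 1
}

run_demo() {
    make_test_chain "$WORK"
    # Stand-in for the FMP payload that would be carved out of the .cap file.
    printf 'constructed firmware image bytes, not a real payload\n' >"$WORK/payload.bin"
    sign_payload "$WORK/payload.bin" "$WORK/payload.p7" "$WORK"
    cp "$WORK/payload.bin" "$WORK/tampered.bin"
    printf 'x' >>"$WORK/tampered.bin"   # the "edit the capsule file" case

    verify_payload "$WORK/payload.bin"  "$WORK/payload.p7" "$WORK/root.pub.pem"       "$WORK/intermediate.pub.pem"
    verify_payload "$WORK/tampered.bin" "$WORK/payload.p7" "$WORK/root.pub.pem"       "$WORK/intermediate.pub.pem" || true
    verify_payload "$WORK/payload.bin"  "$WORK/payload.p7" "$WORK/other_root.pub.pem" "$WORK/intermediate.pub.pem" || true
}

run_demo
```

Only the openssl CLI is needed. With real inputs, swap in the payload, the PKCS7 blob from the capsule, and the root and intermediate PEMs; an HSM-backed signer only changes sign_payload (openssl smime -sign would take the key through a PKCS#11 engine or provider there), while verify_payload is unchanged because it needs public certificates only.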
On 11/18/24 12:15 PM, james.last via groups.io wrote:
We're working on a tool similar to GenerateCapsule, but one that uses HSM-based
keys to perform the signing instead of a local key file. Is there a
standalone tool or recommended method to validate the capsules are
generated correctly using the cert chain?
View/Reply Online (#120812): https://edk2.groups.io/g/devel/message/120812