From 6a7194ea236590ae2cc02b0bf92b8fe6a7848c7e Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Sat, 3 Jul 2021 12:15:53 +0100
Subject: [PATCH] mount: fix roothash signature extension in manpage

The PKCS7 RFC recommends to use .p7s for detached signatures file extensions, so use that in the example. https://datatracker.ietf.org/doc/html/rfc5751#section-3.2.1
---
 sys-utils/mount.8.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys-utils/mount.8.adoc b/sys-utils/mount.8.adoc
index a534586a7..9630d564d 100644
--- a/sys-utils/mount.8.adoc
+++ b/sys-utils/mount.8.adoc
@@ -1414,9 +1414,9 @@ mksquashfs /etc /tmp/etc.squashfs
 dd if=/dev/zero of=/tmp/etc.hash bs=1M count=10
 veritysetup format /tmp/etc.squashfs /tmp/etc.hash
 openssl smime -sign -in -nocerts -inkey private.key \
--signer private.crt -noattr -binary -outform der -out /tmp/etc.p7
+-signer private.crt -noattr -binary -outform der -out /tmp/etc.roothash.p7s
 mount -o verity.hashdevice=/tmp/etc.hash,verity.roothash=,\
-verity.roothashsig=/tmp/etc.p7 /tmp/etc.squashfs /mnt
+verity.roothashsig=/tmp/etc.roothash.p7s /tmp/etc.squashfs /mnt
 ....
 create squashfs image from _/etc_ directory, verity hash device and mount verified filesystem image to _/mnt_. The kernel will verify that the root hash is signed by a key from the kernel keyring if roothashsig is used.