Hi @kavithabk,

Please note that meta-rauc-community is a Yocto/OpenEmbedded layer with RAUC demo integrations on various popular hardware platforms. Your question seems specifically for the replace-signature feature for RAUC and therefore I think it will be better to seek help on this topic in the RAUC dedicated git repository where the implementation of replace-signature is: https://github.com/rauc/rauc

Please have a look at the documentation, eventually at the source code and after that seek help at the RAUC git repository in GitHub.

Best regards,
We plan to use external PKI to sign our RAUC bundle (using verity format).

1. Extract the bundle signature
$ rauc extract-signature --keyring ca.cert.pem bundle.raucb extracted-signature.cms
2. Extract embedded manifest from the verity bundle CMS
$ openssl cms -verify -CAfile ca.cert.pem -out manifest.raucm -inform DER -in extracted-signature.cms
3. Or without trust chain verification
$ openssl cms -verify -noverify -out manifest.raucm -inform DER -in extracted-signature.cms
4. Sign the manifest with your external PKI (for this example, it was made by an openssl command)
$ openssl cms -sign -signer new-signer.cert.pem -CAfile new-ca-cert.pem -inkey new-signer.key.pem -nodetach -in manifest.raucm -outform der -out new-signature.cms
5. Finally replace the bundle signature
$ rauc replace-signature --keyring ca-cert.pem --signing-keyring new-ca-cert.pem bundle.raucb new-signature.cms new-bundle.raucb

We get the below error when we run the last step: "Signature data is no valid CMS".

I am using a signature in PKCS7 format for our signature. Please let me know any pointers on what is done wrong, if you have used external PKI for signing.
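
Steps 2 and 4 above read and write the signature as DER with the manifest embedded (`-inform DER`, `-outform der`, `-nodetach`). The following is an added example, not part of the original post and not RAUC code: a pre-check that reports whether a signature file has that shape before it is passed to step 5. The function names are hypothetical, the sample bytes are a constructed skeleton rather than a real signature, and the check inspects structure only without verifying anything cryptographically.

```python
import re

SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2
ID_DATA = bytes.fromhex("2a864886f70d010701")      # OID 1.2.840.113549.1.7.1

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: n length bytes follow
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, pos, pos + length

def classify_signature(data):
    """Return 'pem', 'der-embedded', 'der-detached' or 'not-der-cms'."""
    if re.match(rb"\s*-----BEGIN [A-Z0-9 #]+-----", data):
        return "pem"                        # armored text, not raw DER
    try:
        outer, start, _ = read_tlv(data, 0)             # ContentInfo SEQUENCE
        oid, o1, o2 = read_tlv(data, start)             # contentType
        if outer != 0x30 or oid != 0x06 or data[o1:o2] != SIGNED_DATA:
            return "not-der-cms"
        wrap, start, _ = read_tlv(data, o2)             # [0] EXPLICIT
        seq, start, _ = read_tlv(data, start)           # SignedData SEQUENCE
        if wrap != 0xA0 or seq != 0x30:
            return "not-der-cms"
        # skip version INTEGER, then digestAlgorithms SET
        _, _, pos = read_tlv(data, read_tlv(data, start)[2])
        _, start, end = read_tlv(data, pos)             # encapContentInfo
        _, _, pos = read_tlv(data, start)               # eContentType
        # eContent [0] is OPTIONAL: present with -nodetach, absent if detached
        embedded = pos < end and read_tlv(data, pos)[0] == 0xA0
        return "der-embedded" if embedded else "der-detached"
    except (ValueError, IndexError):
        return "not-der-cms"

def tlv(tag, body=b""):  # DER encoder, used only to build the constructed sample
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_signature(manifest=None):  # skeleton: no certificates, no signers
    econtent = tlv(0xA0, tlv(0x04, manifest)) if manifest is not None else b""
    encap = tlv(0x30, tlv(0x06, ID_DATA) + econtent)
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31) + encap + tlv(0x31))
    return tlv(0x30, tlv(0x06, SIGNED_DATA) + tlv(0xA0, signed))
```

To check a real file, pass its bytes, for example `classify_signature(open("new-signature.cms", "rb").read())`; any result other than `der-embedded` means the file differs from what step 4 as written would produce.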