lvfs-announce.lists.linux.dev archive mirror
* [Lvfs-announce] LVFS and the new Jcat files
@ 2020-03-03 11:02 Richard Hughes
From: Richard Hughes @ 2020-03-03 11:02 UTC (permalink / raw)
  To: lvfs-announce

Hi all,

This is just for your information, as I know some vendors get worried
when extra unknown files get added to the cabinet archives. The
important thing to take away from this email is that no action is
required and that they’re harmless.

The LVFS is now adding an additional Jcat file in each signed archive.
A Jcat file can be used to store GPG, PKCS-7 and SHA-256 checksums for
multiple files. This allows us to sign a firmware or metadata multiple
times (perhaps by the ODM, OEM and also then the LVFS) which further
decentralizes the trust model of the LVFS. At the moment we are just
using the Jcat file to store the same detached GPG and PKCS-7
signatures we already generate. Nothing is actually parsing the new
.jcat file in the archive and the .asc and .p7b detached signatures
are still generated as before.

If however you are interested in signing the firmware with a
vendor-specific detached key before it gets uploaded to the LVFS
please let me know. The jcat-tool command line tool isn’t very fully
featured yet, but this is the kind of feature we’ll be working
towards. There’ll be no requirement for vendors to do this, and the
LVFS will of course continue to sign your firmware as before.

More information about the Jcat specification can be found here:
https://blogs.gnome.org/hughsie/2020/02/28/introducing-jcat/

Richard
