Sign Mender Artifacts with mender-artifact and OpenSSL using PKCS11 library
Mender is a secure software update system designed to handle large number of devices. It has a simple client-server architecture allowing central management of deployments to all devices.
Integrate Mender and DigiCert® Software Trust Manager PKCS11 using OpenSSL.
Note
Mender only supports the follows keys and algorithms for signing.
Keys stored on:
Disk
HSM
Signing algorithms:
RSA (at least 3072 bits recommended)
ECDSA with curve P-256.
Prerequisites
macOS or Linux operating system
OpenSSL (version 1.xx)
Software Trust Manager PKCS11 library
Set up mender-artifact
A artifact.mender file to be signed
Public key
Install and configure OpenSSL version 1.xx
OpenSSL version 1.xx is a Mender requirement.
Install OpenSSL version 1.xx based on your operating system..
Download and configure PKCS11 library
A configuration file is required for OpenSSL PKCS#11 engine to use Software Trust Manager PKCS11 library. This file is required in related sign commands.
Download PKCS11 library
To download the Software Trust Manager PKCS11 library:
Sign in to DigiCert ONE.
Navigate to Software Trust Manager > Resources > Client tool repository.
Select your operating system.
Click the download icon next to Software Trust Manager PKCS#11 Library.
Create configuration file
To create the configuration file for PKCS11:
Open an integrated development environment (IDE) or plain text editor.
Name the file as openssl.conf.
Copy and paste the following text for your operating system into the editor:
Set environment variable for dc-openssl.conf
Configure OpenSSL to use our configuration file using an environment variable: OPENSSL_CONF.
To set the OPENSSL_CONF environment variable, add:
Tip
OpenSSL does not support the following characters in sign commands: ; ! ‘ ( ) [ &
To avoid errors, remove unsupported characters from file paths before attempting to sign.
Sign
Copy the file to the desired location to permit signing.
To sign and replace the artifact file, use:
:~/mender/test$ ./mender-artifact sign --key-pkcs11 "pkcs11:object=<keypair alias>;type=private" artifact.mender
To sign and create new artifact file, use:
:~/mender/test$ ./mender-artifact sign --key-pkcs11 "pkcs11:object=<keypair alias>;type=private" artifact.mender
To force new signature on signed artifact, use:
:~/mender/test$ ./mender-artifact sign -f --key-pkcs11 "pkcs11:object=<keypair alias>;type=private" artifact.mender
Verify signature
To verify a signature using the public key file, use:
:~/mender/test$ ./mender-artifact validate --key <keypair public key>.pem artifact.mender
Output:
Artifact file 'artifact.mender' validated successfully