Sign Mender Artifacts with mender-artifact and OpenSSL

Mender is a secure software update system designed to handle large number of devices. It has a simple client-server architecture allowing central management of deployments to all devices.

Integrate Mender and DigiCert® Software Trust Manager PKCS11 using OpenSSL.

Nota

Mender only supports the follows keys and algorithms for signing.

Keys stored on:

Disk
HSM

Signing algorithms:

RSA (at least 3072 bits recommended)
ECDSA with curve P-256.

Prerequisites

macOS or Linux operating system
OpenSSL (version 1.xx)
Software Trust Manager PKCS11 library
Configure your credentials
Set up mender-artifact
A artifact.mender file to be signed
Public key

Install and configure OpenSSL version 1.xx

OpenSSL version 1.xx is a Mender requirement.

Install OpenSSL version 1.xx based on your operating system..

Download and configure PKCS11 library

A configuration file is required for OpenSSL PKCS#11 engine to use Software Trust Manager PKCS11 library. This file is required in related sign commands.

Download PKCS11 library

To download the Software Trust Manager PKCS11 library:

Sign in to DigiCert ONE.
Navigate to Software Trust Manager > Resources > Client tool repository.
Select your operating system.
Click the download icon next to Software Trust Manager PKCS#11 Library.

Create configuration file

To create the configuration file for PKCS11:

Open an integrated development environment (IDE) or plain text editor.
Name the file as openssl.conf.
Copy and paste the following text for your operating system into the editor:

ejemplo 3. Linux

openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]

#Path to the OpenSSL PKCS11 Engine
dynamic_path = "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so"

MODULE_PATH = <Path to smpkcs11.so>

ejemplo 4. macOS

openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]

#Path to the OpenSSL PKCS11 Engine
dynamic_path = "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11"

MODULE_PATH = <Path to smpkcs11.so/smpkcs11.DLL>

Set environment variable for dc-openssl.conf

Configure OpenSSL to use our configuration file using an environment variable: OPENSSL_CONF.

To set the OPENSSL_CONF environment variable, add:

Sign

Copy the file to the desired location to permit signing.

To sign and replace the artifact file, use:

:~/mender/test$ ./mender-artifact sign --key-pkcs11 "pkcs11:object=<keypair alias>;type=private" artifact.mender

To sign and create new artifact file, use:

:~/mender/test$ ./mender-artifact sign --key-pkcs11 "pkcs11:object=<keypair alias>;type=private" artifact.mender

To force new signature on signed artifact, use:

:~/mender/test$ ./mender-artifact sign -f --key-pkcs11 "pkcs11:object=<keypair alias>;type=private" artifact.mender

Verify signature

To verify a signature using the public key file, use:

:~/mender/test$ ./mender-artifact  validate --key <keypair public key>.pem artifact.mender

Output:

Artifact file 'artifact.mender' validated successfully

En esta sección: