Code signing tools

Hi,
I want to update my code over the network, so I need to prevent hackers, and I need code-signing verification tools in my Linux package to verify my code's author.
Is there any package or tool that could help me do this?

I am using:
Colibri imx6dl V1.1A
iris carrier board
linux BSP 2.8b7

I appreciate your support.

Hi @me_ahani98,

This is, of course, a very complicated topic. The best solution would be to use something like our Torizon OTA platform where you get the protection of the entire image using the Uptane Framework.

Can you describe your workflow a bit so I understand how you are generating code and what bits you would want signed?

Drew

Hi @drew.tx,
thanks for your attention.
I am developing my code in Qt Creator and cross-compiling it for my i.MX6.
I have found something myself.
Unfortunately I am not using Torizon, so is there any OTA platform for Angstrom?
I found openssl, which is an Angstrom-based package,
and I need some more help with it.
What is your recommendation for keeping the private and public .pem files?
Is there any safe directory or any safe package to keep these keys in?
Is the openssl package meant for code signing?

Hi @me_ahani98

I believe Angstrom has some sort of on-target package management so you could theoretically use that to do updates, but that’s generally a clunky mechanism for handling large device fleets. We don’t even provide Angstrom builds in newer BSP versions. Most users who are not on Torizon will do a custom Yocto build to add the packages they need rather than relying on package management on the target. There are other options for OTA updates that can be integrated with Yocto (see mender.io for one example).

You can definitely use openssl to sign and/or encrypt your application and it is well supported in Yocto. It’s not a full solution though and you would have to take care of issues such as certificate revocation and rotation and a slew of other things. I think you will find that this is a much bigger effort than you are expecting.

If you can describe how your system is structured, where the updates will come from, how and when they will be signed and verified, we may be able to guide you further.

Drew
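As an added example (not code from the thread or from Toradex), the following POSIX shell script shows the minimal sign-on-host / verify-on-target flow with the openssl CLI that the reply above refers to. The key file names, the artifact name and the sample payload are all constructed for the demo; a real deployment would keep the private key on the build host only and bake the public key into the device image.

```shell
#!/bin/sh
# Added example, not from the original thread: sign an update artifact with a
# private RSA key on the build host and verify it on the target with the
# matching public key, using only the openssl command-line tool.
# All file names and the sample payload are constructed for this demo.

set -eu

WORK="$(mktemp -d)"
PRIV="$WORK/update_signing_private.pem"   # stays on the build host, never shipped
PUB="$WORK/update_signing_public.pem"     # baked into the device image
ARTIFACT="$WORK/app_update.tar"           # constructed stand-in for the real update

# One-time key generation on the build host (2048-bit RSA key pair).
gen_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$PRIV" 2>/dev/null
    openssl pkey -in "$PRIV" -pubout -out "$PUB"
}

# Build host: produce a detached SHA-256/RSA signature next to the artifact.
sign_update() {
    openssl dgst -sha256 -sign "$PRIV" -out "$1.sig" "$1"
}

# Target device: verify the detached signature before installing anything.
# Exit status 0 only when the signature matches both the artifact bytes
# and the trusted public key; any modification of the artifact fails here.
verify_update() {
    openssl dgst -sha256 -verify "$PUB" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Demo: create a constructed artifact, sign it, verify it, then tamper
# with it and show that verification now refuses it.
demo() {
    gen_keys
    printf 'constructed update payload v1\n' > "$ARTIFACT"
    sign_update "$ARTIFACT"
    if verify_update "$ARTIFACT"; then
        echo "genuine artifact: signature OK, safe to install"
    else
        echo "genuine artifact: verification FAILED"
    fi
    printf 'tampered byte\n' >> "$ARTIFACT"
    if verify_update "$ARTIFACT"; then
        echo "tampered artifact: signature unexpectedly OK"
    else
        echo "tampered artifact: verification failed as expected, refusing install"
    fi
}

demo
```

This covers only the integrity and origin check of one artifact. As the reply notes, it does not by itself handle key rotation, revocation or rollback protection; the update procedure around it still has to refuse to install anything whose signature check fails, and the private key must never be copied to the device or the web server.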

Hi,
I think I will never face the certificate revocation issue.
Is there any supported local application like mender.io that does not need an internet connection and is integrated in Yocto or a basic Linux package?

Best regards, dear @drew.tx

You can use Mender in standalone mode which does not require a server-side setup.

There are other Yocto options. You can find more here, but I’m not sure how up-to-date that wiki page is.

Drew

Hi again Mr. @drew.tx,
I have used openssl for my code signing and written my own update procedure based on my own web server.
But for now I need to keep my PublicSign.pem and PrivateEncrypcionCertificate.pem safe.
Is there any special location or service designed for this?
Any suggestion would be helpful.

Best regards

Normally the public keys don’t need any special protection. Keeping the private keys on the device is of course problematic; if you can find a way to store them offline that would be best.

There are secure element chips that you can install on your carrier board that could help here. See this link for something similar.

Drew