[isar-cip-core,RFC,1/3] recipe-devtools: Add recipe to sign SWUpdate update binaries

Message ID 20230713164055.2786350-2-Quirin.Gylstorff@siemens.com (mailing list archive)
State Superseded
Series Enable signed Software Update Binaries

Commit Message

Quirin Gylstorff July 13, 2023, 4:40 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This adds the necessary recipes to provide a snakeoil for testing
sign updates and a recipe to for offical certificates.

The certificates creation can be found at [1].

[1]: https://sbabic.github.io/swupdate/signed_images.html?highlight=signing#usage-with-certificates-and-cms

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/cip-swupdate-snakeoil.cert.pem      | 30 +++++++++++
 .../files/cip-swupdate-snakeoil.key.pem       | 52 +++++++++++++++++++
 .../swupdate-certificates-key-snakeoil_0.1.bb | 17 ++++++
 .../swupdate-certificates-key.inc             | 31 +++++++++++
 .../swupdate-certificates-key_0.1.bb          | 15 ++++++
 .../swupdate-certificates-snakeoil_0.1.bb     | 16 ++++++
 .../swupdate-certificates.inc                 | 31 +++++++++++
 .../swupdate-certificates_0.1.bb              | 14 +++++
 8 files changed, 206 insertions(+)
 create mode 100644 recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem
 create mode 100644 recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem
 create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb
 create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
 create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb
 create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb
 create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates.inc
 create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb

Comments

Jan Kiszka July 13, 2023, 5:03 p.m. UTC | #1
On 13.07.23 18:40, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This adds the necessary recipes to provide a snakeoil for testing
> sign updates and a recipe to for offical certificates.

Several typos / wrong words here.

> 
> The certificates creation can be found at [1].
> 
> [1]: https://sbabic.github.io/swupdate/signed_images.html?highlight=signing#usage-with-certificates-and-cms
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../files/cip-swupdate-snakeoil.cert.pem      | 30 +++++++++++
>  .../files/cip-swupdate-snakeoil.key.pem       | 52 +++++++++++++++++++

Are these different from the Debian snakeoil keys? I suppose they are
for the reasons you mentioned offlist. Please document them in the
commit message.

>  .../swupdate-certificates-key-snakeoil_0.1.bb | 17 ++++++
>  .../swupdate-certificates-key.inc             | 31 +++++++++++
>  .../swupdate-certificates-key_0.1.bb          | 15 ++++++
>  .../swupdate-certificates-snakeoil_0.1.bb     | 16 ++++++
>  .../swupdate-certificates.inc                 | 31 +++++++++++
>  .../swupdate-certificates_0.1.bb              | 14 +++++
>  8 files changed, 206 insertions(+)
>  create mode 100644 recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem
>  create mode 100644 recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates.inc
>  create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb
> 
> diff --git a/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem
> new file mode 100644
> index 0000000..a44cb7d
> --- /dev/null
> +++ b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem
> @@ -0,0 +1,30 @@
> +-----BEGIN CERTIFICATE-----
> +MIIFKzCCAxOgAwIBAgIUEA0euuQB7ulZBzoFaG+/Fps82oEwDQYJKoZIhvcNAQEL
> +BQAwJTESMBAGA1UECgwJU1dVcGRhdGUgMQ8wDQYDVQQDDAZ0YXJnZXQwHhcNMjMw
> +NjIzMDk1NDA4WhcNMjMwNzIzMDk1NDA4WjAlMRIwEAYDVQQKDAlTV1VwZGF0ZSAx
> +DzANBgNVBAMMBnRhcmdldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
> +ALO14EDb7Q/hXCJZbrl/UD2RytUb8Phh49iPpIOryJKqDEyGNhc03XzpkB5qMYEt
> +vMN+UXRTLFvBIfrtukLzrpEm5jTPaSAciKD+nIGqNFbPXWl+KIy2lMTEqD9Se7lQ
> +4u4fupZQp4adlsdjya0i9u9fnNbK25jCrPjQHf698eS1VR0YpXOqAqB9VFLeLdlj
> +BCCmVBkhMTF/z7CvF7XsL7rqBG8F1yTg9qKTf/2C9Odc9sCtjy0wGt8NBSV2Cua3
> +ifPNQtYdxPLR9ohyariMEsS3s0WVclUvctD6SwCmP0RNvwmKDyzlWerRTSvODw+8
> ++laD0vI2KIkgegzDiJGBF0DrfBrePqCHLeZztQHpHfTkcSAEP4hgg4ev2p5XV7lC
> +1ed9UTHjhW+mmKJuJODgfsS7sQs8CqRGHYj95RrK14CG5PHebRWpSH3KcmROpsSl
> +fUXQTSqth01welrL9/OEpO0vRlnL0FNrhjQFtgIR3djgxosoRuOL43g/ep1CtIwc
> +ypFDemhgMKoUzc7KnQvGpG5FeqUSqqAlqclAKEfFNs4pvpc5mz3LUwdNkyIGkgqL
> +Xuhnf1OkMDtMlZ5wvi+CTqYMX2KqXU8yz2Csf9uN54ojIGbWN73wCZA5JH7R8FqN
> +PoKJ8csQTayQK5XBYP7XQV1CgnAJDxa/pEnMf4zLotG/AgMBAAGjUzBRMB0GA1Ud
> +DgQWBBR2lBlS17x7xqB2kaLwEg1lJXpoLDAfBgNVHSMEGDAWgBR2lBlS17x7xqB2
> +kaLwEg1lJXpoLDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCe
> +WK2TcfszS5EPeO4K6o7Zsr6tNkyAfP0oHm4gqAOfverfITctws/SIOdwLI79ljMq
> +vUuSEzWRnx16TfzqBlnFNFEUPBknnk/KeHCXgz4XdyyLdS8cga1lCHc+yRVIcq53
> +Z9KaLjbg/OmyJwVTehlJGnDF4QCOIzMO4Ha+O6Eyxu3ARp/x2QrzsfQ1U3KtMhAy
> +NcBG/mupj8mwg3cfo10MmzzN4ioQUCIf5M6eg/8iDITgA51XqFpjf2fX1xusSBBe
> +zuoy4Rz+Df1rGsUabAd7jKVXghS1+AE22ZPy6bnmV810ONb1H8MExFbGgdulYhmo
> +zoH6H7h6LtKP0xVOZ6H87X4Hoi7YitQqCl+oaHUE2GzA97fm+rNXe84ekJvjUiEz
> +Js3q1wXaegMr4LFmu9MPBSycJw54KtLfg2U0tIW6SD7dFlvD2f/qo7RtyEiE/Wfu
> +Cm8ZvMUr+OuNAvQL/Ig08JgUKisTK3ARHFxMu9sEMsWoB7bTGvyiZ9mS/G2VIet4
> +1pucvi89d9qXeZZ8PByHOEo0c7cu8lCmtIZoh0rdV3t8mxOZA1kFwYK2xahA6DT3
> +J2me41iKb9l2aCbGBbUKiesu3CRLpPG8Ic8X5PPkbRlX5/Zza21AbM8jxX14ZAL8
> +mkgMhzaLWIGo8ixvA8i7Fm/JunrIimDZaRjJrKuoMg==
> +-----END CERTIFICATE-----
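
Review bot: The validity fields in this certificate (the MjMwNjIzMDk1NDA4Wh... and MjMwNzIzMDk1NDA4Wj... runs on the second and third base64 lines) decode to notBefore 230623095408Z and notAfter 230723095408Z, so the snakeoil certificate is valid for 30 days and expires on 23 July 2023, ten days after this patch was posted. Any verifier that enforces the validity period will reject test updates from then on; regenerate the pair with an explicit, long -days value and record the exact openssl command in the commit message so the files can be reproduced.
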
> diff --git a/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem
> new file mode 100644
> index 0000000..5dd3d3b
> --- /dev/null
> +++ b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem
> @@ -0,0 +1,52 @@
> +-----BEGIN PRIVATE KEY-----
> +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCzteBA2+0P4Vwi
> +WW65f1A9kcrVG/D4YePYj6SDq8iSqgxMhjYXNN186ZAeajGBLbzDflF0UyxbwSH6
> +7bpC866RJuY0z2kgHIig/pyBqjRWz11pfiiMtpTExKg/Unu5UOLuH7qWUKeGnZbH
> +Y8mtIvbvX5zWytuYwqz40B3+vfHktVUdGKVzqgKgfVRS3i3ZYwQgplQZITExf8+w
> +rxe17C+66gRvBdck4Paik3/9gvTnXPbArY8tMBrfDQUldgrmt4nzzULWHcTy0faI
> +cmq4jBLEt7NFlXJVL3LQ+ksApj9ETb8Jig8s5Vnq0U0rzg8PvPpWg9LyNiiJIHoM
> +w4iRgRdA63wa3j6ghy3mc7UB6R305HEgBD+IYIOHr9qeV1e5QtXnfVEx44Vvppii
> +biTg4H7Eu7ELPAqkRh2I/eUayteAhuTx3m0VqUh9ynJkTqbEpX1F0E0qrYdNcHpa
> +y/fzhKTtL0ZZy9BTa4Y0BbYCEd3Y4MaLKEbji+N4P3qdQrSMHMqRQ3poYDCqFM3O
> +yp0LxqRuRXqlEqqgJanJQChHxTbOKb6XOZs9y1MHTZMiBpIKi17oZ39TpDA7TJWe
> +cL4vgk6mDF9iql1PMs9grH/bjeeKIyBm1je98AmQOSR+0fBajT6CifHLEE2skCuV
> +wWD+10FdQoJwCQ8Wv6RJzH+My6LRvwIDAQABAoICABWNlpuwxLnG2Xn1J+Zvcnwv
> +5BezBi+D7gOnFqAEFkYgxuDWp94YpQe6K2K6cb2Acscvey1sXEGU5DJoGJK3DxSx
> +iaKDzaPgSDKm1rZmZ2iR7i4cx1g4/Zarz1Ho3pXXMaBFhedJPQ5UECVRvnpZWyxS
> +V0kbg0LK9lvQ+gf3V++KH+8haZZ5qV7+KQLXSsBrs68Gw8dPx8qb/Zi/JyTWctME
> +BgwaszblFC9jaVJKRn0JFT7+kdFll5NwyFE52wzYrl7jG0T6xQgqTlsG/e2sPwQA
> +1CtgRRoaWrbdjelCBwx2FpdaS3+i8inLeGnsiLnmfE+r97y86heoIXsuaE6rINKg
> +8K3FF7LD3f6dbWWGC3IqE7/hYMPV2FOTFufXvyH7dzhosB7XBAMIXr9/bswW/5tH
> +mmCtFnXARqMirdwqf+oruuX8xhrlYBiVEe9E0qCG9iJBjtyqd/IJOHL9liD6+II2
> +trdgJGaFlqXXWSVm2A91LrsETxRPepd+tPyARhszHkqnpdjMdoUGh2lVIPdPjP8f
> +SaBvQeoa83b2eOfI5RK4b7/TOe8W/YVN00hewaFS0YmDcfeNH8yIxuraU5xpwfKJ
> +QKz4zFSPTSYHTf+jCp450+LY8gwoaHKZ6J7IuCKbOke9iVHlOYsgQICCFSG/knPj
> +8vwiL9lUVIW5EqG7jyEhAoIBAQDd/4PPxPw0mL7i4F44uOwaVgtVcbCtsLbyje9V
> +YCGl0MS+jmIIRxXYPZWhmuUNE5I6gMXHsaawhFXkSPEWJ6DfNYV8HQLcix9vkrFs
> ++OK8vCVsAymoDpdkl8+k3i9Uu6+/EakU1badQGfNOqnQONRRO3ePoGK44583j8Wu
> +6XxkXETmNeYYZJc5HwcOS/r8Oh/1kWnJHysz64PoZ4d3h3oaLJJ3LzZ4q0+hVuk0
> +5cCdzGqy5eLr+U6GnCTNhAqY0ZhlH3UJlYPNx3UsQ/nXxYsOtHZnvs7Q/s4quhF2
> +lufzIf0ftPEtdY+7wFm1TIyf+AW4PhkdwvbJkpStGpL+KSZ1AoIBAQDPPEYYVCA7
> +oO3e3i8bUqh2iLZ0KDehOv455Ylmk5x6t5+OaO8m1+JTtEvIjkxpHsdwuCTm5Ewv
> +L4/RAv3KLjkrO63Lk3Bbjy+L6ElD2TjBEAlXnZI9eNMw7wsmzbrFbIYHj46/twpv
> +yBihQoSupClCWKbYB0fwWR94VU57WJABmX5UIbWqcPWkK1USW1foG+uuVu+yNpmn
> +sXDsaBZcHjWGsjBvxGnIzJO8oaNzrRFfNqIFhSY6pVklv4M84I17dJNYt3PmDARW
> +xliHyg0w6c3zIahcEuOTn3CN/DAU5zbTA800hyEQ+0baCHUn6Aa2TYdGTCdULFow
> +w90RDVYZh9jjAoIBAEZnMjZCEnnbty3cWgVDIB16DD4cwBtVX6+ss6ovwnwDqWGF
> +ZjGZ2aOqZDnMFbf/7PAAxrh97o8saNDtEQglqS8gmiSyTqYCuQV5UCtvAvk38eY/
> +WoahmgGc4401qW0F2MaPoz+oRzG3qzO61v/iBfN9GH3EL4rTJTtJrTe7dGefm3om
> +vcIepJbI8EPodMBo7pnCc/oEmH7uwfaCXsPZgy+p0wlZP70lFyvjlDHiayOgIHZ7
> +0WtktTKbclB6/6FXVy06vLM9Z39rMg3HwQRc8azILoTYTl6ZcGi8ea1STl0c+lmD
> +2LjB/8NbTRfiHvbcgXPcvbpiikGC6wO62cMg6cECggEBALcvNVrOCkwLPhkyV3uU
> +fluBD57v6fS4W/87mlA1DS4g4IaW1UeFr4eEKTUYLA0D6xIFhIEgrwNKzJraRRKR
> +93Dy6Pa51qjokgPfCdxSyGtITKnJHHsAMdbghv/+/SkEfBl02Z84Ip6axsLNNNHX
> +RK1kBd+R2BJqBXpuFdjMeUcgsl2WCqql/UzoDOQUIEmJXLSYHntu7jYgkIw4mgNF
> +pNTy8APsIAIibDlivERFaMS8W03728YdYQcQGecXK5lEe/cA+w8P8knuPFWT0kM5
> +eRaA2vzAqbBVUL4BfVMM6xZuFtdm12DWbVPQBBeJb114fKo0KNOr/PF8QQ6QtloN
> +DjcCggEBALumqFVF8eU236dz7jffdY1LEgxZQHXgOJcrNVpuqeLeD91NPEl8HoiO
> +PAYtXbrNM+PtYD8KBDG8Bv9MZgaZyEfww8zkqzYtMzIk/5Kb9wBhdeq36YHBC/1+
> +cDGty0dfubELKw2L+bwalFgk0urnQzJW+11+nFh+g2q3PJpRUisvih4apE+dOdE8
> +cdsgc58nZksyS2WusW8OG0XZeJTrCejEP1GP6svYm3mPOVAp5Y3e7CQP10WcDoQ9
> +WUZp+JbefDrJ/+aVmtkQ1pMGbOCbSwa/xmn6bbCVeI/aD3Sr9t4wnKQzu4InD5PB
> +nFtyUBqMFy+r+QlyRfQbhfXxs7cW1/M=
> +-----END PRIVATE KEY-----
> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb
> new file mode 100644
> index 0000000..fa2ce23
> --- /dev/null
> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb
> @@ -0,0 +1,17 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Jan Kiszka <quirin.gylstorff@siemens.com>

Did you change your name? Or should I now use your email address? ;)

> +#
> +# SPDX-License-Identifier: MIT
> +#
> +DEBIAN_DEPENDS += "swupdate-certificates-snakeoil"
> +
> +require swupdate-certificates-key.inc
> +
> +SWU_SIGN_KEY = "cip-swupdate-snakeoil.key.pem"
> +
> +DEBIAN_CONFLICTS = "swupdate-certificates-key"
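
Review bot: Nothing in this recipe says that cip-swupdate-snakeoil.key.pem is a published test key; the file name assigned to SWU_SIGN_KEY is the only hint. Add a DESCRIPTION stating that the key is public and for testing only, and consider a bbwarn when this recipe is built, so that a build signing with it shows up in the log.
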
> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
> new file mode 100644
> index 0000000..3fafce0
> --- /dev/null
> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
> @@ -0,0 +1,31 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Jan Kiszka <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit dpkg-raw
> +
> +PROVIDES += "swupdate-certificates-key"
> +
> +SWU_SIGN_KEY ??= ""
> +
> +SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }"
> +
> +do_install() {
> +    if [ -z ${SWU_SIGN_KEY} ] ]; then
> +        bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe"
> +    fi
> +    TARGET=${D}/usr/share/swupdate-signing/
> +    install -d -m 0700 ${TARGET}
> +    install -m 0700 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key
> +}
> +
> +do_prepare_build:append() {
> +    echo "Provides: swupdate-certificates-key" >> ${S}/debian/control
> +}
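
Review bot: The guard in do_install, `if [ -z ${SWU_SIGN_KEY} ] ]; then`, has a stray `]` and an unquoted expansion, so it never triggers: with SWU_SIGN_KEY empty the shell evaluates `-z "]"`, which is false, bbfatal is skipped, and the following install line is left to fail on a bare ${WORKDIR}/ path. Write it as `if [ -z "${SWU_SIGN_KEY}" ]; then`. Separately, `install -m 0700` sets the execute bit on a key file; 0600 is enough for data that only the owner reads.
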
> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb
> new file mode 100644
> index 0000000..45864fa
> --- /dev/null
> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb
> @@ -0,0 +1,15 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Jan Kiszka <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +DEBIAN_DEPENDS += "swupdate-certificates"
> +
> +require swupdate-certificates-key.inc
> +
> +DEBIAN_CONFLICTS = "swupdate-certificates-key-snakeoil"
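
Review bot: This recipe leaves SWU_SIGN_KEY unset and nothing in it tells a downstream layer how the production key file is meant to be supplied; the only guidance is the bbfatal text in the .inc. Add a comment or README entry describing the expected override (variable plus where the file must live for the file:// fetch). It is also worth stating there that, because the .inc inherits dpkg-raw, the private key ends up inside a .deb, so that package has to be kept out of any published package repository.
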
> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb
> new file mode 100644
> index 0000000..4e45b6b
> --- /dev/null
> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb
> @@ -0,0 +1,16 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Jan Kiszka <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +require swupdate-certificates.inc
> +
> +SWU_SIGN_CERT = "cip-swupdate-snakeoil.cert.pem"
> +
> +DEBIAN_CONFLICTS = "swupdate-certificates"
> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc
> new file mode 100644
> index 0000000..92f9715
> --- /dev/null
> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc
> @@ -0,0 +1,31 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Jan Kiszka <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit dpkg-raw
> +
> +PROVIDES += "swupdate-certificates"
> +
> +SWU_SIGN_CERT ??= ""
> +
> +SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_CERT') if d.getVar('SWU_SIGN_CERT') else '' }"
> +
> +do_install() {
> +    if [ -z ${SWU_SIGN_CERT} ] ]; then
> +        bbfatal "You must set SWU_SIGN_CERT and provide the required file as artifacts to this recipe"
> +    fi
> +    TARGET=${D}/usr/share/swupdate-signing/
> +    install -d -m 0700 ${TARGET}
> +    install -m 0700 ${WORKDIR}/${SWU_SIGN_CERT} ${TARGET}/swupdate-sign.crt
> +}
> +
> +do_prepare_build:append() {
> +    echo "Provides: swupdate-certificates" >> ${S}/debian/control
> +}
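
Review bot: `if [ -z ${SWU_SIGN_CERT} ] ]; then` repeats the malformed test from swupdate-certificates-key.inc (stray `]`, unquoted variable), so the bbfatal for a missing SWU_SIGN_CERT is unreachable here as well; use `if [ -z "${SWU_SIGN_CERT}" ]; then`. The certificate is public data, yet it is installed with mode 0700, which sets an execute bit it does not need and restricts the file to its owner; confirm which user runs the signing step and relax the mode if that is not root. Since the two .inc files differ only in the variable and target file name, they could share one include.
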
> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb
> new file mode 100644
> index 0000000..41d07a5
> --- /dev/null
> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb
> @@ -0,0 +1,14 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Jan Kiszka <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +require swupdate-certificates.inc
> +
> +DEBIAN_CONFLICTS = "swupdate-certificates-snakeoil"

Jan

Quirin Gylstorff July 14, 2023, 7:14 a.m. UTC | #2
On 7/13/23 19:03, Jan Kiszka wrote:
> On 13.07.23 18:40, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This adds the necessary recipes to provide a snakeoil for testing
>> sign updates and a recipe to for offical certificates.
> 
> Several typos / wrong words here.
>
Will fix.

>>
>> The certificates creation can be found at [1].
>>
>> [1]: https://sbabic.github.io/swupdate/signed_images.html?highlight=signing#usage-with-certificates-and-cms
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   .../files/cip-swupdate-snakeoil.cert.pem      | 30 +++++++++++
>>   .../files/cip-swupdate-snakeoil.key.pem       | 52 +++++++++++++++++++
> 
> Are these different from the Debian snakeoil keys? I suppose they are
> for the reasons you mentioned offlist. Please document them in the
> commit message.

I tested it with the Debian snakeoil keys modified by isar-cip-core and 
it works. The question was more should we copy the keys into this recipe 
or do we make a dependency chain to secure-boot secrets.


> 
>>   .../swupdate-certificates-key-snakeoil_0.1.bb | 17 ++++++
>>   .../swupdate-certificates-key.inc             | 31 +++++++++++
>>   .../swupdate-certificates-key_0.1.bb          | 15 ++++++
>>   .../swupdate-certificates-snakeoil_0.1.bb     | 16 ++++++
>>   .../swupdate-certificates.inc                 | 31 +++++++++++
>>   .../swupdate-certificates_0.1.bb              | 14 +++++
>>   8 files changed, 206 insertions(+)
>>   create mode 100644 recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem
>>   create mode 100644 recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem
>>   create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb
>>   create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
>>   create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb
>>   create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb
>>   create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates.inc
>>   create mode 100644 recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb
>>
>> diff --git a/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem
>> new file mode 100644
>> index 0000000..a44cb7d
>> --- /dev/null
>> +++ b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem
>> @@ -0,0 +1,30 @@
>> +-----BEGIN CERTIFICATE-----
>> +MIIFKzCCAxOgAwIBAgIUEA0euuQB7ulZBzoFaG+/Fps82oEwDQYJKoZIhvcNAQEL
>> +BQAwJTESMBAGA1UECgwJU1dVcGRhdGUgMQ8wDQYDVQQDDAZ0YXJnZXQwHhcNMjMw
>> +NjIzMDk1NDA4WhcNMjMwNzIzMDk1NDA4WjAlMRIwEAYDVQQKDAlTV1VwZGF0ZSAx
>> +DzANBgNVBAMMBnRhcmdldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
>> +ALO14EDb7Q/hXCJZbrl/UD2RytUb8Phh49iPpIOryJKqDEyGNhc03XzpkB5qMYEt
>> +vMN+UXRTLFvBIfrtukLzrpEm5jTPaSAciKD+nIGqNFbPXWl+KIy2lMTEqD9Se7lQ
>> +4u4fupZQp4adlsdjya0i9u9fnNbK25jCrPjQHf698eS1VR0YpXOqAqB9VFLeLdlj
>> +BCCmVBkhMTF/z7CvF7XsL7rqBG8F1yTg9qKTf/2C9Odc9sCtjy0wGt8NBSV2Cua3
>> +ifPNQtYdxPLR9ohyariMEsS3s0WVclUvctD6SwCmP0RNvwmKDyzlWerRTSvODw+8
>> ++laD0vI2KIkgegzDiJGBF0DrfBrePqCHLeZztQHpHfTkcSAEP4hgg4ev2p5XV7lC
>> +1ed9UTHjhW+mmKJuJODgfsS7sQs8CqRGHYj95RrK14CG5PHebRWpSH3KcmROpsSl
>> +fUXQTSqth01welrL9/OEpO0vRlnL0FNrhjQFtgIR3djgxosoRuOL43g/ep1CtIwc
>> +ypFDemhgMKoUzc7KnQvGpG5FeqUSqqAlqclAKEfFNs4pvpc5mz3LUwdNkyIGkgqL
>> +Xuhnf1OkMDtMlZ5wvi+CTqYMX2KqXU8yz2Csf9uN54ojIGbWN73wCZA5JH7R8FqN
>> +PoKJ8csQTayQK5XBYP7XQV1CgnAJDxa/pEnMf4zLotG/AgMBAAGjUzBRMB0GA1Ud
>> +DgQWBBR2lBlS17x7xqB2kaLwEg1lJXpoLDAfBgNVHSMEGDAWgBR2lBlS17x7xqB2
>> +kaLwEg1lJXpoLDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCe
>> +WK2TcfszS5EPeO4K6o7Zsr6tNkyAfP0oHm4gqAOfverfITctws/SIOdwLI79ljMq
>> +vUuSEzWRnx16TfzqBlnFNFEUPBknnk/KeHCXgz4XdyyLdS8cga1lCHc+yRVIcq53
>> +Z9KaLjbg/OmyJwVTehlJGnDF4QCOIzMO4Ha+O6Eyxu3ARp/x2QrzsfQ1U3KtMhAy
>> +NcBG/mupj8mwg3cfo10MmzzN4ioQUCIf5M6eg/8iDITgA51XqFpjf2fX1xusSBBe
>> +zuoy4Rz+Df1rGsUabAd7jKVXghS1+AE22ZPy6bnmV810ONb1H8MExFbGgdulYhmo
>> +zoH6H7h6LtKP0xVOZ6H87X4Hoi7YitQqCl+oaHUE2GzA97fm+rNXe84ekJvjUiEz
>> +Js3q1wXaegMr4LFmu9MPBSycJw54KtLfg2U0tIW6SD7dFlvD2f/qo7RtyEiE/Wfu
>> +Cm8ZvMUr+OuNAvQL/Ig08JgUKisTK3ARHFxMu9sEMsWoB7bTGvyiZ9mS/G2VIet4
>> +1pucvi89d9qXeZZ8PByHOEo0c7cu8lCmtIZoh0rdV3t8mxOZA1kFwYK2xahA6DT3
>> +J2me41iKb9l2aCbGBbUKiesu3CRLpPG8Ic8X5PPkbRlX5/Zza21AbM8jxX14ZAL8
>> +mkgMhzaLWIGo8ixvA8i7Fm/JunrIimDZaRjJrKuoMg==
>> +-----END CERTIFICATE-----
>> diff --git a/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem
>> new file mode 100644
>> index 0000000..5dd3d3b
>> --- /dev/null
>> +++ b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem
>> @@ -0,0 +1,52 @@
>> +-----BEGIN PRIVATE KEY-----
>> +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCzteBA2+0P4Vwi
>> +WW65f1A9kcrVG/D4YePYj6SDq8iSqgxMhjYXNN186ZAeajGBLbzDflF0UyxbwSH6
>> +7bpC866RJuY0z2kgHIig/pyBqjRWz11pfiiMtpTExKg/Unu5UOLuH7qWUKeGnZbH
>> +Y8mtIvbvX5zWytuYwqz40B3+vfHktVUdGKVzqgKgfVRS3i3ZYwQgplQZITExf8+w
>> +rxe17C+66gRvBdck4Paik3/9gvTnXPbArY8tMBrfDQUldgrmt4nzzULWHcTy0faI
>> +cmq4jBLEt7NFlXJVL3LQ+ksApj9ETb8Jig8s5Vnq0U0rzg8PvPpWg9LyNiiJIHoM
>> +w4iRgRdA63wa3j6ghy3mc7UB6R305HEgBD+IYIOHr9qeV1e5QtXnfVEx44Vvppii
>> +biTg4H7Eu7ELPAqkRh2I/eUayteAhuTx3m0VqUh9ynJkTqbEpX1F0E0qrYdNcHpa
>> +y/fzhKTtL0ZZy9BTa4Y0BbYCEd3Y4MaLKEbji+N4P3qdQrSMHMqRQ3poYDCqFM3O
>> +yp0LxqRuRXqlEqqgJanJQChHxTbOKb6XOZs9y1MHTZMiBpIKi17oZ39TpDA7TJWe
>> +cL4vgk6mDF9iql1PMs9grH/bjeeKIyBm1je98AmQOSR+0fBajT6CifHLEE2skCuV
>> +wWD+10FdQoJwCQ8Wv6RJzH+My6LRvwIDAQABAoICABWNlpuwxLnG2Xn1J+Zvcnwv
>> +5BezBi+D7gOnFqAEFkYgxuDWp94YpQe6K2K6cb2Acscvey1sXEGU5DJoGJK3DxSx
>> +iaKDzaPgSDKm1rZmZ2iR7i4cx1g4/Zarz1Ho3pXXMaBFhedJPQ5UECVRvnpZWyxS
>> +V0kbg0LK9lvQ+gf3V++KH+8haZZ5qV7+KQLXSsBrs68Gw8dPx8qb/Zi/JyTWctME
>> +BgwaszblFC9jaVJKRn0JFT7+kdFll5NwyFE52wzYrl7jG0T6xQgqTlsG/e2sPwQA
>> +1CtgRRoaWrbdjelCBwx2FpdaS3+i8inLeGnsiLnmfE+r97y86heoIXsuaE6rINKg
>> +8K3FF7LD3f6dbWWGC3IqE7/hYMPV2FOTFufXvyH7dzhosB7XBAMIXr9/bswW/5tH
>> +mmCtFnXARqMirdwqf+oruuX8xhrlYBiVEe9E0qCG9iJBjtyqd/IJOHL9liD6+II2
>> +trdgJGaFlqXXWSVm2A91LrsETxRPepd+tPyARhszHkqnpdjMdoUGh2lVIPdPjP8f
>> +SaBvQeoa83b2eOfI5RK4b7/TOe8W/YVN00hewaFS0YmDcfeNH8yIxuraU5xpwfKJ
>> +QKz4zFSPTSYHTf+jCp450+LY8gwoaHKZ6J7IuCKbOke9iVHlOYsgQICCFSG/knPj
>> +8vwiL9lUVIW5EqG7jyEhAoIBAQDd/4PPxPw0mL7i4F44uOwaVgtVcbCtsLbyje9V
>> +YCGl0MS+jmIIRxXYPZWhmuUNE5I6gMXHsaawhFXkSPEWJ6DfNYV8HQLcix9vkrFs
>> ++OK8vCVsAymoDpdkl8+k3i9Uu6+/EakU1badQGfNOqnQONRRO3ePoGK44583j8Wu
>> +6XxkXETmNeYYZJc5HwcOS/r8Oh/1kWnJHysz64PoZ4d3h3oaLJJ3LzZ4q0+hVuk0
>> +5cCdzGqy5eLr+U6GnCTNhAqY0ZhlH3UJlYPNx3UsQ/nXxYsOtHZnvs7Q/s4quhF2
>> +lufzIf0ftPEtdY+7wFm1TIyf+AW4PhkdwvbJkpStGpL+KSZ1AoIBAQDPPEYYVCA7
>> +oO3e3i8bUqh2iLZ0KDehOv455Ylmk5x6t5+OaO8m1+JTtEvIjkxpHsdwuCTm5Ewv
>> +L4/RAv3KLjkrO63Lk3Bbjy+L6ElD2TjBEAlXnZI9eNMw7wsmzbrFbIYHj46/twpv
>> +yBihQoSupClCWKbYB0fwWR94VU57WJABmX5UIbWqcPWkK1USW1foG+uuVu+yNpmn
>> +sXDsaBZcHjWGsjBvxGnIzJO8oaNzrRFfNqIFhSY6pVklv4M84I17dJNYt3PmDARW
>> +xliHyg0w6c3zIahcEuOTn3CN/DAU5zbTA800hyEQ+0baCHUn6Aa2TYdGTCdULFow
>> +w90RDVYZh9jjAoIBAEZnMjZCEnnbty3cWgVDIB16DD4cwBtVX6+ss6ovwnwDqWGF
>> +ZjGZ2aOqZDnMFbf/7PAAxrh97o8saNDtEQglqS8gmiSyTqYCuQV5UCtvAvk38eY/
>> +WoahmgGc4401qW0F2MaPoz+oRzG3qzO61v/iBfN9GH3EL4rTJTtJrTe7dGefm3om
>> +vcIepJbI8EPodMBo7pnCc/oEmH7uwfaCXsPZgy+p0wlZP70lFyvjlDHiayOgIHZ7
>> +0WtktTKbclB6/6FXVy06vLM9Z39rMg3HwQRc8azILoTYTl6ZcGi8ea1STl0c+lmD
>> +2LjB/8NbTRfiHvbcgXPcvbpiikGC6wO62cMg6cECggEBALcvNVrOCkwLPhkyV3uU
>> +fluBD57v6fS4W/87mlA1DS4g4IaW1UeFr4eEKTUYLA0D6xIFhIEgrwNKzJraRRKR
>> +93Dy6Pa51qjokgPfCdxSyGtITKnJHHsAMdbghv/+/SkEfBl02Z84Ip6axsLNNNHX
>> +RK1kBd+R2BJqBXpuFdjMeUcgsl2WCqql/UzoDOQUIEmJXLSYHntu7jYgkIw4mgNF
>> +pNTy8APsIAIibDlivERFaMS8W03728YdYQcQGecXK5lEe/cA+w8P8knuPFWT0kM5
>> +eRaA2vzAqbBVUL4BfVMM6xZuFtdm12DWbVPQBBeJb114fKo0KNOr/PF8QQ6QtloN
>> +DjcCggEBALumqFVF8eU236dz7jffdY1LEgxZQHXgOJcrNVpuqeLeD91NPEl8HoiO
>> +PAYtXbrNM+PtYD8KBDG8Bv9MZgaZyEfww8zkqzYtMzIk/5Kb9wBhdeq36YHBC/1+
>> +cDGty0dfubELKw2L+bwalFgk0urnQzJW+11+nFh+g2q3PJpRUisvih4apE+dOdE8
>> +cdsgc58nZksyS2WusW8OG0XZeJTrCejEP1GP6svYm3mPOVAp5Y3e7CQP10WcDoQ9
>> +WUZp+JbefDrJ/+aVmtkQ1pMGbOCbSwa/xmn6bbCVeI/aD3Sr9t4wnKQzu4InD5PB
>> +nFtyUBqMFy+r+QlyRfQbhfXxs7cW1/M=
>> +-----END PRIVATE KEY-----
>> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb
>> new file mode 100644
>> index 0000000..fa2ce23
>> --- /dev/null
>> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb
>> @@ -0,0 +1,17 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +#  Jan Kiszka <quirin.gylstorff@siemens.com>
> 
> Did you change your name? Or should I now use your email address? ;)
Oops will fix in v2.

> 
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +DEBIAN_DEPENDS += "swupdate-certificates-snakeoil"
>> +
>> +require swupdate-certificates-key.inc
>> +
>> +SWU_SIGN_KEY = "cip-swupdate-snakeoil.key.pem"
>> +
>> +DEBIAN_CONFLICTS = "swupdate-certificates-key"
>> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
>> new file mode 100644
>> index 0000000..3fafce0
>> --- /dev/null
>> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
>> @@ -0,0 +1,31 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +#  Jan Kiszka <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +inherit dpkg-raw
>> +
>> +PROVIDES += "swupdate-certificates-key"
>> +
>> +SWU_SIGN_KEY ??= ""
>> +
>> +SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }"
>> +
>> +do_install() {
>> +    if [ -z ${SWU_SIGN_KEY} ] ]; then
>> +        bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe"
>> +    fi
>> +    TARGET=${D}/usr/share/swupdate-signing/
>> +    install -d -m 0700 ${TARGET}
>> +    install -m 0700 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key
>> +}
>> +
>> +do_prepare_build:append() {
>> +    echo "Provides: swupdate-certificates-key" >> ${S}/debian/control
>> +}
>> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb
>> new file mode 100644
>> index 0000000..45864fa
>> --- /dev/null
>> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb
>> @@ -0,0 +1,15 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +#  Jan Kiszka <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +DEBIAN_DEPENDS += "swupdate-certificates"
>> +
>> +require swupdate-certificates-key.inc
>> +
>> +DEBIAN_CONFLICTS = "swupdate-certificates-key-snakeoil"
>> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb
>> new file mode 100644
>> index 0000000..4e45b6b
>> --- /dev/null
>> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb
>> @@ -0,0 +1,16 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +#  Jan Kiszka <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +require swupdate-certificates.inc
>> +
>> +SWU_SIGN_CERT = "cip-swupdate-snakeoil.cert.pem"
>> +
>> +DEBIAN_CONFLICTS = "swupdate-certificates"
>> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc
>> new file mode 100644
>> index 0000000..92f9715
>> --- /dev/null
>> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc
>> @@ -0,0 +1,31 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +#  Jan Kiszka <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +inherit dpkg-raw
>> +
>> +PROVIDES += "swupdate-certificates"
>> +
>> +SWU_SIGN_CERT ??= ""
>> +
>> +SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_CERT') if d.getVar('SWU_SIGN_CERT') else '' }"
>> +
>> +do_install() {
>> +    if [ -z ${SWU_SIGN_CERT} ] ]; then
>> +        bbfatal "You must set SWU_SIGN_CERT and provide the required file as artifacts to this recipe"
>> +    fi
>> +    TARGET=${D}/usr/share/swupdate-signing/
>> +    install -d -m 0700 ${TARGET}
>> +    install -m 0700 ${WORKDIR}/${SWU_SIGN_CERT} ${TARGET}/swupdate-sign.crt
>> +}
>> +
>> +do_prepare_build:append() {
>> +    echo "Provides: swupdate-certificates" >> ${S}/debian/control
>> +}
>> diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb
>> new file mode 100644
>> index 0000000..41d07a5
>> --- /dev/null
>> +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb
>> @@ -0,0 +1,14 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +#  Jan Kiszka <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +require swupdate-certificates.inc
>> +
>> +DEBIAN_CONFLICTS = "swupdate-certificates-snakeoil"
> 
> Jan
>

Jan Kiszka July 14, 2023, 7:26 a.m. UTC | #3
On 14.07.23 09:14, Gylstorff Quirin wrote:
> 
> 
> On 7/13/23 19:03, Jan Kiszka wrote:
>> On 13.07.23 18:40, Quirin Gylstorff wrote:
>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>
>>> This adds the necessary recipes to provide a snakeoil for testing
>>> sign updates and a recipe to for offical certificates.
>>
>> Several typos / wrong words here.
>>
> Will fix.
> 
>>>
>>> The certificates creation can be found at [1].
>>>
>>> [1]:
>>> https://sbabic.github.io/swupdate/signed_images.html?highlight=signing#usage-with-certificates-and-cms
>>>
>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> ---
>>>   .../files/cip-swupdate-snakeoil.cert.pem      | 30 +++++++++++
>>>   .../files/cip-swupdate-snakeoil.key.pem       | 52 +++++++++++++++++++
>>
>> Are these different from the Debian snakeoil keys? I suppose they are
>> for the reasons you mentioned offlist. Please document them in the
>> commit message.
> 
> I tested it with the Debian snakeoil keys modified by isar-cip-core and
> it works. The question was more should we copy the keys into this recipe
> or do we make a dependency chain to secure-boot secrets.
> 

First of all, you can set links, rather than creating copies. And then I
just noticed again that those secrets are Debian release specific.
Please check that again.

Jan

Patch

diff --git a/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem
new file mode 100644
index 0000000..a44cb7d
--- /dev/null
+++ b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.cert.pem
@@ -0,0 +1,30 @@ 
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem
new file mode 100644
index 0000000..5dd3d3b
--- /dev/null
+++ b/recipes-devtools/swupdate-certificates/files/cip-swupdate-snakeoil.key.pem
@@ -0,0 +1,52 @@ 
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCzteBA2+0P4Vwi
+WW65f1A9kcrVG/D4YePYj6SDq8iSqgxMhjYXNN186ZAeajGBLbzDflF0UyxbwSH6
+7bpC866RJuY0z2kgHIig/pyBqjRWz11pfiiMtpTExKg/Unu5UOLuH7qWUKeGnZbH
+Y8mtIvbvX5zWytuYwqz40B3+vfHktVUdGKVzqgKgfVRS3i3ZYwQgplQZITExf8+w
+rxe17C+66gRvBdck4Paik3/9gvTnXPbArY8tMBrfDQUldgrmt4nzzULWHcTy0faI
+cmq4jBLEt7NFlXJVL3LQ+ksApj9ETb8Jig8s5Vnq0U0rzg8PvPpWg9LyNiiJIHoM
+w4iRgRdA63wa3j6ghy3mc7UB6R305HEgBD+IYIOHr9qeV1e5QtXnfVEx44Vvppii
+biTg4H7Eu7ELPAqkRh2I/eUayteAhuTx3m0VqUh9ynJkTqbEpX1F0E0qrYdNcHpa
+y/fzhKTtL0ZZy9BTa4Y0BbYCEd3Y4MaLKEbji+N4P3qdQrSMHMqRQ3poYDCqFM3O
+yp0LxqRuRXqlEqqgJanJQChHxTbOKb6XOZs9y1MHTZMiBpIKi17oZ39TpDA7TJWe
+cL4vgk6mDF9iql1PMs9grH/bjeeKIyBm1je98AmQOSR+0fBajT6CifHLEE2skCuV
+wWD+10FdQoJwCQ8Wv6RJzH+My6LRvwIDAQABAoICABWNlpuwxLnG2Xn1J+Zvcnwv
+5BezBi+D7gOnFqAEFkYgxuDWp94YpQe6K2K6cb2Acscvey1sXEGU5DJoGJK3DxSx
+iaKDzaPgSDKm1rZmZ2iR7i4cx1g4/Zarz1Ho3pXXMaBFhedJPQ5UECVRvnpZWyxS
+V0kbg0LK9lvQ+gf3V++KH+8haZZ5qV7+KQLXSsBrs68Gw8dPx8qb/Zi/JyTWctME
+BgwaszblFC9jaVJKRn0JFT7+kdFll5NwyFE52wzYrl7jG0T6xQgqTlsG/e2sPwQA
+1CtgRRoaWrbdjelCBwx2FpdaS3+i8inLeGnsiLnmfE+r97y86heoIXsuaE6rINKg
+8K3FF7LD3f6dbWWGC3IqE7/hYMPV2FOTFufXvyH7dzhosB7XBAMIXr9/bswW/5tH
+mmCtFnXARqMirdwqf+oruuX8xhrlYBiVEe9E0qCG9iJBjtyqd/IJOHL9liD6+II2
+trdgJGaFlqXXWSVm2A91LrsETxRPepd+tPyARhszHkqnpdjMdoUGh2lVIPdPjP8f
+SaBvQeoa83b2eOfI5RK4b7/TOe8W/YVN00hewaFS0YmDcfeNH8yIxuraU5xpwfKJ
+QKz4zFSPTSYHTf+jCp450+LY8gwoaHKZ6J7IuCKbOke9iVHlOYsgQICCFSG/knPj
+8vwiL9lUVIW5EqG7jyEhAoIBAQDd/4PPxPw0mL7i4F44uOwaVgtVcbCtsLbyje9V
+YCGl0MS+jmIIRxXYPZWhmuUNE5I6gMXHsaawhFXkSPEWJ6DfNYV8HQLcix9vkrFs
++OK8vCVsAymoDpdkl8+k3i9Uu6+/EakU1badQGfNOqnQONRRO3ePoGK44583j8Wu
+6XxkXETmNeYYZJc5HwcOS/r8Oh/1kWnJHysz64PoZ4d3h3oaLJJ3LzZ4q0+hVuk0
+5cCdzGqy5eLr+U6GnCTNhAqY0ZhlH3UJlYPNx3UsQ/nXxYsOtHZnvs7Q/s4quhF2
+lufzIf0ftPEtdY+7wFm1TIyf+AW4PhkdwvbJkpStGpL+KSZ1AoIBAQDPPEYYVCA7
+oO3e3i8bUqh2iLZ0KDehOv455Ylmk5x6t5+OaO8m1+JTtEvIjkxpHsdwuCTm5Ewv
+L4/RAv3KLjkrO63Lk3Bbjy+L6ElD2TjBEAlXnZI9eNMw7wsmzbrFbIYHj46/twpv
+yBihQoSupClCWKbYB0fwWR94VU57WJABmX5UIbWqcPWkK1USW1foG+uuVu+yNpmn
+sXDsaBZcHjWGsjBvxGnIzJO8oaNzrRFfNqIFhSY6pVklv4M84I17dJNYt3PmDARW
+xliHyg0w6c3zIahcEuOTn3CN/DAU5zbTA800hyEQ+0baCHUn6Aa2TYdGTCdULFow
+w90RDVYZh9jjAoIBAEZnMjZCEnnbty3cWgVDIB16DD4cwBtVX6+ss6ovwnwDqWGF
+ZjGZ2aOqZDnMFbf/7PAAxrh97o8saNDtEQglqS8gmiSyTqYCuQV5UCtvAvk38eY/
+WoahmgGc4401qW0F2MaPoz+oRzG3qzO61v/iBfN9GH3EL4rTJTtJrTe7dGefm3om
+vcIepJbI8EPodMBo7pnCc/oEmH7uwfaCXsPZgy+p0wlZP70lFyvjlDHiayOgIHZ7
+0WtktTKbclB6/6FXVy06vLM9Z39rMg3HwQRc8azILoTYTl6ZcGi8ea1STl0c+lmD
+2LjB/8NbTRfiHvbcgXPcvbpiikGC6wO62cMg6cECggEBALcvNVrOCkwLPhkyV3uU
+fluBD57v6fS4W/87mlA1DS4g4IaW1UeFr4eEKTUYLA0D6xIFhIEgrwNKzJraRRKR
+93Dy6Pa51qjokgPfCdxSyGtITKnJHHsAMdbghv/+/SkEfBl02Z84Ip6axsLNNNHX
+RK1kBd+R2BJqBXpuFdjMeUcgsl2WCqql/UzoDOQUIEmJXLSYHntu7jYgkIw4mgNF
+pNTy8APsIAIibDlivERFaMS8W03728YdYQcQGecXK5lEe/cA+w8P8knuPFWT0kM5
+eRaA2vzAqbBVUL4BfVMM6xZuFtdm12DWbVPQBBeJb114fKo0KNOr/PF8QQ6QtloN
+DjcCggEBALumqFVF8eU236dz7jffdY1LEgxZQHXgOJcrNVpuqeLeD91NPEl8HoiO
+PAYtXbrNM+PtYD8KBDG8Bv9MZgaZyEfww8zkqzYtMzIk/5Kb9wBhdeq36YHBC/1+
+cDGty0dfubELKw2L+bwalFgk0urnQzJW+11+nFh+g2q3PJpRUisvih4apE+dOdE8
+cdsgc58nZksyS2WusW8OG0XZeJTrCejEP1GP6svYm3mPOVAp5Y3e7CQP10WcDoQ9
+WUZp+JbefDrJ/+aVmtkQ1pMGbOCbSwa/xmn6bbCVeI/aD3Sr9t4wnKQzu4InD5PB
+nFtyUBqMFy+r+QlyRfQbhfXxs7cW1/M=
+-----END PRIVATE KEY-----
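Review bot: The private key in cip-swupdate-snakeoil.key.pem becomes public as soon as this is merged, and neither this file nor the certificate next to it says that the pair is for testing only. Please state that next to the files (a short README in files/ or a comment in the two snakeoil recipes), so that nobody ships an image that trusts cip-swupdate-snakeoil.cert.pem. A build-time warning when the snakeoil packages are selected would make the same point harder to miss.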
diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb
new file mode 100644
index 0000000..fa2ce23
--- /dev/null
+++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key-snakeoil_0.1.bb
@@ -0,0 +1,17 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Jan Kiszka <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+DEBIAN_DEPENDS += "swupdate-certificates-snakeoil"
+
+require swupdate-certificates-key.inc
+
+SWU_SIGN_KEY = "cip-swupdate-snakeoil.key.pem"
+
+DEBIAN_CONFLICTS = "swupdate-certificates-key"
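Review bot: The Authors line in the header pairs the name Jan Kiszka with the address quirin.gylstorff@siemens.com, which looks like a copy-and-paste leftover. The same header is in every recipe and .inc file this patch adds, so please correct it in all of them. A one-line DESCRIPTION saying that this package ships the test-only signing key would also help anyone who finds it in an image manifest.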
diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
new file mode 100644
index 0000000..3fafce0
--- /dev/null
+++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc
@@ -0,0 +1,31 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Jan Kiszka <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+PROVIDES += "swupdate-certificates-key"
+
+SWU_SIGN_KEY ??= ""
+
+SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_KEY') if d.getVar('SWU_SIGN_KEY') else '' }"
+
+do_install() {
+    if [ -z ${SWU_SIGN_KEY} ] ]; then
+        bbfatal "You must set SWU_SIGN_KEY and provide the required file as artifacts to this recipe"
+    fi
+    TARGET=${D}/usr/share/swupdate-signing/
+    install -d -m 0700 ${TARGET}
+    install -m 0700 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key
+}
+
+do_prepare_build:append() {
+    echo "Provides: swupdate-certificates-key" >> ${S}/debian/control
+}
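Review bot: The guard in do_install, `if [ -z ${SWU_SIGN_KEY} ] ]; then`, has a stray `]` and an unquoted expansion, so with an empty SWU_SIGN_KEY the test ends up checking the literal `]` for emptiness and the bbfatal never fires; the build then fails later in the install call with a less helpful message. Please use `if [ -z "${SWU_SIGN_KEY}" ]; then`. In the same function the key is installed with `-m 0700`; a private key file does not need the execute bit, so 0600 is enough.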
diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb
new file mode 100644
index 0000000..45864fa
--- /dev/null
+++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key_0.1.bb
@@ -0,0 +1,15 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Jan Kiszka <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+DEBIAN_DEPENDS += "swupdate-certificates"
+
+require swupdate-certificates-key.inc
+
+DEBIAN_CONFLICTS = "swupdate-certificates-key-snakeoil"
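Review bot: This recipe never sets SWU_SIGN_KEY and nothing in it says how a downstream layer is expected to supply the key, so the only hint is the bbfatal text in swupdate-certificates-key.inc. Please add a comment here (or a README) describing the intended way to provide the file and the variable, for example from a bbappend or the build configuration, and that the key must stay out of the repository.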
diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb
new file mode 100644
index 0000000..4e45b6b
--- /dev/null
+++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-snakeoil_0.1.bb
@@ -0,0 +1,16 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Jan Kiszka <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require swupdate-certificates.inc
+
+SWU_SIGN_CERT = "cip-swupdate-snakeoil.cert.pem"
+
+DEBIAN_CONFLICTS = "swupdate-certificates"
diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc
new file mode 100644
index 0000000..92f9715
--- /dev/null
+++ b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc
@@ -0,0 +1,31 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Jan Kiszka <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+PROVIDES += "swupdate-certificates"
+
+SWU_SIGN_CERT ??= ""
+
+SRC_URI:append = " ${@ "file://"+d.getVar('SWU_SIGN_CERT') if d.getVar('SWU_SIGN_CERT') else '' }"
+
+do_install() {
+    if [ -z ${SWU_SIGN_CERT} ] ]; then
+        bbfatal "You must set SWU_SIGN_CERT and provide the required file as artifacts to this recipe"
+    fi
+    TARGET=${D}/usr/share/swupdate-signing/
+    install -d -m 0700 ${TARGET}
+    install -m 0700 ${WORKDIR}/${SWU_SIGN_CERT} ${TARGET}/swupdate-sign.crt
+}
+
+do_prepare_build:append() {
+    echo "Provides: swupdate-certificates" >> ${S}/debian/control
+}
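Review bot: do_install repeats the malformed test from swupdate-certificates-key.inc, `if [ -z ${SWU_SIGN_CERT} ] ]; then`; drop the extra `]` and quote the expansion so that the bbfatal can trigger. The certificate is public material, so `install -m 0700` puts an execute bit on a data file for no benefit; 0644 is the usual mode. Since this file differs from the key .inc only in the variable and target names, one shared .inc would avoid fixing the same bug in two places.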
diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb b/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb
new file mode 100644
index 0000000..41d07a5
--- /dev/null
+++ b/recipes-devtools/swupdate-certificates/swupdate-certificates_0.1.bb
@@ -0,0 +1,14 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Jan Kiszka <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require swupdate-certificates.inc
+
+DEBIAN_CONFLICTS = "swupdate-certificates-snakeoil"