Restrict updates to certificates matching a given CN

[sl8vz]

Hi,

We're using a 3rd party CA to sign the bundle and we would like to avoid having the intermediate certificate in the rootfs. Hence we want to rely on the chain on trust to validate the origin of the bundle and we would provide the intermediate certificate in the update bundle.

However by doing that any update signed by this CA could be accepted by rauc and I would like to know if there's a possibility to only accept a given CN

Regards,
Sebastien

[jluebbe]

Currently, there is no support for requiring a given CN.

You can use the allow-partial-chain option in the system.conf and add only your intermediate certificate to the keyring. Then, other sub-trees of the 3rd party CA wouldn't be accepted as valid.

In almost all set-ups we've seen so far, I was easier to set up a separate (small) CA for signing RAUC bundles, as any pre-existing CAs and their use was not related to update signing in any way. Why do you prefer using a 3rd party CA instead of a separate CA?

[sl8vz]

We have chosen to use a 3rd party CA to avoid taking the responsibility of the involved security which is not our core business. The RAUC bundle is resigned using the 3rd party CA code signing facility.
It's a common choice not to handle the CA internally.
Verifying the CN would avoid having any intermediate certificate in the keyring and allows relying only on the system root certificates of public CA (AWS, SSL, Digicert, etc...)