Table of Contents
Verify an image as trusted
Synopsis
imgverify [--signer <signer>] [--keep] <uri|image> <signature uri|image>
Examples
Verify the signature on an iPXE script
imgverify script.ipxe script.ipxe.sig
Verify the signature on a Linux kernel
kernel http://192.168.0.1/vmlinuz vga=788 splash=silent imgverify vmlinuz http://192.168.0.1/vmlinuz.sig
Verify that pxelinux.0 was signed by mcb30@ipxe.org
imgverify --signer mcb30@ipxe.org pxelinux.0 pxelinux.0.sig
Description
Verifies an image using the specified digital signature and signer name. If no signer name is specified, any name will be accepted (provided that the signature is valid). The signature will be discarded after verification unless the --keep option is specified. If verification is successful, the image will be marked as trusted. For example:
iPXE> kernel http://192.168.0.1/pxelinux.0 iPXE> imgstat pxelinux.0 : 26672 bytes [PXE] [SELECTED] iPXE> imgverify pxelinux.0 http://192.168.0.1/pxelinux.0.sig iPXE> imgstat pxelinux.0 : 26672 bytes [PXE] [TRUSTED] [SELECTED]
Command status
| Success | The image was verified as trusted |
|---|---|
| Failure | The image was not verified as trusted |
See also
- iPXE cryptography guide
Build options
This command is available only when the build option IMAGE_TRUST_CMD is enabled.
Notes
To gain any benefit from using digital signatures, you will probably want to use the imgtrust command to ensure that only trusted images can be executed.
The signature file may be in PEM or DER format, and the certificate used to sign the code must possess the digitalSignature key usage extension and the codeSigning extended key usage extension.
The iPXE cryptography guide demonstrates the process of creating a code-signing certificate and digital signatures.
