Differences

This shows you the differences between two versions of the page.

--- cmd:imgverify [2012/03/24 18:57]
mcb30
+++ cmd:imgverify [2012/03/24 23:56]
mcb30
@@ Line 2: / Line 2: @@
 ===== Synopsis =====
+    imgverify [--signer <signer>] [--keep] <uri|image> <signature uri|image>
 ===== Examples =====
+=== Verify the signature on an iPXE script ===
+    imgverify script.ipxe script.ipxe.sig
+=== Verify the signature on a Linux kernel ===
+    kernel http://192.168.0.1/vmlinuz vga=788 splash=silent
+    imgverify vmlinuz http://192.168.0.1/vmlinuz.sig
+=== Verify that pxelinux.0 was signed by mcb30@ipxe.org ===
+    imgverify --signer mcb30@ipxe.org pxelinux.0 pxelinux.0.sig
 ===== Description =====
+Verifies an image using the specified digital signature and signer name.  If no signer name is specified, any name will be accepted (provided that the signature is valid).  The signature will be discarded after verification unless the ''%%--keep%%'' option is specified.  If verification is successful, the image will be marked as trusted.  For example:
+    iPXE> kernel http://192.168.0.1/pxelinux.0
+    iPXE> imgstat
+    pxelinux.0 : 26672 bytes [PXE] [SELECTED]
+    iPXE> imgverify pxelinux.0 http://192.168.0.1/pxelinux.0.sig
+    iPXE> imgstat
+    pxelinux.0 : 26672 bytes [PXE] [TRUSTED] [SELECTED]
 ===== Command status =====
@@ Line 21: / Line 46: @@
 This command is available only when the build option ''[[:buildcfg:IMAGE_TRUST_CMD]]'' is enabled.
+===== Notes =====
+To gain any benefit from using digital signatures, you will probably want to use the ''[[:cmd:imgtrust]]'' command to ensure that only trusted images can be executed.
+The signature file must be in DER format, and the certificate used to sign the code must possess the digitalSignature key usage extension and the codeSigning extended key usage extension.
+The iPXE [[:crypto|cryptography guide]] demonstrates the process of creating a code-signing certificate and digital signatures.