Differences
This shows you the differences between two versions of the page.
|
err:022ae2 [2012/03/22 14:53] |
err:022ae2 [2012/03/22 14:53] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | This error indicates that the certificate used to verify a binary with the ''[[:cmd:imgverify]]'' command is not a code-signing certificate. A certificate used for code-signing must include the codeSigning extended key usage. | ||
| + | |||
| + | Things to try: | ||
| + | |||
| + | * Check that your certificate includes the codeSigning extended key usage. For example, to check the certificate ''codesign.crt'':<code> $ openssl x509 -in codesign.crt -noout -text | ||
| + | ... | ||
| + | X509v3 extensions: | ||
| + | X509v3 Key Usage: | ||
| + | Digital Signature | ||
| + | X509v3 Extended Key Usage: | ||
| + | Code Signing | ||
| + | ...</code> | ||
| + | |||
| + | * Generate a new code-signing certificate including the codeSigning extended key usage. If you are using [[http://www.openssl.org/|OpenSSL]] to generate the certificate, then you need to include the following [[http://www.openssl.org/docs/apps/x509v3_config.html|extensions]]:<code> keyUsage=digitalSignature | ||
| + | extendedKeyUsage=codeSigning</code> | ||
| + | |||
| + | A certificate used for code-signing must also include the digitalSignature key usage. | ||
