In production setups, it is quite normal that the private key does not
exist as a file in the file system, but is kept inside some HSM,
remote signing service or similar, and only accessed via some pkcs#11
interface; moreover, by design, the private key _cannot_ be extracted
from the HSM or signing service.
In such a case, the user will have set OPENSSL_CONF to some
configuration file setting up the appropriate engine, and the "key" is
simply the pkcs#11 URI, e.g. "pkcs11:model=foo;object=bar".
In order to support this use case, automatically infer the appropriate
options to pass to openssl-dgst if "${KEY}" begins with
"pkcs11:". Doing this at the top level avoids duplicating the logic in
both writeSig and verifySig. While here, this also adds a sanity check
that -v can only be used while also providing a (public) key to check
against.
This drops the -keyform argument in the non-pkcs#11 case, as openssl
automatically infers the type, and this then in fact allows one to use
a private key in e.g. DER format.
Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Make it clearer that rpi-eeprom-digest is used create optionally
signed hashes for binary files.
For secure-boot the update-pieeprom.sh wrapper must be used
because only the boot configuration is signed by the customer
key rather than the entire SPI flash image.
Sync to the version from usbboot in order to add support for
the verify option. This provides a command line interface for
verifying a .sig file (with RSA) against a public key in .PEM
format.
