Validate signatures

This guide describes how to validate the contents of a Clear Linux* OS image.

Overview

Validating the contents of an image is a manual process and is the same process that swupd performs internally.

Clear Linux OS offers a way to validate the content of an image or an update. All validation of content works by creating and signing a hash. A valid signature creates a chain of trust. A broken chain of trust, seen as an invalid signature, means the content is not valid.

Image content validation

In the steps below, we used the installer image of the latest release of Clear Linux OS. You may use any image of Clear Linux OS you choose.

  1. Download the image, the signature of the SHA512 sum of the image, and the Clear Linux OS certificate used for signing the SHA512 sum.

    # Image
    curl -O https://cdn.download.clearlinux.org/current/clear-$(curl https://cdn.download.clearlinux.org/latest)-installer.img.xz
    # Signature of SHA512 sum of image
    curl -O https://cdn.download.clearlinux.org/current/clear-$(curl https://cdn.download.clearlinux.org/latest)-installer.img.xz-SHA512SUMS.sig
    # Certificate
    curl -O https://cdn.download.clearlinux.org/releases/$(curl https://cdn.download.clearlinux.org/latest)/clear/ClearLinuxRoot.pem
    
  2. Generate the SHA256 sum of the Clear Linux OS certificate.

    sha256sum ClearLinuxRoot.pem
    
  3. Ensure the generated SHA256 sum of the Clear Linux OS certificate matches the following SHA256 sum to verify the integrity of the certificate.

    4b0ca67300727477913c331ff124928a98bcf2fb12c011a855f17cd73137a890  ClearLinuxRoot.pem
    
  4. Generate the SHA512 sum of the image and save it to a file.

    sha512sum clear-$(curl https://cdn.download.clearlinux.org/latest)-installer.img.xz > sha512sum.out
    
  5. Ensure the signature of the SHA512 sum of the image was created using the Clear Linux OS certificate. This confirms that the image is trusted and has not been modified.

    openssl smime -verify -purpose any -in clear-$(curl https://cdn.download.clearlinux.org/latest)-installer.img.xz-SHA512SUMS.sig -inform der -content sha512sum.out -CAfile ClearLinuxRoot.pem
    

    Note

    The -purpose any option is required when using OpenSSL 1.1. If you use an earlier version of OpenSSL, omit this option to perform signature validation. The openssl version command may be used to determine the version of OpenSSL in use.

  6. The output should contain “Verification successful”. If the output contains “bad_signature” anywhere, then the image is not trustworthy.

Update content validation

swupd validates all update content automatically before applying the update content. The process swupd follows internally is illustrated here with manual steps using the latest Clear Linux OS release. There is no need to perform these steps manually when performing a swupd update.

  1. Download the MoM (Manifest of Manifests), the signature of the MoM, and the Swupd certificate used for signing the MoM.

    # MoM
    curl -O https://cdn.download.clearlinux.org/update/$(curl https://cdn.download.clearlinux.org/latest)/Manifest.MoM
    # Signature of MoM
    curl -O https://cdn.download.clearlinux.org/update/$(curl https://cdn.download.clearlinux.org/latest)/Manifest.MoM.sig
    # Swupd certificate
    curl -O https://cdn.download.clearlinux.org/releases/$(curl https://cdn.download.clearlinux.org/latest)/clear/Swupd_Root.pem
    
  2. Generate the SHA256 sum of the Swupd certificate.

    sha256sum Swupd_Root.pem
    
  3. Confirm that the generated SHA256 sum of the Swupd certificate matches the SHA256 sum shown below to verify the integrity of the certificate.

    ff06fc76ec5148040acb4fcb2bc8105cc72f1963b55de0daf3a4ed664c6fe72c  Swupd_Root.pem
    
  4. Confirm that the signature of the MoM was created using the Swupd certificate. A valid signature confirms that the update content is trustworthy and has not been modified.

    openssl smime -verify -purpose any -in Manifest.MoM.sig -inform der -content Manifest.MoM -CAfile Swupd_Root.pem
    

    Note

    The -purpose any option is required when using OpenSSL 1.1. If you use an earlier version of OpenSSL, omit this option to perform signature validation. The openssl version command may be used to determine the version of OpenSSL in use.

    Note

    The SHA512 sum of the MoM is not generated and then signed. Instead, the MoM is signed directly because it is small in size compared to an image of Clear Linux OS.

  5. The output should contain “Verification successful”. If the output contains “bad_signature” anywhere, then the MoM cannot be trusted. Because the MoM contains a list of hashes for bundle manifests, if the MoM cannot be trusted, then the bundle content cannot be trusted.
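
The certificate check and the signature verification from both procedures above, combined into one fail-closed shell function (an added example, not part of the original guide or of swupd). The name `verify_signed`, its return codes and the throwaway self-signed certificate used as a fixture are assumptions made for illustration; it assumes OpenSSL 1.1 or later and `sha256sum`.

```shell
#!/bin/sh
# Added example: pin-check the certificate, then verify a detached DER signature.

# verify_signed CERT PINNED_SHA256 SIG CONTENT   (hypothetical helper name)
# Returns 0 if trusted, 1 if the signature is bad, 2 if the certificate
# does not match the pinned digest.
verify_signed() {
    cert=$1; pinned=$2; sig=$3; content=$4

    # The certificate is the trust anchor, so a digest mismatch stops
    # everything before OpenSSL is consulted.
    actual=$(sha256sum "$cert" 2>/dev/null | cut -d' ' -f1)
    if [ -z "$actual" ] || [ "$actual" != "$pinned" ]; then
        echo "certificate digest mismatch: got '$actual'" >&2
        return 2
    fi

    # Same command as in the guide. Decide on the exit status rather than
    # on the printed message; -out discards the echoed content.
    if openssl smime -verify -purpose any -in "$sig" -inform der \
        -content "$content" -CAfile "$cert" -out /dev/null 2>/dev/null
    then
        return 0
    fi
    echo "signature verification failed: $content" >&2
    return 1
}

# Constructed fixture for an offline run: a throwaway self-signed certificate
# stands in for ClearLinuxRoot.pem or Swupd_Root.pem. Prints the directory.
make_constructed_fixture() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-root" \
        -keyout "$d/key.pem" -out "$d/root.pem" 2>/dev/null || return 1
    printf 'constructed manifest' > "$d/good"
    printf 'constructed manifest, modified' > "$d/tampered"
    openssl smime -sign -binary -in "$d/good" -signer "$d/root.pem" \
        -inkey "$d/key.pem" -outform der -out "$d/good.sig" 2>/dev/null || return 1
    echo "$d"
}

# Usage: sh verify.sh CERT PINNED_SHA256 SIG CONTENT
if [ "$#" -eq 4 ]; then
    verify_signed "$@"
fi
```

For the image procedure, pass `sha512sum.out` as CONTENT and the SHA256 sum from step 3 as PINNED_SHA256; for the update procedure, pass `Manifest.MoM` and the Swupd certificate's sum.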